Vulners
Lucene search
EasyIO 30P Authentication Bypass / Cross Site Scripting Vulnerabilities
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | CVE-2018-15819 | 2 Mar 202022:53 | – | circl |
| CVE-2018-15820 | 2 Mar 202022:53 | – | circl |
 | CVE-2018-15819 | 2 Mar 202018:07 | – | cve |
| CVE-2018-15820 | 2 Mar 202018:09 | – | cve |
 | CVE-2018-15819 | 2 Mar 202018:07 | – | cvelist |
| CVE-2018-15820 | 2 Mar 202018:09 | – | cvelist |
 | EUVD-2018-7677 | 7 Oct 202500:30 | – | euvd |
| EUVD-2018-7678 | 7 Oct 202500:30 | – | euvd |
 | CVE-2018-15819 | 2 Mar 202019:15 | – | nvd |
| CVE-2018-15820 | 2 Mar 202019:15 | – | nvd |
10
EasyIO 30P Authentication Bypass / Cross Site Scripting Vulnerabilities
INFORMATION
Product: EasyIO 30P (http://www.easyio.com)
Affected versions: < 2.0.5.27 (tested on version 2.0.5.16)
CVE IDs: CVE-2018-15820 (Stored XSS) and CVE-2018-15819 (Authentication bypass)
Remote-exploit: yes
TIMELINE
Vendor notification: 3rd August, 2018
Vendor acknowledgment: 22nd August, 2018
Patch available: 8th October, 2018
Public disclosure: 7th April, 2019
INTRODUCTION
The EasyIO-30P controllers are rugged, network centric, multi-protocols Input
/ Output controllers to accommodate general and specific applications, featuring
Bacnet IP, Bacnet Ethernet, Bacnet MSTP, Modbus Serial (RS485) and Modbus TCP/IP
protocols. It also has a built-in web server for easy configuration.
(Description from: https://www.easyio.eu/products/bms-controllers/easyio-30p-bms-controller/)
The two vulnerabilities described below affect the web application that runs in
the controllers and that is used to manage them.
VULNERABILITIES DESCRIPTION
The XSS vulnerability (CVE-2018-15820) allows an attacker to inject malicious
scripts into the trusted web interface running on a vulnerable device. The
scripts may be executed by the browser of an unsuspecting device administrator
to access session tokens or other sensitive information, as well as to perform
malicious actions on behalf of the user (e.g., internal network discovery and
traffic tunneling using BeEF).
Stored XSS PoC (show alert dialog):
POST http://<device_address>/EASYIO30P-<session_token>/dev.htm
GDN=...'onMouseOver='alert(1);&GDG=Group&GDL=Location
The authentication bypass vulnerability (CVE-2018-15819) allows an attacker to
execute privileged requests in the vulnerable application without possessing
valid credentials, by manipulating the session token sent in a request. Any
string of the same size as a valid token is accepted. The attacker can use this
vulnerability to steal the credential information of application users,
including plaintext passwords (see the proof-of-concept below).
Authentication bypass PoC (access the file containing plaintext passwords):
http://<device_address>/EASYIO30P-123456789012345678901234567890123456789012345678/webuser.js
SOLUTION
Update to version 2.0.5.27
# 0day.today [2019-04-10] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 Apr 2019 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.00685