4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
38.0%
The DTE Energy Insight app API allows an authenticated user to obtain and query certain limited customer information from other customers.
CWE-200**: Information Exposure****-**CVE-2016-1562
The DTE Energy Insight app lets DTE Energy customers track their energy usage. This information is exposed via an HTTP REST API.
The API contains a parameter 'filter'
that may be manipulated by an authenticated user. This parameter determines the customer data to be returned by the server. By manipulating the 'filter'
parameter, an authorized user may be able to obtain and query limited customer information for other users.
The researcher has released a blog post with more details.
A remote, authenticated user may be able to obtain limited information about other customers.
DTE Energy has updated its Insight server backend to mitigate this issue. The researcher has confirmed that the APIs no longer allow access to other data.
713312
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: February 03, 2016 Updated: March 01, 2016
Statement Date: February 26, 2016
Affected
We have not received a statement from the vendor.
DTE Energy has released version 1.7.8 to resolve the reported vulnerability. Ensure your device is updated to the latest version of this app.
Group | Score | Vector |
---|---|---|
Base | 4 | AV:N/AC:L/Au:S/C:P/I:N/A:N |
Temporal | 3.1 | E:POC/RL:OF/RC:C |
Environmental | 2.3 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Jeffrey Quesnelle for reporting this vulnerability.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2016-1562 |
---|---|
Date Public: | 2016-03-10 Date First Published: |
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
38.0%