CERTVDECVELIST:CVE-2019-12254CVE-2019-12254 TECSON/GOK: Improper Authentication and Access Control on multiple devices
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
58.1%
In multiple Tecson Tankspion and GOKs SmartBox 4 products the affected application doesn’t properly restrict access to an endpoint that is responsible for saving settings, to a unauthenticated user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.
CNA Affected
[
{
"product": "e-litro net",
"vendor": "TECSON",
"versions": [
{
"lessThan": "V6.32",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "LX-Net",
"vendor": "TECSON",
"versions": [
{
"lessThan": "V6.32",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "LX-Q-Net",
"vendor": "TECSON",
"versions": [
{
"lessThan": "V6.32",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "SmartBox 4 LAN",
"vendor": "GOK",
"versions": [
{
"lessThan": "V6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "SmartBox 4 LAN PRO",
"vendor": "GOK",
"versions": [
{
"lessThan": "V6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
]References
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
58.1%