Lucene search

NCSC.chCVELIST:CVE-2022-4778

HistoryDec 28, 2022 - 2:20 p.m.

CVE-2022-4778 path traversal in elvexys StreamX using StreamView HTML component with public web server feature

2022-12-2814:20:24

NCSC.ch

www.cve.org

cve-2022-4778

elvexys streamx

path traversal

vulnerability

streamview html component

public web server

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

29.1%

JSON

StreamX applications from versions 6.02.01 to 6.04.34 are affected by a path traversal vulnerability that allows authenticated users to get unauthorized access to files on the server’s filesystem.
StreamX applications using StreamView HTML component with the public web server feature activated are affected.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "StreamX",
    "vendor": "elvexys",
    "versions": [
      {
        "lessThanOrEqual": "6.04.34",
        "status": "affected",
        "version": "6.02.01",
        "versionType": "patch"
      }
    ]
  }
]

References

elvexys.com/products/xpg-gateway-rtu-protocol-converter/streamx-release-notes/

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

29.1%

JSON

Related for CVELIST:CVE-2022-4778