CVE-2017-5260
- EPSS 33.39%
- Published 20.12.2017 22:29:00
- Last modified 20.04.2025 01:37:25
- Source cve@rapid7.com
In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, although the option to access the configuration file is not available in the normal web administrative console for the 'user' account, the configuration file is accessible via direct object reference (DRO) at http://<device-ip-or-hostname>/goform/down_cfg_file by this otherwise low privilege 'user' account.
Data provided by the National Vulnerability Database (NVD)
Cambiumnetworks ≫ Cnpilot R190v Firmware Version <= 4.3.2-r4
Cambiumnetworks ≫ Cnpilot E410 Firmware Version <= 4.3.2-r4
Cambiumnetworks ≫ Cnpilot R190n Firmware Version <= 4.3.2-r4
Cambiumnetworks ≫ Cnpilot E400 Firmware Version <= 4.3.2-r4
Cambiumnetworks ≫ Cnpilot E600 Firmware Version <= 4.3.2-r4
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 33.39% | 0.967 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 9 | 8 | 10 | AV:N/AC:L/Au:S/C:C/I:C/A:C |
CWE-472 External Control of Assumed-Immutable Web Parameter
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
CWE-732 Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.