10

CVE-2018-10630

For Crestron TSW-X60 version prior to 2.001.0037.001 and MC3 version prior to 1.502.0047.001, The devices are shipped with authentication disabled, and there is no indication to users that they need to take steps to enable it. When compromised, the access to the CTP console is left open.

Data is provided by the National Vulnerability Database (NVD)
CrestronTsw-x60 Firmware Version < 2.001.0037.001
   CrestronTsw-1060-b-s Version-
   CrestronTsw-1060-nc-b-s Version-
   CrestronTsw-1060-nc-w-s Version-
   CrestronTsw-1060-w-s Version-
   CrestronTsw-560-b-s Version-
   CrestronTsw-560-nc-b-s Version-
   CrestronTsw-560-nc-w-s Version-
   CrestronTsw-560-w-s Version-
   CrestronTsw-760-b-s Version-
   CrestronTsw-760-nc-b-s Version-
   CrestronTsw-760-nc-w-s Version-
   CrestronTsw-760-w-s Version-
CrestronMc3 Firmware Version < 1.502.0047.001
   CrestronMc3 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.28% 0.486
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 10 10 10
AV:N/AC:L/Au:N/C:C/I:C/A:C
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

http://www.securityfocus.com/bid/105051
Third Party Advisory
VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-18-221-01
Patch
Third Party Advisory
US Government Resource