9
CVE-2019-15799
- EPSS 0.4%
- Veröffentlicht 14.11.2019 21:15:11
- Zuletzt bearbeitet 21.11.2024 04:29:29
- Quelle cve@mitre.org
- Teams Watchlist Login
- Unerledigt Login
An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. User accounts created through the web interface of the device, when given non-admin level privileges, have the same level of privileged access as administrators when connecting to the device via SSH (while their permissions via the web interface are in fact restricted). This allows normal users to obtain the administrative password by running the tech-support command via the CLI: this contains the encrypted passwords for all users on the device. As these passwords are encrypted using well-known and static parameters, they can be decrypted and the original passwords (including the administrator password) can be obtained.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zyxel ≫ Gs1900-8 Firmware Version < 2.50\(aahh.0\)c0
Zyxel ≫ Gs1900-8hp Firmware Version < 2.50\(aahi.0\)c0
Zyxel ≫ Gs1900-10hp Firmware Version < 2.50\(aazi.0\)c0
Zyxel ≫ Gs1900-16 Firmware Version < 2.50\(aahj.0\)c0
Zyxel ≫ Gs1900-24e Firmware Version < 2.50\(aahk.0\)c0
Zyxel ≫ Gs1900-24 Firmware Version < 2.50\(aahl.0\)c0
Zyxel ≫ Gs1900-24hp Firmware Version < 2.50\(aahm.0\)c0
Zyxel ≫ Gs1900-48 Firmware Version < 2.50\(aahn.0\)c0
Zyxel ≫ Gs1900-48hp Firmware Version < 2.50\(aaho.0\)c0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.4% | 0.576 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 9 | 8 | 10 |
AV:N/AC:L/Au:S/C:C/I:C/A:C
|
CWE-269 Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.