5.3

CVE-2019-16951

Exploit

EPSS 0.36%
Veröffentlicht 13.11.2019 19:15:12
Zuletzt bearbeitet 21.11.2024 04:31:24
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

A remote file include (RFI) issue was discovered in Enghouse Web Chat 6.2.284.34. One can replace the localhost attribute with one's own domain name. When the product calls this domain after the POST request is sent, it retrieves an attacker's data and displays it. Also worth mentioning is the amount of information sent in the request from this product to the attacker: it reveals information the public should not have. This includes pathnames and internal ip addresses.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Enghouse ≫ Web Chat Version6.1.300.31

Enghouse ≫ Web Chat Version6.2.284.34

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.36%	0.572

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

https://mjlanders.com/2019/11/07/multiple-vulnerabilities-found-in-enghouse-zeacom-web-chat/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2019-16951

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-16951

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-16951

EUVD