CVE-2019-6545

Exploit

EPSS 21.42%
Published 13.02.2019 01:29:00
Last modified 21.11.2024 04:46:40
Source ics-cert@hq.dhs.gov
Teams watchlist Login
Open Login

AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Aveva ≫ Indusoft Web Studio Version6.1 Updatesp5

Aveva ≫ Indusoft Web Studio Version6.1 Updatesp6_p3

Aveva ≫ Indusoft Web Studio Version7.1

Aveva ≫ Indusoft Web Studio Version7.1 Updatesp1

Aveva ≫ Indusoft Web Studio Version7.1 Updatesp2

Aveva ≫ Indusoft Web Studio Version7.1 Updatesp3

Aveva ≫ Indusoft Web Studio Version7.1 Updatesp3_p1

Aveva ≫ Indusoft Web Studio Version7.1 Updatesp3_p2

Aveva ≫ Indusoft Web Studio Version7.1 Updatesp3_p3

Aveva ≫ Indusoft Web Studio Version7.1 Updatesp3_p4

Aveva ≫ Indusoft Web Studio Version7.1 Updatesp3_p5

Aveva ≫ Indusoft Web Studio Version7.1 Updatesp3_p6

Aveva ≫ Indusoft Web Studio Version7.1 Updatesp3_p7

Aveva ≫ Indusoft Web Studio Version7.1 Updatesp3_p8

Aveva ≫ Indusoft Web Studio Version7.1 Updatesp3_p9

Aveva ≫ Indusoft Web Studio Version8.0

Aveva ≫ Indusoft Web Studio Version8.0 Updatep1

Aveva ≫ Indusoft Web Studio Version8.0 Updatep2

Aveva ≫ Indusoft Web Studio Version8.0 Updatep3

Aveva ≫ Indusoft Web Studio Version8.0 Updatesp1

Aveva ≫ Indusoft Web Studio Version8.0 Updatesp1_p1

Aveva ≫ Indusoft Web Studio Version8.0 Updatesp2

Aveva ≫ Indusoft Web Studio Version8.0 Updatesp2_p1

Aveva ≫ Indusoft Web Studio Version8.1

Aveva ≫ Indusoft Web Studio Version8.1 Updatep1

Aveva ≫ Indusoft Web Studio Version8.1 Updatesp1

Aveva ≫ Indusoft Web Studio Version8.1 Updatesp1_p1

Aveva ≫ Indusoft Web Studio Version8.1 Updatesp2

Aveva ≫ Intouch Machine Edition 2014 Versionr2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	21.42%	0.955

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-99 Improper Control of Resource Identifiers ('Resource Injection')

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01

Third Party Advisory

US Government Resource

Mitigation

https://www.exploit-db.com/exploits/46342/

Third Party Advisory

Exploit

VDB Entry

https://www.tenable.com/security/research/tra-2019-04

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-6545

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-6545

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-6545

EUVD