CVE-2016-2285

Cross-site request forgery (CSRF) vulnerability on Moxa MiiNePort_E1_4641 devices with firmware 1.1.10 Build 09120714, MiiNePort_E1_7080 devices with firmware 1.1.10 Build 09120714, MiiNePort_E2_1242 devices with firmware 1.1 Build 10080614, MiiNePort_E2_4561 devices with firmware 1.1 Build 10080614, and MiiNePort E3 devices with firmware 1.0 Build 11071409 allows remote attackers to hijack the authentication of arbitrary users.

CVSS v3 8.8 HIGH
CVSS v2.0 6.8 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://seclists.org/fulldisclosure/2016/May/7
https://ics-cert.us-cert.gov/advisories/ICSA-16-145-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:h:moxa:miineport_e2_1242:-:*:*:*:*:*:*:*

cpe:2.3:o:moxa:miineport_e2_1242_firmware:1.1:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:h:moxa:miineport_e2_4561:-:*:*:*:*:*:*:*

cpe:2.3:o:moxa:miineport_e2_4561_firmware:1.1:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:h:moxa:miineport_e1_7080:-:*:*:*:*:*:*:*

cpe:2.3:o:moxa:miineport_e1_7080_firmware:1.1.10:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:h:moxa:miineport_e3:-:*:*:*:*:*:*:*

cpe:2.3:o:moxa:miineport_e3_firmware:1.0:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:h:moxa:miineport_e1_4641:-:*:*:*:*:*:*:*

cpe:2.3:o:moxa:miineport_e1_4641_firmware:1.1.10:*:*:*:*:*:*:*

History

No history.

Information

Published : 2016-05-31 01:59

Updated : 2023-12-10 11:46

NVD link : CVE-2016-2285

Mitre link : CVE-2016-2285

CVE.ORG link : CVE-2016-2285

JSON object : View

Products Affected

moxa

miineport_e2_1242
miineport_e2_4561
miineport_e3
miineport_e1_7080
miineport_e2_4561_firmware
miineport_e3_firmware
miineport_e2_1242_firmware
miineport_e1_4641_firmware
miineport_e1_7080_firmware
miineport_e1_4641

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2016-2285", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2016-05-31T01:59:04.930", "references": [{"url": "http://seclists.org/fulldisclosure/2016/May/7", "source": "ics-cert@hq.dhs.gov"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-145-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability on Moxa MiiNePort_E1_4641 devices with firmware 1.1.10 Build 09120714, MiiNePort_E1_7080 devices with firmware 1.1.10 Build 09120714, MiiNePort_E2_1242 devices with firmware 1.1 Build 10080614, MiiNePort_E2_4561 devices with firmware 1.1 Build 10080614, and MiiNePort E3 devices with firmware 1.0 Build 11071409 allows remote attackers to hijack the authentication of arbitrary users."}, {"lang": "es", "value": "Vulnerabilidad de CSRF en dispositivos Moxa MiiNePort_E1_4641 con firmware 1.1.10 Build 09120714, dispositivos MiiNePort_E1_7080 con firmware 1.1.10 Build 09120714, dispositivos MiiNePort_E2_1242 con firmware 1.1 Build 10080614, dispositivos MiiNePort_E2_4561 con firmware 1.1 Build 10080614 y dispositivos MiiNePort E3 con firmware 1.0 Build 11071409 permite a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios arbitrarios."}], "lastModified": "2016-11-30T03:04:47.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:miineport_e2_1242:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "11908A9E-F663-465E-8B82-BF87E3784B47"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:miineport_e2_1242_firmware:1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E792AAB-B443-4B47-B107-A63E13A63BC2"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:miineport_e2_4561:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E91547AA-0065-45E2-9F2B-FF3B72BD45E3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:miineport_e2_4561_firmware:1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3066833-C70E-47C1-A9DE-C2BB45F2A705"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:miineport_e1_7080:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5C447CD7-DE56-400E-A2FE-DBDB2C823582"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:miineport_e1_7080_firmware:1.1.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4146FD5D-353C-46B7-B20E-332938FBF293"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:miineport_e3:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C0017FB3-ADDC-477E-B4CD-4BFF1977CED0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:miineport_e3_firmware:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99CDEEBE-99D9-4236-9607-04395FA566DD"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:miineport_e1_4641:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A6D91144-8D7D-4DED-B095-0033BD8F05C2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:miineport_e1_4641_firmware:1.1.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33701ECB-E809-4969-8C98-F6E177E769A4"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}