CVE-2018-19392

{"id": "CVE-2018-19392", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-03-15T16:29:00.327", "references": [{"url": "https://cyberskr.com/blog/cobham-satcom-250-500.html", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://gist.github.com/CyberSKR/2dfd5dccb20a209ec4d35b2678bac0d4", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Cobham Satcom Sailor 250 and 500 devices before 1.25 contained an unauthenticated password reset vulnerability. This could allow modification of any user account's password (including the default \"admin\" account), without prior knowledge of their password. All that is required is knowledge of the username and attack vector (/index.lua?pageID=Administration usernameAdmChange, passwordAdmChange1, and passwordAdmChange2 fields)."}, {"lang": "es", "value": "Los dispositivos Cobham Satcom Sailor 250 y 500, en versiones anteriores a la 1.25, conten\u00edan una vulnerabilidad de restablecimiento de contrase\u00f1a no autenticada. Esto podr\u00eda permitir la modificaci\u00f3n de la contrase\u00f1a de cualquier cuenta de usuario (incluyendo la cuenta \"admin\" por defecto) sin conocer su contrase\u00f1a previamente. Todo lo que se requiere es conocer el nombre de usuario y el vector de ataque (los campos usernameAdmChange, passwordAdmChange1 y passwordAdmChange2 en /index.lua?pageID=Administration)."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:cobham:satcom_sailor_250_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7A3ECD59-D878-4E0E-97B9-07B4C40F4AA7", "versionEndExcluding": "1.25"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:cobham:satcom_sailor_250:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B8022675-88BA-4FAA-B207-7ABE86454174"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:cobham:satcom_sailor_500_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "503F48B7-7F7C-4334-87AC-08B2EEA8113D", "versionEndExcluding": "1.25"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:cobham:satcom_sailor_500:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1A41685A-58A0-4FCC-8C92-AB3C553CE3C3"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}