In multiple Tecson Tankspion and GOKs SmartBox 4 products the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to a unauthenticated user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.
References
Link | Resource |
---|---|
https://cert.vde.com/en/advisories/VDE-2019-012/ | Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
History
16 May 2022, 18:40
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 10.0
v3 : 9.8 |
References | (CONFIRM) https://cert.vde.com/en/advisories/VDE-2019-012/ - Third Party Advisory | |
CPE | cpe:2.3:o:tecson:lx-net_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:gok:smartbox_4_lan:-:*:*:*:*:*:*:* cpe:2.3:h:tecson:e-litro_net:-:*:*:*:*:*:*:* cpe:2.3:o:gok:smartbox_4_lan_pro_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:gok:smartbox_4_lan_pro:-:*:*:*:*:*:*:* cpe:2.3:o:gok:smartbox_4_lan_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:tecson:lx-q-net:-:*:*:*:*:*:*:* cpe:2.3:o:tecson:lx-q-net_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:tecson:lx-net:-:*:*:*:*:*:*:* cpe:2.3:o:tecson:e-litro_net_firmware:*:*:*:*:*:*:*:* |
|
First Time |
Tecson e-litro Net
Tecson lx-q-net Gok smartbox 4 Lan Tecson lx-net Gok smartbox 4 Lan Firmware Gok Tecson Gok smartbox 4 Lan Pro Firmware Tecson e-litro Net Firmware Tecson lx-q-net Firmware Gok smartbox 4 Lan Pro Tecson lx-net Firmware |
06 May 2022, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-05-06 18:15
Updated : 2023-12-10 14:22
NVD link : CVE-2019-12254
Mitre link : CVE-2019-12254
CVE.ORG link : CVE-2019-12254
JSON object : View
Products Affected
tecson
- lx-q-net
- lx-q-net_firmware
- lx-net_firmware
- e-litro_net
- lx-net
- e-litro_net_firmware
gok
- smartbox_4_lan
- smartbox_4_lan_pro
- smartbox_4_lan_firmware
- smartbox_4_lan_pro_firmware
CWE
CWE-287
Improper Authentication