Vulnerabilities for 'Computrols building automation software'

2019-05-24

CVE-2019-10848 (CWE-200)
Computrols CBAS 18.0.0 allows Username Enumeration.

CVE-2019-10847 (CWE-352)
Computrols CBAS 18.0.0 allows Cross-Site Request Forgery.

2019-05-23

CVE-2019-10850 (CWE-798)
Computrols CBAS 18.0.0 has Default Credentials.

CVE-2019-10849 (CWE-200)
Computrols CBAS 18.0.0 allows unprotected Subversion (SVN) directory / source code disclosure.

CVE-2019-10846 (CWE-79)
Computrols CBAS 18.0.0 allows Unauthenticated Reflected Cross-Site Scripting vulnerabilities in the login page and password reset page via the username GET parameter.

CVE-2019-10855 (CWE-200)
Computrols CBAS 18.0.0 mishandles password hashes. The approach is MD5 with a pw prefix, e.g., if the password is admin, it will calculate the MD5 hash of pwadmin and store it in a MySQL database.

CVE-2019-10854 (CWE-77)
Computrols CBAS 18.0.0 allows Authenticated Command Injection.

CVE-2019-10853 (CWE-287)
Computrols CBAS 18.0.0 allows Authentication Bypass.

CVE-2019-10852 (CWE-89)
Computrols CBAS 18.0.0 allows Authenticated Blind SQL Injection via the id GET parameter, as demonstrated by the index.php?m=servers&a=start_pulling&id= substring.

CVE-2019-10851 (CWE-320)
Computrols CBAS 18.0.0 has hard-coded encryption keys.


Copyright 2019, cxsecurity.com