Vulnerability CVE-2017-14335
Published: 2017-09-12
Description:
On Beijing Hanbang Hanbanggaoke devices, because user-controlled input is not sufficiently sanitized, sending a PUT request to /ISAPI/Security/users/1 allows an admin password change.
CVSS2 vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None
Affected software:
HBGK -> Hb8216h firmware
HBGK -> Hb9020x3 firmware
HBGK -> Hb8008r firmware
HBGK -> 7208xr firmware
HBGK -> Hb8208hr firmware
HBGK -> Hb7208xt firmware
HBGK -> Hb9608x3 firmware
HBGK -> Hb8004r firmware
HBGK -> Hb8808x3 firmware
HBGK -> Hb7008kce firmware
HBGK -> Hb7008t2 firmware
HBGK -> Hb9908 firmware
HBGK -> 7204xr firmware
HBGK -> Hb8608x3 firmware
HBGK -> Hb9404x3 firmware
HBGK -> Hb9912 firmware
HBGK -> Hb7032xt firmware
HBGK -> Hb7908 firmware
HBGK -> Hb7216x3 firmware
HBGK -> Hb7208x firmware
HBGK -> Hb7916sx firmware
HBGK -> Hb7008kc firmware
HBGK -> Hb7916s firmware
HBGK -> Hb9924 firmware
HBGK -> Hb8204h firmware
HBGK -> Hb7008khe firmware
HBGK -> Hb8216x3 firmware
HBGK -> Hb8008 firmware
HBGK -> Hb7204x firmware
HBGK -> Hb7004kh firmware
HBGK -> Hb8004 firmware
HBGK -> Hb7008kh firmware
HBGK -> Hb9012x3 firmware
HBGK -> Hb8204hr firmware
HBGK -> Hb8208h firmware
HBGK -> Hb9832n16 firmware
HBGK -> Hb9932 firmware
HBGK -> Hb9408x3 firmware
HBGK -> Hb7204kl firmware
HBGK -> Hb9916 firmware
HBGK -> Hb9808n04 firmware
HBGK -> Hb9816n08 firmware
HBGK -> Hb8208x3 firmware
HBGK -> Hb7208x3 firmware
HBGK -> Hb7016t2 firmware
HBGK -> 7216xr firmware
HBGK -> Hb8016 firmware
HBGK -> Hb7024xt firmware
HBGK -> Hb7216xt firmware
HBGK -> Hb9212x3 firmware
HBGK -> Hb7016lc firmware
HBGK -> Hb7016lh firmware
HBGK -> Hb8816x3 firmware
HBGK -> Hb9824n16 firmware
HBGK -> Hb7204kk firmware
HBGK -> Hb8616x3 firmware
HBGK -> Hb9604x3 firmware
HBGK -> Hb7908x firmware
HBGK -> Hb9220x3 firmware
HBGK -> Hb7904 firmware
HBGK -> Hb7116x3 firmware
HBGK -> Hb8216hr firmware
HBGK -> Hb9904 firmware
HBGK -> Hb7004k firmware
HBGK -> Hb7216x firmware
HBGK -> Hb7108x3 firmware
HBGK -> Hb7904x firmware
HBGK -> Hb7204xt firmware
HBGK -> Hb8016r firmware
References:
https://blogs.securiteam.com/index.php/archives/3420
Copyright 2024, cxsecurity.com