Vulnerability CVE-2018-14804


Published: 2018-10-01

Description:
Emerson AMS Device Manager v12.0 to v13.5. A specially crafted script may be run that allows arbitrary remote code execution.

Type:

CWE-94

(Improper Control of Generation of Code ('Code Injection'))

Vendor: Emerson
Product: Ams device manager 
Version:
13.5
13.1.1
13.0
12.5
12.0

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://www.securityfocus.com/bid/105406
https://ics-cert.us-cert.gov/advisories/ICSA-18-270-01

Related CVE
CVE-2019-10967
In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a stack-based buffer overflow vulnerability in the embedded third-party FTP server involves improper handling of a long file name from the LIST command to the FTP service, which may cause the se...
CVE-2019-10965
In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a heap-based buffer overflow vulnerability in the embedded third-party FTP server involves improper handling of a long command to the FTP service, which may cause memory corruption that halts th...
CVE-2019-12167
httpGetSet/httpGet.htm on Emerson Network Power Liebert Challenger 5.1E0.5 devices allows XSS via the statusstr parameter.
CVE-2018-11691
Emerson VE6046 09.0.12 devices have hardcoded admin credentials allowing remote connection to the Emerson Smart Switch administrative interface via HTTP or SNMPv3.
CVE-2018-19021
A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service.
CVE-2018-14808
Emerson AMS Device Manager v12.0 to v13.5. Non-administrative users are able to change executable and library files on the affected products.
CVE-2018-14797
Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 allow a specially crafted DLL file to be placed in the search path and loaded as an internal and valid DLL, which may allow arbitrary code execution.
CVE-2018-14791
Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 may allow non-administrative users to change executable and library files on the affected products.

Copyright 2019, cxsecurity.com

 

Back to Top