Vulnerability CVE-2018-20220
Published: 2019-03-21

Description:
An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. While the web interface requires authentication before it can be interacted with, a large portion of the HTTP endpoints are missing authentication. An attacker is able to view these pages before being authenticated, and some of these pages may disclose sensitive information.

See advisories in our WLB2 database:
Topic
Author
Date
High
Teracue ENC-400 Command Injection / Missing Authentication
Stephen Shkardoo...
22.02.2019

Type:

CWE-287

 (Improper Authentication)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Teracue -> Enc-400 hdmi2 firmware 
Teracue -> Enc-400 hdmi firmware 
Teracue -> Enc-400 hdsdi firmware 

 References:
http://packetstormsecurity.com/files/151802/Teracue-ENC-400-Command-Injection-Missing-Authentication.html
http://seclists.org/fulldisclosure/2019/Feb/48
https://zxsecurity.co.nz/research.html
Copyright 2024, cxsecurity.com

 

Back to Top