Vulnerability CVE-2019-11536


Published: 2019-05-22

Description:
Kalki Kalkitech SYNC3000 Substation DCU GPC v2.22.6, 2.23.0, 2.24.0, 3.0.0, 3.1.0, 3.1.16, 3.2.3, 3.2.6, 3.5.0, 3.6.0, and 3.6.1, when WebHMI is not installed, allows an attacker to inject client-side commands or scripts to be executed on the device with privileged access, aka CYB/2019/19561. The attack requires network connectivity to the device and exploits the webserver interface, typically through a browser.

Type: CWE-264 (Permissions, Privileges, and Access Controls)

Vendor: Kalkitech
Product: Sync3000 firmware
Version: 3.6.1, 3.6.0, 3.5.0, 3.2.6, 3.2.3, 3.1.16, 3.1.0, 3.0.0, 2.24.0, 2.23.0, 2.22.6

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

References:
https://www.kalkitech.com/cybersecurity/
https://www.kalkitech.com/wp-content/uploads/CYB_19561_Advisory.pdf

Copyright 2019, cxsecurity.com
