Vulnerability CVE-2019-12167


Published: 2019-05-22

Description:
httpGetSet/httpGet.htm on Emerson Network Power Liebert Challenger 5.1E0.5 devices allows XSS via the statusstr parameter.

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Emerson
Product: Liebert challenger firmware 
Version: 5.1e0.5;

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://www.securityfocus.com/bid/108420
https://seclists.org/bugtraq/2019/May/51
https://www.emerson.com/en-us/support

Related CVE
CVE-2019-10967
In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a stack-based buffer overflow vulnerability in the embedded third-party FTP server involves improper handling of a long file name from the LIST command to the FTP service, which may cause the se...
CVE-2019-10965
In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a heap-based buffer overflow vulnerability in the embedded third-party FTP server involves improper handling of a long command to the FTP service, which may cause memory corruption that halts th...
CVE-2018-11691
Emerson VE6046 09.0.12 devices have hardcoded admin credentials allowing remote connection to the Emerson Smart Switch administrative interface via HTTP or SNMPv3.
CVE-2018-19021
A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service.
CVE-2018-14808
Emerson AMS Device Manager v12.0 to v13.5. Non-administrative users are able to change executable and library files on the affected products.
CVE-2018-14804
Emerson AMS Device Manager v12.0 to v13.5. A specially crafted script may be run that allows arbitrary remote code execution.
CVE-2018-14797
Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 allow a specially crafted DLL file to be placed in the search path and loaded as an internal and valid DLL, which may allow arbitrary code execution.
CVE-2018-14791
Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 may allow non-administrative users to change executable and library files on the affected products.

Copyright 2019, cxsecurity.com

 

Back to Top