cnvd - cnvd-2017-38303

CNVD-2017-38303

Vulnerability from cnvd - Published: 2017-12-28

Title

Schneider Electric Pelco VideoXpert Enterprise权限提升漏洞

Description

Pelco VideoXpert Enterprise是一款企业视频管理系统。 Schneider Electric Pelco VideoXpert Enterprise存在权限提升漏洞，攻击者通过替换某些文件，可获得系统权限，插入的代码将以提升的权限级别执行。

Severity

高

Patch Name

Schneider Electric Pelco VideoXpert Enterprise权限提升漏洞的补丁

Patch Description

Pelco VideoXpert Enterprise是一款企业视频管理系统。 Schneider Electric Pelco VideoXpert Enterprise存在权限提升漏洞，攻击者通过替换某些文件，可获得系统权限，插入的代码将以提升的权限级别执行。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可联系供应商获得补丁信息： https://www.pelco.com/search?documentUUID=478b93c1-d908-4438-867f-7bcf849b28a8&title=VideoXpert Core Software v2.1

Reference

https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02

Impacted products

Name
Schneider Electric Pelco VideoXpert Enterprise <2.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-9966"
    }
  },
  "description": "Pelco VideoXpert Enterprise\u662f\u4e00\u6b3e\u4f01\u4e1a\u89c6\u9891\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nSchneider Electric Pelco VideoXpert Enterprise\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u901a\u8fc7\u66ff\u6362\u67d0\u4e9b\u6587\u4ef6\uff0c\u53ef\u83b7\u5f97\u7cfb\u7edf\u6743\u9650\uff0c\u63d2\u5165\u7684\u4ee3\u7801\u5c06\u4ee5\u63d0\u5347\u7684\u6743\u9650\u7ea7\u522b\u6267\u884c\u3002",
  "discovererName": "Gjoko Krstic",
  "formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a \r\nhttps://www.pelco.com/search?documentUUID=478b93c1-d908-4438-867f-7bcf849b28a8\u0026title=VideoXpert Core Software v2.1",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-38303",
  "openTime": "2017-12-28",
  "patchDescription": "Pelco VideoXpert Enterprise\u662f\u4e00\u6b3e\u4f01\u4e1a\u89c6\u9891\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nSchneider Electric Pelco VideoXpert Enterprise\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u901a\u8fc7\u66ff\u6362\u67d0\u4e9b\u6587\u4ef6\uff0c\u53ef\u83b7\u5f97\u7cfb\u7edf\u6743\u9650\uff0c\u63d2\u5165\u7684\u4ee3\u7801\u5c06\u4ee5\u63d0\u5347\u7684\u6743\u9650\u7ea7\u522b\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Schneider Electric Pelco VideoXpert Enterprise\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Schneider Electric Pelco VideoXpert Enterprise \u003c2.1"
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02",
  "serverity": "\u9ad8",
  "submitTime": "2017-12-28",
  "title": "Schneider Electric Pelco VideoXpert Enterprise\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"
}

CVE-2017-9966 (GCVE-0-2017-9966)

Vulnerability from cvelistv5 – Published: 2018-01-02 03:00 – Updated: 2024-09-16 22:55

Summary

A privilege escalation vulnerability exists in Schneider Electric's Pelco VideoXpert Enterprise versions 2.0 and prior. By replacing certain files, an unauthorized user can obtain system privileges and the inserted code would execute at an elevated privilege level.

Severity ?

No CVSS data available.

CWE

Privilege Escalation

Assigner

schneider

References

URL

Tags

	https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02	x_refsource_MISC
	https://www.schneider-electric.com/en/download/do…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/102338	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	Schneider Electric SE	Pelco VideoXpert Enterprise	Affected: Versions 2.0 and prior

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:24:59.978Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.schneider-electric.com/en/download/document/SEVD-2017-339-01/"
          },
          {
            "name": "102338",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/102338"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Pelco VideoXpert Enterprise",
          "vendor": "Schneider Electric SE",
          "versions": [
            {
              "status": "affected",
              "version": "Versions 2.0 and prior"
            }
          ]
        }
      ],
      "datePublic": "2018-02-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A privilege escalation vulnerability exists in Schneider Electric\u0027s Pelco VideoXpert Enterprise versions 2.0 and prior. By replacing certain files, an unauthorized user can obtain system privileges and the inserted code would execute at an elevated privilege level."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Privilege Escalation",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-02-12T22:57:01",
        "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
        "shortName": "schneider"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.schneider-electric.com/en/download/document/SEVD-2017-339-01/"
        },
        {
          "name": "102338",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/102338"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@schneider-electric.com",
          "DATE_PUBLIC": "2018-02-12T00:00:00",
          "ID": "CVE-2017-9966",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Pelco VideoXpert Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Versions 2.0 and prior"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Schneider Electric SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A privilege escalation vulnerability exists in Schneider Electric\u0027s Pelco VideoXpert Enterprise versions 2.0 and prior. By replacing certain files, an unauthorized user can obtain system privileges and the inserted code would execute at an elevated privilege level."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Privilege Escalation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02"
            },
            {
              "name": "https://www.schneider-electric.com/en/download/document/SEVD-2017-339-01/",
              "refsource": "CONFIRM",
              "url": "https://www.schneider-electric.com/en/download/document/SEVD-2017-339-01/"
            },
            {
              "name": "102338",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/102338"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
    "assignerShortName": "schneider",
    "cveId": "CVE-2017-9966",
    "datePublished": "2018-01-02T03:00:00Z",
    "dateReserved": "2017-06-26T00:00:00",
    "dateUpdated": "2024-09-16T22:55:48.511Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-38303

CVE-2017-9966 (GCVE-0-2017-9966)

Tags

Sightings

Nomenclature