VAR-201710-0800
Vulnerability from variot - Updated: 2023-12-18 12:03An Insufficient Session Expiration issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The user's session is available for an extended period beyond the last activity, allowing an attacker to reuse an old session for authorization. The MultiFLEX M10a Controller is a water treatment controller. MultiFLEX M10a Controller is prone to the following multiple security vulnerabilities: 1. Multiple security-bypass vulnerabilities 2. An information-disclosure vulnerability 3. A cross-site request-forgery vulnerability Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gaining unauthorized access to the affected device and obtaining sensitive information; other attacks are also possible. Web interface is one of the web management interfaces
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201710-0800",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "multiflex m10a controller",
"scope": null,
"trust": 2.0,
"vendor": "prominent",
"version": null
},
{
"model": "multiflex m10a controller",
"scope": "eq",
"trust": 1.0,
"vendor": "prominent",
"version": "*"
},
{
"model": "multiflex m10a controller",
"scope": "eq",
"trust": 0.3,
"vendor": "prominent",
"version": "0"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "multiflex m10a controller",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "c30a1374-64fc-4167-a144-913e662fe05a"
},
{
"db": "CNVD",
"id": "CNVD-2017-30001"
},
{
"db": "BID",
"id": "101259"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009516"
},
{
"db": "NVD",
"id": "CVE-2017-14007"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-582"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:prominent:multiflex_m10a_controller_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:prominent:multiflex_m10a_controller:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2017-14007"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Maxim Rupp",
"sources": [
{
"db": "BID",
"id": "101259"
}
],
"trust": 0.3
},
"cve": "CVE-2017-14007",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.8,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2017-14007",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 4.9,
"id": "CNVD-2017-30001",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 4.9,
"id": "c30a1374-64fc-4167-a144-913e662fe05a",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.2,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.9 [IVD]"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-104686",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.2,
"impactScore": 3.4,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "Low",
"baseScore": 5.6,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2017-14007",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2017-14007",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2017-30001",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201710-582",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "IVD",
"id": "c30a1374-64fc-4167-a144-913e662fe05a",
"trust": 0.2,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-104686",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2017-14007",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "c30a1374-64fc-4167-a144-913e662fe05a"
},
{
"db": "CNVD",
"id": "CNVD-2017-30001"
},
{
"db": "VULHUB",
"id": "VHN-104686"
},
{
"db": "VULMON",
"id": "CVE-2017-14007"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009516"
},
{
"db": "NVD",
"id": "CVE-2017-14007"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-582"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An Insufficient Session Expiration issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The user\u0027s session is available for an extended period beyond the last activity, allowing an attacker to reuse an old session for authorization. The MultiFLEX M10a Controller is a water treatment controller. MultiFLEX M10a Controller is prone to the following multiple security vulnerabilities:\n1. Multiple security-bypass vulnerabilities\n2. An information-disclosure vulnerability\n3. A cross-site request-forgery vulnerability\nExploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gaining unauthorized access to the affected device and obtaining sensitive information; other attacks are also possible. Web interface is one of the web management interfaces",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-14007"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009516"
},
{
"db": "CNVD",
"id": "CNVD-2017-30001"
},
{
"db": "BID",
"id": "101259"
},
{
"db": "IVD",
"id": "c30a1374-64fc-4167-a144-913e662fe05a"
},
{
"db": "VULHUB",
"id": "VHN-104686"
},
{
"db": "VULMON",
"id": "CVE-2017-14007"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2017-14007",
"trust": 3.7
},
{
"db": "ICS CERT",
"id": "ICSA-17-285-01",
"trust": 3.5
},
{
"db": "BID",
"id": "101259",
"trust": 2.1
},
{
"db": "CNNVD",
"id": "CNNVD-201710-582",
"trust": 0.9
},
{
"db": "CNVD",
"id": "CNVD-2017-30001",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009516",
"trust": 0.8
},
{
"db": "IVD",
"id": "C30A1374-64FC-4167-A144-913E662FE05A",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-104686",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2017-14007",
"trust": 0.1
}
],
"sources": [
{
"db": "IVD",
"id": "c30a1374-64fc-4167-a144-913e662fe05a"
},
{
"db": "CNVD",
"id": "CNVD-2017-30001"
},
{
"db": "VULHUB",
"id": "VHN-104686"
},
{
"db": "VULMON",
"id": "CVE-2017-14007"
},
{
"db": "BID",
"id": "101259"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009516"
},
{
"db": "NVD",
"id": "CVE-2017-14007"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-582"
}
]
},
"id": "VAR-201710-0800",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "c30a1374-64fc-4167-a144-913e662fe05a"
},
{
"db": "CNVD",
"id": "CNVD-2017-30001"
},
{
"db": "VULHUB",
"id": "VHN-104686"
}
],
"trust": 1.5190476400000001
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.8
}
],
"sources": [
{
"db": "IVD",
"id": "c30a1374-64fc-4167-a144-913e662fe05a"
},
{
"db": "CNVD",
"id": "CNVD-2017-30001"
}
]
},
"last_update_date": "2023-12-18T12:03:12.937000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.prominent.com/en/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-009516"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-613",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-104686"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009516"
},
{
"db": "NVD",
"id": "CVE-2017-14007"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.5,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-17-285-01"
},
{
"trust": 1.9,
"url": "http://www.securityfocus.com/bid/101259"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14007"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-14007"
},
{
"trust": 0.3,
"url": "https://www.prominent.us/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/613.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-30001"
},
{
"db": "VULHUB",
"id": "VHN-104686"
},
{
"db": "VULMON",
"id": "CVE-2017-14007"
},
{
"db": "BID",
"id": "101259"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009516"
},
{
"db": "NVD",
"id": "CVE-2017-14007"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-582"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "c30a1374-64fc-4167-a144-913e662fe05a"
},
{
"db": "CNVD",
"id": "CNVD-2017-30001"
},
{
"db": "VULHUB",
"id": "VHN-104686"
},
{
"db": "VULMON",
"id": "CVE-2017-14007"
},
{
"db": "BID",
"id": "101259"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009516"
},
{
"db": "NVD",
"id": "CVE-2017-14007"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-582"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-10-13T00:00:00",
"db": "IVD",
"id": "c30a1374-64fc-4167-a144-913e662fe05a"
},
{
"date": "2017-10-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-30001"
},
{
"date": "2017-10-17T00:00:00",
"db": "VULHUB",
"id": "VHN-104686"
},
{
"date": "2017-10-17T00:00:00",
"db": "VULMON",
"id": "CVE-2017-14007"
},
{
"date": "2017-10-13T00:00:00",
"db": "BID",
"id": "101259"
},
{
"date": "2017-11-15T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-009516"
},
{
"date": "2017-10-17T22:29:00.293000",
"db": "NVD",
"id": "CVE-2017-14007"
},
{
"date": "2017-10-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201710-582"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-10-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-30001"
},
{
"date": "2019-10-09T00:00:00",
"db": "VULHUB",
"id": "VHN-104686"
},
{
"date": "2019-09-10T00:00:00",
"db": "VULMON",
"id": "CVE-2017-14007"
},
{
"date": "2017-10-13T00:00:00",
"db": "BID",
"id": "101259"
},
{
"date": "2017-11-15T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-009516"
},
{
"date": "2019-10-09T23:23:43.157000",
"db": "NVD",
"id": "CVE-2017-14007"
},
{
"date": "2019-10-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201710-582"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201710-582"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ProMinent MultiFLEX M10a Controller of Web Session expiration vulnerability in the interface",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-009516"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Code problem",
"sources": [
{
"db": "IVD",
"id": "c30a1374-64fc-4167-a144-913e662fe05a"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-582"
}
],
"trust": 0.8
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…