VAR-201710-0803
Vulnerability from variot - Updated: 2023-12-18 12:03A Client-Side Enforcement of Server-Side Security issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The log out function in the application removes the user's session only on the client side. This may allow an attacker to bypass protection mechanisms, gain privileges, or assume the identity of an authenticated user. ProMinent MultiFLEX M10a Controller of Web The interface contains vulnerabilities related to authorization, authority, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The MultiFLEX M10a Controller is a water treatment controller. MultiFLEX M10a Controller is prone to the following multiple security vulnerabilities: 1. Multiple security-bypass vulnerabilities 2. An information-disclosure vulnerability 3. A cross-site request-forgery vulnerability Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gaining unauthorized access to the affected device and obtaining sensitive information; other attacks are also possible. Web interface is one of the web management interfaces
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201710-0803",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "multiflex m10a controller",
"scope": null,
"trust": 2.0,
"vendor": "prominent",
"version": null
},
{
"model": "multiflex m10a controller",
"scope": "eq",
"trust": 1.0,
"vendor": "prominent",
"version": "*"
},
{
"model": "multiflex m10a controller",
"scope": "eq",
"trust": 0.3,
"vendor": "prominent",
"version": "0"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "multiflex m10a controller",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "e8e83259-efec-400e-a94f-f37c692d2458"
},
{
"db": "CNVD",
"id": "CNVD-2017-30002"
},
{
"db": "BID",
"id": "101259"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009519"
},
{
"db": "NVD",
"id": "CVE-2017-14013"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-579"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:prominent:multiflex_m10a_controller_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:prominent:multiflex_m10a_controller:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2017-14013"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Maxim Rupp",
"sources": [
{
"db": "BID",
"id": "101259"
}
],
"trust": 0.3
},
"cve": "CVE-2017-14013",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.8,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2017-14013",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 4.9,
"id": "CNVD-2017-30002",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 4.9,
"id": "e8e83259-efec-400e-a94f-f37c692d2458",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.2,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.9 [IVD]"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-104693",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.2,
"impactScore": 3.4,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "Low",
"baseScore": 5.6,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2017-14013",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2017-14013",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2017-30002",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201710-579",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "IVD",
"id": "e8e83259-efec-400e-a94f-f37c692d2458",
"trust": 0.2,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-104693",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "e8e83259-efec-400e-a94f-f37c692d2458"
},
{
"db": "CNVD",
"id": "CNVD-2017-30002"
},
{
"db": "VULHUB",
"id": "VHN-104693"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009519"
},
{
"db": "NVD",
"id": "CVE-2017-14013"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-579"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A Client-Side Enforcement of Server-Side Security issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The log out function in the application removes the user\u0027s session only on the client side. This may allow an attacker to bypass protection mechanisms, gain privileges, or assume the identity of an authenticated user. ProMinent MultiFLEX M10a Controller of Web The interface contains vulnerabilities related to authorization, authority, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The MultiFLEX M10a Controller is a water treatment controller. MultiFLEX M10a Controller is prone to the following multiple security vulnerabilities:\n1. Multiple security-bypass vulnerabilities\n2. An information-disclosure vulnerability\n3. A cross-site request-forgery vulnerability\nExploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gaining unauthorized access to the affected device and obtaining sensitive information; other attacks are also possible. Web interface is one of the web management interfaces",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-14013"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009519"
},
{
"db": "CNVD",
"id": "CNVD-2017-30002"
},
{
"db": "BID",
"id": "101259"
},
{
"db": "IVD",
"id": "e8e83259-efec-400e-a94f-f37c692d2458"
},
{
"db": "VULHUB",
"id": "VHN-104693"
}
],
"trust": 2.7
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2017-14013",
"trust": 3.6
},
{
"db": "ICS CERT",
"id": "ICSA-17-285-01",
"trust": 3.4
},
{
"db": "BID",
"id": "101259",
"trust": 2.0
},
{
"db": "CNNVD",
"id": "CNNVD-201710-579",
"trust": 0.9
},
{
"db": "CNVD",
"id": "CNVD-2017-30002",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009519",
"trust": 0.8
},
{
"db": "IVD",
"id": "E8E83259-EFEC-400E-A94F-F37C692D2458",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-104693",
"trust": 0.1
}
],
"sources": [
{
"db": "IVD",
"id": "e8e83259-efec-400e-a94f-f37c692d2458"
},
{
"db": "CNVD",
"id": "CNVD-2017-30002"
},
{
"db": "VULHUB",
"id": "VHN-104693"
},
{
"db": "BID",
"id": "101259"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009519"
},
{
"db": "NVD",
"id": "CVE-2017-14013"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-579"
}
]
},
"id": "VAR-201710-0803",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "e8e83259-efec-400e-a94f-f37c692d2458"
},
{
"db": "CNVD",
"id": "CNVD-2017-30002"
},
{
"db": "VULHUB",
"id": "VHN-104693"
}
],
"trust": 1.5190476400000001
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.8
}
],
"sources": [
{
"db": "IVD",
"id": "e8e83259-efec-400e-a94f-f37c692d2458"
},
{
"db": "CNVD",
"id": "CNVD-2017-30002"
}
]
},
"last_update_date": "2023-12-18T12:03:12.901000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.prominent.com/en/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-009519"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-669",
"trust": 1.1
},
{
"problemtype": "CWE-264",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-104693"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009519"
},
{
"db": "NVD",
"id": "CVE-2017-14013"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.4,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-17-285-01"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/101259"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14013"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-14013"
},
{
"trust": 0.3,
"url": "https://www.prominent.us/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-30002"
},
{
"db": "VULHUB",
"id": "VHN-104693"
},
{
"db": "BID",
"id": "101259"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009519"
},
{
"db": "NVD",
"id": "CVE-2017-14013"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-579"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "e8e83259-efec-400e-a94f-f37c692d2458"
},
{
"db": "CNVD",
"id": "CNVD-2017-30002"
},
{
"db": "VULHUB",
"id": "VHN-104693"
},
{
"db": "BID",
"id": "101259"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-009519"
},
{
"db": "NVD",
"id": "CVE-2017-14013"
},
{
"db": "CNNVD",
"id": "CNNVD-201710-579"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-10-13T00:00:00",
"db": "IVD",
"id": "e8e83259-efec-400e-a94f-f37c692d2458"
},
{
"date": "2017-10-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-30002"
},
{
"date": "2017-10-17T00:00:00",
"db": "VULHUB",
"id": "VHN-104693"
},
{
"date": "2017-10-13T00:00:00",
"db": "BID",
"id": "101259"
},
{
"date": "2017-11-15T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-009519"
},
{
"date": "2017-10-17T22:29:00.400000",
"db": "NVD",
"id": "CVE-2017-14013"
},
{
"date": "2017-10-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201710-579"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-10-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-30002"
},
{
"date": "2019-10-09T00:00:00",
"db": "VULHUB",
"id": "VHN-104693"
},
{
"date": "2017-10-13T00:00:00",
"db": "BID",
"id": "101259"
},
{
"date": "2017-11-15T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-009519"
},
{
"date": "2019-10-09T23:23:43.937000",
"db": "NVD",
"id": "CVE-2017-14013"
},
{
"date": "2019-10-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201710-579"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201710-579"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ProMinent MultiFLEX M10a Controller of Web Vulnerabilities related to authorization, authority, and access control in the interface",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-009519"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "permissions and access control issues",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201710-579"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…