CVE-2017-12703 - OpenCVE

A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Westermo	Mrd-315-din Mrd-355-din Firmware Mrd-355-din Mrd-455-din Mrd-455-din Firmware Mrd-315-din Firmware Mrd-305-din Mrd-305-din Firmware

Configuration 1 [-]

AND

cpe:2.3:o:westermo:mrd-305-din_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:westermo:mrd-305-din:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:westermo:mrd-315-din_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:westermo:mrd-315-din:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:westermo:mrd-355-din_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:westermo:mrd-355-din:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:westermo:mrd-455-din_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:westermo:mrd-455-din:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/100470	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2017-08-25T16:00:00

Updated: 2017-08-26T09:57:01

Reserved: 2017-08-09T00:00:00

Link: CVE-2017-12703

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-08-25T16:29:00.237

Modified: 2017-08-29T17:01:31.300

Link: CVE-2017-12703

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"containers": {"cna": {"affected": [{"product": "Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455", "vendor": "n/a", "versions": [{"status": "affected", "version": "Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455"}]}], "datePublic": "2017-08-25T00:00:00", "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server."}], "problemTypes": [{"descriptions": [{"description": "CSRF", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-26T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01"}, {"name": "100470", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100470"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2017-12703", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455", "version": {"version_data": [{"version_value": "Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CSRF"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01"}, {"name": "100470", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100470"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-12703", "datePublished": "2017-08-25T16:00:00", "dateReserved": "2017-08-09T00:00:00", "dateUpdated": "2017-08-26T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:westermo:mrd-305-din_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "12D52093-D913-47EA-80F1-927355BB543F", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:westermo:mrd-305-din:-:*:*:*:*:*:*:*", "matchCriteriaId": "B9962B99-63CF-489E-95B4-A26F851F64E6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:westermo:mrd-315-din_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "53BB09CA-7887-4422-BB7F-2B6FEFDD81A4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:westermo:mrd-315-din:-:*:*:*:*:*:*:*", "matchCriteriaId": "D7E32165-E272-4ADD-B14F-585950E25A7C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:westermo:mrd-355-din_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "ED01C8B2-2A75-4420-8156-F7B53C50E269", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:westermo:mrd-355-din:-:*:*:*:*:*:*:*", "matchCriteriaId": "5305D4F0-10A0-4B6A-97B2-C49EE527088E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:westermo:mrd-455-din_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "E7777DED-BF73-4512-813E-2F858D787DB9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:westermo:mrd-455-din:-:*:*:*:*:*:*:*", "matchCriteriaId": "B043DE84-41F2-4AE2-8254-275FDED1ED77", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server."}, {"lang": "es", "value": "Se ha descubierto un problema de Cross-Site Request Forgery (CSRF) en Westermo MRD-305-DIN en versiones anteriores a la 1.7.5.0, y MRD-315, MRD-355, MRD-455 en versiones anteriores a la 1.7.5.0. La aplicaci\u00f3n no verifica si una petici\u00f3n ha sido proporcionada intencionadamente por el usuario, lo que posibilita que un atacante enga\u00f1e a un usuario para que realice una petici\u00f3n maliciosa al servidor."}], "id": "CVE-2017-12703", "lastModified": "2017-08-29T17:01:31.300", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-25T16:29:00.237", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100470"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}