CVE-2017-9650 - OpenCVE

An Unrestricted Upload of File with Dangerous Type issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to upload a malicious file allowing the execution of arbitrary code.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Carrier	Automatedlogic Webctrl
Automatedlogic	I-vu Sitescan Web

Configuration 1 [-]

OR	cpe:2.3:a:automatedlogic:i-vu::::::::
	cpe:2.3:a:automatedlogic:i-vu::::::::
	cpe:2.3:a:automatedlogic:i-vu::::::::
	cpe:2.3:a:automatedlogic:i-vu::::::::
	cpe:2.3:a:automatedlogic:sitescan_web::::::::
	cpe:2.3:a:automatedlogic:sitescan_web::::::::
	cpe:2.3:a:automatedlogic:sitescan_web::::::::
	cpe:2.3:a:automatedlogic:sitescan_web::::::::
	cpe:2.3:a:carrier:automatedlogic_webctrl::::::::
	cpe:2.3:a:carrier:automatedlogic_webctrl::::::::
	cpe:2.3:a:carrier:automatedlogic_webctrl::::::::
	cpe:2.3:a:carrier:automatedlogic_webctrl::::::::
	cpe:2.3:a:carrier:automatedlogic_webctrl::::::::

References

Link	Resource
http://www.securityfocus.com/bid/100452	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01	Mitigation Third Party Advisory US Government Resource
https://www.exploit-db.com/exploits/42544/	Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2017-08-25T19:00:00

Updated: 2017-08-26T09:57:01

Reserved: 2017-06-14T00:00:00

Link: CVE-2017-9650

JSON object: View

NVD Information

Status : Modified

Published: 2017-08-25T19:29:00.487

Modified: 2021-07-27T19:25:56.903

Link: CVE-2017-9650

JSON object: View

Redhat Information

No data.

CWE

CWE-434

{"containers": {"cna": {"affected": [{"product": "Automated Logic Corporation WebCTRL, i-VU, SiteScan", "vendor": "n/a", "versions": [{"status": "affected", "version": "Automated Logic Corporation WebCTRL, i-VU, SiteScan"}]}], "datePublic": "2017-08-25T00:00:00", "descriptions": [{"lang": "en", "value": "An Unrestricted Upload of File with Dangerous Type issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to upload a malicious file allowing the execution of arbitrary code."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-08-26T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"name": "100452", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100452"}, {"name": "42544", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/42544/"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2017-9650", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Automated Logic Corporation WebCTRL, i-VU, SiteScan", "version": {"version_data": [{"version_value": "Automated Logic Corporation WebCTRL, i-VU, SiteScan"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An Unrestricted Upload of File with Dangerous Type issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to upload a malicious file allowing the execution of arbitrary code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-434"}]}]}, "references": {"reference_data": [{"name": "100452", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100452"}, {"name": "42544", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/42544/"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-9650", "datePublished": "2017-08-25T19:00:00", "dateReserved": "2017-06-14T00:00:00", "dateUpdated": "2017-08-26T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:automatedlogic:i-vu:*:*:*:*:*:*:*:*", "matchCriteriaId": "5948CDA4-5FE6-448B-9F64-D077F41DDF11", "versionEndIncluding": "5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:automatedlogic:i-vu:*:*:*:*:*:*:*:*", "matchCriteriaId": "E829060A-3BA2-43ED-AAC9-E0E5008345DE", "versionEndIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:automatedlogic:i-vu:*:*:*:*:*:*:*:*", "matchCriteriaId": "F476895F-3AF0-4F96-8420-E57801B03F33", "versionEndIncluding": "6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:automatedlogic:i-vu:*:*:*:*:*:*:*:*", "matchCriteriaId": "865ECF73-F257-4A48-831E-4A542ADA4BD4", "versionEndIncluding": "6.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:automatedlogic:sitescan_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F6C18E1-2165-49FE-B351-56BF2B3142A1", "versionEndIncluding": "5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:automatedlogic:sitescan_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "701AF14C-15DE-496A-8077-53D6BF3C80DC", "versionEndIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:automatedlogic:sitescan_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A35BFAD-0A53-438B-8A7A-78F92210DDE4", "versionEndIncluding": "6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:automatedlogic:sitescan_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "D602FF0F-8AFE-4815-BFA0-623DE28D26FC", "versionEndIncluding": "6.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:carrier:automatedlogic_webctrl:*:*:*:*:*:*:*:*", "matchCriteriaId": "A41C3278-DB17-488C-BFEF-AA51B8289DD0", "versionEndIncluding": "5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:carrier:automatedlogic_webctrl:*:*:*:*:*:*:*:*", "matchCriteriaId": "27E012C0-3E9B-484C-A697-B39DF43F0F69", "versionEndIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:carrier:automatedlogic_webctrl:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2A6E893-4D91-4D54-A831-B47F792FC6E6", "versionEndIncluding": "6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:carrier:automatedlogic_webctrl:*:*:*:*:*:*:*:*", "matchCriteriaId": "E912DDD9-081A-49A1-9CD5-9127B676A190", "versionEndIncluding": "6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:carrier:automatedlogic_webctrl:*:*:*:*:*:*:*:*", "matchCriteriaId": "292B6AC3-89A7-4E81-946A-7C0FED0DF79D", "versionEndIncluding": "6.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An Unrestricted Upload of File with Dangerous Type issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to upload a malicious file allowing the execution of arbitrary code."}, {"lang": "es", "value": "Se ha descubierto un problema de carga de archivos sin restricciones con tipos peligrosos en Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 y anteriores; ALC WebCTRL, SiteScan Web 6.1 y anteriores; ALC WebCTRL, i-Vu 6.0 y anteriores; ALC WebCTRL, i-Vu, SiteScan Web 5.5 y anteriores; y ALC WebCTRL, i-Vu, SiteScan Web 5.2 y anteriores. Un atacante autenticado podr\u00eda ser capaz de subir un archivo malicioso que permita la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "id": "CVE-2017-9650", "lastModified": "2021-07-27T19:25:56.903", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-25T19:29:00.487", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100452"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/42544/"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-434"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}