CVE-2017-9966 - OpenCVE

A privilege escalation vulnerability exists in Schneider Electric's Pelco VideoXpert Enterprise versions 2.0 and prior. By replacing certain files, an unauthorized user can obtain system privileges and the inserted code would execute at an elevated privilege level.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:H/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	Pelco Videoxpert

Configuration 1 [-]

cpe:2.3:a:schneider-electric:pelco_videoxpert:*:*:*:*:enterprise:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/102338	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02	Patch Third Party Advisory US Government Resource
https://www.schneider-electric.com/en/download/document/SEVD-2017-339-01/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2018-02-12T00:00:00

Updated: 2018-02-12T22:57:01

Reserved: 2017-06-26T00:00:00

Link: CVE-2017-9966

JSON object: View

NVD Information

Status : Modified

Published: 2018-01-02T03:29:00.330

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-9966

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Pelco VideoXpert Enterprise", "vendor": "Schneider Electric SE", "versions": [{"status": "affected", "version": "Versions 2.0 and prior"}]}], "datePublic": "2018-02-12T00:00:00", "descriptions": [{"lang": "en", "value": "A privilege escalation vulnerability exists in Schneider Electric's Pelco VideoXpert Enterprise versions 2.0 and prior. By replacing certain files, an unauthorized user can obtain system privileges and the inserted code would execute at an elevated privilege level."}], "problemTypes": [{"descriptions": [{"description": "Privilege Escalation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-12T22:57:01", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.schneider-electric.com/en/download/document/SEVD-2017-339-01/"}, {"name": "102338", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/102338"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "DATE_PUBLIC": "2018-02-12T00:00:00", "ID": "CVE-2017-9966", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Pelco VideoXpert Enterprise", "version": {"version_data": [{"version_value": "Versions 2.0 and prior"}]}}]}, "vendor_name": "Schneider Electric SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A privilege escalation vulnerability exists in Schneider Electric's Pelco VideoXpert Enterprise versions 2.0 and prior. By replacing certain files, an unauthorized user can obtain system privileges and the inserted code would execute at an elevated privilege level."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Privilege Escalation"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02"}, {"name": "https://www.schneider-electric.com/en/download/document/SEVD-2017-339-01/", "refsource": "CONFIRM", "url": "https://www.schneider-electric.com/en/download/document/SEVD-2017-339-01/"}, {"name": "102338", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102338"}]}}}}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2017-9966", "datePublished": "2018-02-12T00:00:00", "dateReserved": "2017-06-26T00:00:00", "dateUpdated": "2018-02-12T22:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:pelco_videoxpert:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "81B30BAF-370B-44F2-AB13-FFDFBB6F32F0", "versionEndExcluding": "2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A privilege escalation vulnerability exists in Schneider Electric's Pelco VideoXpert Enterprise versions 2.0 and prior. By replacing certain files, an unauthorized user can obtain system privileges and the inserted code would execute at an elevated privilege level."}, {"lang": "es", "value": "Existe una vulnerabilidad de escalado de privilegios en Schneider Electric's Pelco VideoXpert Enterprise, en versiones 2.0 y anteriores. Al reemplazar ciertos archivos, un usuario no autorizado podr\u00eda obtener privilegios del sistema; por lo tanto, el c\u00f3digo insertado se ejecutar\u00eda a un nivel de privilegios elevado."}], "id": "CVE-2017-9966", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 7.1, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:H/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-01-02T03:29:00.330", "references": [{"source": "cybersecurity@se.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102338"}, {"source": "cybersecurity@se.com", "tags": ["Patch", "Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02"}, {"source": "cybersecurity@se.com", "url": "https://www.schneider-electric.com/en/download/document/SEVD-2017-339-01/"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}