An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. While the web interface requires authentication before it can be interacted with, a large portion of the HTTP endpoints are missing authentication. An attacker is able to view these pages before being authenticated, and some of these pages may disclose sensitive information.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/151802/Teracue-ENC-400-Command-Injection-Missing-Authentication.html | Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2019/Feb/48 | Mailing List Third Party Advisory |
https://zxsecurity.co.nz/research.html | Not Applicable |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-03-17T20:51:20
Updated: 2019-03-17T20:51:20
Reserved: 2018-12-19T00:00:00
Link: CVE-2018-20220
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-03-21T16:00:35.407
Modified: 2020-08-24T17:37:01.140
Link: CVE-2018-20220
JSON object: View
Redhat Information
No data.
CWE