In multiple Tecson Tankspion and GOKs SmartBox 4 products the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to a unauthenticated user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.
References
Link | Resource |
---|---|
https://cert.vde.com/en/advisories/VDE-2019-012/ | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: CERTVDE
Published: 2019-04-06T00:00:00
Updated: 2022-05-06T17:30:11
Reserved: 2019-05-21T00:00:00
Link: CVE-2019-12254
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-05-06T18:15:08.397
Modified: 2022-05-16T18:40:00.707
Link: CVE-2019-12254
JSON object: View
Redhat Information
No data.
CWE