CVE-2019-7281 - OpenCVE

Prima Systems FlexAir, Versions 2.3.38 and prior. An unauthenticated user can send unverified HTTP requests, which may allow the attacker to perform certain actions with administrative privileges if a logged-in user visits a malicious website.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Primasystems	Flexair

Configuration 1 [-]

cpe:2.3:a:primasystems:flexair:*:*:*:*:*:*:*:*

References

Link	Resource
https://applied-risk.com/labs/advisories	Not Applicable Third Party Advisory
https://www.applied-risk.com/resources/ar-2019-007	Third Party Advisory
https://www.us-cert.gov/ics/advisories/icsa-19-211-02	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-01T18:29:43

Updated: 2019-07-31T14:00:59

Reserved: 2019-01-31T00:00:00

Link: CVE-2019-7281

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-07-01T19:15:11.383

Modified: 2022-10-25T15:35:12.927

Link: CVE-2019-7281

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Prima Systems FlexAir, Versions 2.3.38 and prior. An unauthenticated user can send unverified HTTP requests, which may allow the attacker to perform certain actions with administrative privileges if a logged-in user visits a malicious website."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-31T14:00:59", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://applied-risk.com/labs/advisories"}, {"tags": ["x_refsource_MISC"], "url": "https://www.applied-risk.com/resources/ar-2019-007"}, {"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-211-02"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-7281", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Prima Systems FlexAir, Versions 2.3.38 and prior. An unauthenticated user can send unverified HTTP requests, which may allow the attacker to perform certain actions with administrative privileges if a logged-in user visits a malicious website."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://applied-risk.com/labs/advisories", "refsource": "MISC", "url": "https://applied-risk.com/labs/advisories"}, {"name": "https://www.applied-risk.com/resources/ar-2019-007", "refsource": "MISC", "url": "https://www.applied-risk.com/resources/ar-2019-007"}, {"name": "https://www.us-cert.gov/ics/advisories/icsa-19-211-02", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsa-19-211-02"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-7281", "datePublished": "2019-07-01T18:29:43", "dateReserved": "2019-01-31T00:00:00", "dateUpdated": "2019-07-31T14:00:59", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:primasystems:flexair:*:*:*:*:*:*:*:*", "matchCriteriaId": "175CBF56-BD66-48B3-A3AC-25B4FCD4F601", "versionEndIncluding": "2.3.38", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Prima Systems FlexAir, Versions 2.3.38 and prior. An unauthenticated user can send unverified HTTP requests, which may allow the attacker to perform certain actions with administrative privileges if a logged-in user visits a malicious website."}, {"lang": "es", "value": "Prima Systems FlexAir, en la versi\u00f3n 2.3.38 y anteriores. Un usuario no autenticado puede enviar solicitudes HTTP no verificadas, lo que puede permitir al atacante realizar ciertas acciones con privilegios administrativos si un usuario conectado visita un sitio web malicioso."}], "id": "CVE-2019-7281", "lastModified": "2022-10-25T15:35:12.927", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-01T19:15:11.383", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable", "Third Party Advisory"], "url": "https://applied-risk.com/labs/advisories"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.applied-risk.com/resources/ar-2019-007"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-211-02"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}