CVE-2015-6839

low-risk
Published 2017-10-23

The parse function in MSA vot.Ar 3.1 does not check whether a candidate receives more than one vote, which allows physically proximate attackers to cast multiple votes for a candidate via a crafted RFID ballot tag.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.6/10 Medium
PHYSICAL / LOW complexity

Affected Products (1)

Vot.Ar

Affected Vendors

Grupo Msa

References (8)

Issue Tracking https://docs.google.com/document/d/13t1jqu-Upj4SyjYBMj3OMshdy6rGBrnb1R3P-goz-cs/...
Issue Tracking https://docs.google.com/document/d/1aH6kvoLR8O1qWOpEz89FAB2xFcBNB-QqHgZpXxg0vGE/...
Issue Tracking https://www.eleccionesciudad.gob.ar/uploads/resoluciones/Informe_05-BALOTAJE-201...
Third Party Advisory https://www.youtube.com/watch?v=CTOCspLn6Zk
Issue Tracking https://docs.google.com/document/d/13t1jqu-Upj4SyjYBMj3OMshdy6rGBrnb1R3P-goz-cs/...
Issue Tracking https://docs.google.com/document/d/1aH6kvoLR8O1qWOpEz89FAB2xFcBNB-QqHgZpXxg0vGE/...
Issue Tracking https://www.eleccionesciudad.gob.ar/uploads/resoluciones/Informe_05-BALOTAJE-201...
Third Party Advisory https://www.youtube.com/watch?v=CTOCspLn6Zk
21
/ 100
low-risk
Severity 16/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal