CVE-2016-2296

high-risk

Published 2016-05-14

Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not require authentication for "post-admin" login pages, which allows remote attackers to obtain sensitive information or modify data via unspecified vectors.

Do I need to act?

75.3% chance of exploitation in next 30 days

EPSS score — higher than 25% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

39822

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.4/10 Critical

NETWORK / LOW complexity

Affected Products (4)

Web\'Log Light

Web\'Log Pro

Web\'Log Pro Unlimited

Web\'Log Basic 100

Affected Vendors

Meteocontrol

References (6)

http://seclists.org/fulldisclosure/2016/May/52

Third Party Advisory https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01

https://www.exploit-db.com/exploits/39822/

http://seclists.org/fulldisclosure/2016/May/52

Third Party Advisory https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01

https://www.exploit-db.com/exploits/39822/

/ 100

high-risk

Severity 31/34 · Critical

Exploitability 20/34 · Moderate

Exposure 10/34 · Low