CVE-2017-14007

low-risk
Published 2017-10-17

An Insufficient Session Expiration issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The user's session is available for an extended period beyond the last activity, allowing an attacker to reuse an old session for authorization.

Do I need to act?

-
0.23% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.6/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Multiflex M10A Controller Firmware

Affected Vendors

Prominent

References (4)

Third Party Advisory http://www.securityfocus.com/bid/101259
Mitigation https://ics-cert.us-cert.gov/advisories/ICSA-17-285-01
Third Party Advisory http://www.securityfocus.com/bid/101259
Mitigation https://ics-cert.us-cert.gov/advisories/ICSA-17-285-01
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal