CVE-2017-14013

low-risk
Published 2017-10-17

A Client-Side Enforcement of Server-Side Security issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The log out function in the application removes the user's session only on the client side. This may allow an attacker to bypass protection mechanisms, gain privileges, or assume the identity of an authenticated user.

Do I need to act?

-
0.29% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.6/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Multiflex M10A Controller Firmware

Affected Vendors

Prominent

References (4)

Third Party Advisory http://www.securityfocus.com/bid/101259
Mitigation https://ics-cert.us-cert.gov/advisories/ICSA-17-285-01
Third Party Advisory http://www.securityfocus.com/bid/101259
Mitigation https://ics-cert.us-cert.gov/advisories/ICSA-17-285-01
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal