CVE-2018-13862

high-risk

Published 2018-07-17

Touchpad / Trivum WebTouch Setup V9 V2.53 build 13163 of Apr 6 2018 09:10:14 (FW 303) allow unauthorized remote attackers to reset the authentication via the "/xml/system/setAttribute.xml" URL, using the GET request "?id=0&attr=protectAccess&newValue=0" (a successful attack will allow attackers to login without authorization).

Do I need to act?

60.9% chance of exploitation in next 30 days

EPSS score — higher than 39% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

45063

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Webtouch Setup V9 Firmware

Affected Vendors

Trivum

References (6)

Vendor Advisory http://update.trivum.com/update/tp9-changes.html

Third Party Advisory https://vulncode.com/advisory/CVE-2018-13862

Exploit https://www.exploit-db.com/exploits/45063/

Vendor Advisory http://update.trivum.com/update/tp9-changes.html

Third Party Advisory https://vulncode.com/advisory/CVE-2018-13862

Exploit https://www.exploit-db.com/exploits/45063/

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 19/34 · Moderate

Exposure 5/34 · Minimal