CVE-2019-12254
moderate-risk
Published 2022-05-06
In multiple Tecson Tankspion and GOKs SmartBox 4 products the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to a unauthenticated user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.
Do I need to act?
~
1.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (5)
Smartbox 4 Lan Firmware
Smartbox 4 Lan Pro Firmware
Lx-Q-Net Firmware
Lx-Net Firmware
E-Litro Net Firmware
References (2)
Third Party Advisory
https://cert.vde.com/en/advisories/VDE-2019-012/
Third Party Advisory
https://cert.vde.com/en/advisories/VDE-2019-012/
47
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
3/34 · Minimal
Exposure
12/34 · Low