CVE-2019-13947

low-risk

Published 2019-12-12

A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The user configuration menu in the web interface of the Control Center Server (CCS) transfers user passwords in clear to the client (browser). An attacker with administrative privileges for the web interface could be able to read (and not only reset) passwords of other CCS users.

Do I need to act?

0.17% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.9/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Sinvr 3 Central Control Server

Sinvr 3 Video Server

Affected Vendors

Siemens

References (4)

Vendor Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf

https://cert-portal.siemens.com/productcert/pdf/ssa-761844.pdf

Vendor Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf

https://cert-portal.siemens.com/productcert/pdf/ssa-761844.pdf

/ 100

low-risk

Severity 20/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 7/34 · Low