CVE-2019-7666

moderate-risk
Published 2019-07-01

Prima Systems FlexAir, Versions 2.3.38 and prior. The application allows improper authentication using the MD5 hash value of the password, which may allow an attacker with access to the database to login as admin without decrypting the password.

Do I need to act?

!
20.1% chance of exploitation in next 30 days
EPSS score — higher than 80% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
47644
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Primasystems

References (8)

Exploit http://packetstormsecurity.com/files/155262/Prima-FlexAir-Access-Control-2.3.35-...
Third Party Advisory https://applied-risk.com/labs/advisories
Third Party Advisory https://www.applied-risk.com/resources/ar-2019-007
Third Party Advisory https://www.us-cert.gov/ics/advisories/icsa-19-211-02
Exploit http://packetstormsecurity.com/files/155262/Prima-FlexAir-Access-Control-2.3.35-...
Third Party Advisory https://applied-risk.com/labs/advisories
Third Party Advisory https://www.applied-risk.com/resources/ar-2019-007
Third Party Advisory https://www.us-cert.gov/ics/advisories/icsa-19-211-02
49
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 14/34 · Moderate
Exposure 5/34 · Minimal