CVE-2019-13379 - On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access to the device's web interface

CVE-2019-13379

Summary

On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access to the device's web interface may escalate privileges from an unauthenticated user to administrator by performing a cmd.cgi?action=ResetDefaults&src=RA reset and using the default credentials to get in.

References

Vulnerable Configurations

cpe:2.3:o:avtech:room_alert_3e_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:avtech:room_alert_3e_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:avtech:room_alert_3e:-:*:*:*:*:*:*:*
cpe:2.3:h:avtech:room_alert_3e:-:*:*:*:*:*:*:*

CVSS

Base:	9.0 (as of 24-08-2020 - 17:37)
Impact:
Exploitability:

CWE

CWE-668

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:L/Au:S/C:C/I:C/A:C

refmap via4

confirm	https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
misc	https://jordonlovik.wordpress.com/2019/07/06/roomalert-by-avtech-critical-vulnerability-disclosure/ https://www.youtube.com/watch?v=X1PY7kMFkVg

Last major update

24-08-2020 - 17:37

Published

07-07-2019 - 16:15

Last modified

24-08-2020 - 17:37