CVE-2019-13529

{"id": "CVE-2019-13529", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-10-09T16:15:14.310", "references": [{"url": "http://packetstormsecurity.com/files/154789/SMA-Solar-Technology-AG-Sunny-WebBox-1.6-Cross-Site-Request-Forgery.html", "tags": ["Third Party Advisory"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.us-cert.gov/ics/advisories/icsa-19-281-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation."}, {"lang": "es", "value": "Un atacante podr\u00eda enviar un enlace malicioso a un operador autenticado, lo que puede permitir a atacantes remotos realizar acciones con los permisos del usuario en Sunny WebBox versi\u00f3n de firmware 1.6 y anteriores. Este dispositivo utiliza direcciones IP para mantener la comunicaci\u00f3n despu\u00e9s de un inicio de sesi\u00f3n con \u00e9xito, lo que incrementar\u00eda la facilidad de explotaci\u00f3n."}], "lastModified": "2019-10-15T16:54:29.497", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:sma:sunny_webbox_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "03ADE62A-867D-4F4D-BA85-B0C1B8D9C0A2", "versionEndIncluding": "1.6"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:sma:sunny_webbox:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "640FCE11-8A7C-4582-BEF5-42C4F3B8DEDA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}