CVE-2019-19613

An issue was discovered in Halvotec RaQuest 10.23.10801.0. The login page of the admin application is vulnerable to an Open Redirect attack allowing an attacker to redirect a user to a malicious site after authentication. The attacker needs to be on the same network to modify the victim's request on the wire. Fixed in Release 24.2020.20608.0

CVSS v3 5.2 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.2^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 2.7

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:A/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 5.5 / Impact : 4.9

Access Vector ADJACENT_NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://excellium-services.com/cert-xlm-advisory/	Third Party Advisory
https://excellium-services.com/cert-xlm-advisory/cve-2019-19613/	Third Party Advisory
https://halvotec.de/produkte/raquest/	Product Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:halvotec:raquest:10.23.10801.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-03-16 21:15

Updated : 2024-02-04 21:00

NVD link : CVE-2019-19613

Mitre link : CVE-2019-19613

CVE.ORG link : CVE-2019-19613

JSON object : View

Products Affected

halvotec

raquest

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2019-19613", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 5.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.2, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.1}]}, "published": "2020-03-16T21:15:12.267", "references": [{"url": "https://excellium-services.com/cert-xlm-advisory/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://excellium-services.com/cert-xlm-advisory/cve-2019-19613/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://halvotec.de/produkte/raquest/", "tags": ["Product", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Halvotec RaQuest 10.23.10801.0. The login page of the admin application is vulnerable to an Open Redirect attack allowing an attacker to redirect a user to a malicious site after authentication. The attacker needs to be on the same network to modify the victim's request on the wire. Fixed in Release 24.2020.20608.0"}, {"lang": "es", "value": "Se detect\u00f3 un problema en Halvotec RaQuest versi\u00f3n 10.23.10801.0. La p\u00e1gina de inicio de sesi\u00f3n de la aplicaci\u00f3n de administraci\u00f3n es vulnerable a un ataque de Redireccionamiento Abierto que permite a un atacante redirigir a un usuario a un sitio malicioso despu\u00e9s de la autenticaci\u00f3n. El atacante necesita estar en la misma red para modificar la solicitud de la v\u00edctima en el cable. Corregido en la versi\u00f3n 24.2020.20608.0"}], "lastModified": "2020-06-25T21:15:09.903", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:halvotec:raquest:10.23.10801.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "96831FD3-6154-49F9-AD61-92F1061C16A7"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}