The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Small 05.01 build 1137 devices allows remote attackers to make several types of API calls without authentication, as demonstrated by retrieving password hashes via an inc/utils/REST_API.php?command=CallAPI&customurl=alladminusers call.
References
Link | Resource |
---|---|
https://members.backbox.org/saet-tebe-small-supervisor-multiple-vulnerabilities/ | Exploit Third Party Advisory |
https://www.saet.org/wp-content/uploads/2017/04/Depliant_TEBE-TEBE_Small.pdf | Product Vendor Advisory |
Configurations
History
No history.
Information
Published : 2019-05-31 22:29
Updated : 2024-02-04 20:20
NVD link : CVE-2019-9105
Mitre link : CVE-2019-9105
CVE.ORG link : CVE-2019-9105
JSON object : View
Products Affected
saet
- webapp
- tebe_small
- tebe_small_firmware
CWE
CWE-306
Missing Authentication for Critical Function