CVE-2020-16839

On Crestron DM-NVX-DIR, DM-NVX-DIR80, and DM-NVX-ENT devices before the DM-XIO/1-0-3-802 patch, the password can be changed by sending an unauthenticated WebSocket request.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://support.crestron.com	Vendor Advisory
https://www.crestron.com/Software-Firmware/Firmware/DigitalMedia/DM-XIO/1-0-3-802	Permissions Required
https://www.security.crestron.com	Broken Link
https://www.crestron.com/Security/Security-at-Crestron	Vendor Advisory
https://support.crestron.com	Vendor Advisory
https://www.crestron.com/Software-Firmware/Firmware/DigitalMedia/DM-XIO/1-0-3-802	Permissions Required
https://www.security.crestron.com	Broken Link

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:crestron:dm-nvx-dir-80_firmware:1.0.1.788:*:*:*:*:*:*:*

cpe:2.3:h:crestron:dm-nvx-dir-80:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:crestron:dm-nvx-dir-160_firmware:1.0.1.788:*:*:*:*:*:*:*

cpe:2.3:h:crestron:dm-nvx-dir-160:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:crestron:dm-nvx-dir-ent_firmware:1.0.1.788:*:*:*:*:*:*:*

cpe:2.3:h:crestron:dm-nvx-dir-ent:-:*:*:*:*:*:*:*

History

21 Nov 2024, 05:07

Type	Values Removed	Values Added
References	~~() https://support.crestron.com - Vendor Advisory~~	() https://support.crestron.com - Vendor Advisory
References	~~() https://www.crestron.com/Software-Firmware/Firmware/DigitalMedia/DM-XIO/1-0-3-802 - Permissions Required~~	() https://www.crestron.com/Software-Firmware/Firmware/DigitalMedia/DM-XIO/1-0-3-802 - Permissions Required
References	~~() https://www.security.crestron.com - Broken Link~~	() https://www.security.crestron.com - Broken Link

12 Jul 2022, 17:42

Type	Values Removed	Values Added
CWE	~~CWE-522~~	CWE-287

10 Feb 2022, 17:06

Type	Values Removed	Values Added
CPE	cpe:2.3:h:creston:dm-nvx-dir160:::::::: cpe:2.3:h:creston:dm-nvx-dir-ent:::::::: cpe:2.3:h:creston:dm-nvx-dir80::::::::	cpe:2.3:h:crestron:dm-nvx-dir-ent:-:::::::* cpe:2.3:h:crestron:dm-nvx-dir-160:-:::::::* cpe:2.3:h:crestron:dm-nvx-dir-80:-:::::::*

10 Feb 2022, 16:06

Type	Values Removed	Values Added
CPE	cpe:2.3:o:creston:dm-nvx-dir160_firmware:1.0.1.788:::::::* cpe:2.3:o:creston:dm-nvx-dir-ent_firmware:1.0.1.788:::::::* cpe:2.3:o:creston:dm-nvx-dir80_firmware:1.0.1.788:::::::*	cpe:2.3:o:crestron:dm-nvx-dir-80_firmware:1.0.1.788:::::::* cpe:2.3:o:crestron:dm-nvx-dir-ent_firmware:1.0.1.788:::::::* cpe:2.3:o:crestron:dm-nvx-dir-160_firmware:1.0.1.788:::::::*

11 Aug 2021, 15:16

Type	Values Removed	Values Added
CPE		cpe:2.3:h:creston:dm-nvx-dir-ent:::::::: cpe:2.3:h:creston:dm-nvx-dir80:::::::: cpe:2.3:h:creston:dm-nvx-dir160:::::::: cpe:2.3:o:creston:dm-nvx-dir-ent_firmware:1.0.1.788:::::::* cpe:2.3:o:creston:dm-nvx-dir80_firmware:1.0.1.788:::::::* cpe:2.3:o:creston:dm-nvx-dir160_firmware:1.0.1.788:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 5.0 v3 : 7.5
CWE		CWE-522
References		(MISC) https://www.crestron.com/Security/Security-at-Crestron - Vendor Advisory
References	~~(MISC) https://support.crestron.com -~~	(MISC) https://support.crestron.com - Vendor Advisory
References	~~(CONFIRM) https://www.crestron.com/Software-Firmware/Firmware/DigitalMedia/DM-XIO/1-0-3-802 -~~	(CONFIRM) https://www.crestron.com/Software-Firmware/Firmware/DigitalMedia/DM-XIO/1-0-3-802 - Permissions Required
References	~~(CONFIRM) https://www.security.crestron.com -~~	(CONFIRM) https://www.security.crestron.com - Broken Link

30 Jul 2021, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-07-30 14:15

Updated : 2024-11-21 05:07

NVD link : CVE-2020-16839

Mitre link : CVE-2020-16839

CVE.ORG link : CVE-2020-16839

JSON object : View

Products Affected

crestron

dm-nvx-dir-160_firmware
dm-nvx-dir-ent
dm-nvx-dir-80
dm-nvx-dir-80_firmware
dm-nvx-dir-ent_firmware
dm-nvx-dir-160

CWE

CWE-287

Improper Authentication

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2020-16839

7.5^/10

5.0^/10

Attach tags to `CVE-2020-16839`