CVE-2009-0194 - Vulnerability Details - OpenCVE

The domain-locking implementation in the GARMINAXCONTROL.GarminAxControl_t.1 ActiveX control in npGarmin.dll in the Garmin Communicator Plug-In 2.6.4.0 does not properly enforce the restrictions that (1) download and (2) upload requests come from a web site specified by the user, which allows remote attackers to obtain sensitive information or reconfigure Garmin GPS devices via unspecified vectors related to a "synchronisation error."

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.01417.

Key SSVC decision points have not yet been added.

Vendors	Products
Garmin	Garmin Communicator Plugin

Configuration 1 [-]

cpe:2.3:a:garmin:garmin_communicator_plugin:2.6.4.0:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2009-0203	The domain-locking implementation in the GARMINAXCONTROL.GarminAxControl_t.1 ActiveX control in npGarmin.dll in the Garmin Communicator Plug-In 2.6.4.0 does not properly enforce the restrictions that (1) download and (2) upload requests come from a web site specified by the user, which allows remote attackers to obtain sensitive information or reconfigure Garmin GPS devices via unspecified vectors related to a "synchronisation error."

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://osvdb.org/54258
http://secunia.com/advisories/34326
http://secunia.com/secunia_research/2009-16/
http://securitytracker.com/id?1022173
http://www.securityfocus.com/archive/1/503319/100/0/threaded
http://www.securityfocus.com/bid/34858
https://exchange.xforce.ibmcloud.com/vulnerabilities/50360

History

No history.

MITRE

Status: PUBLISHED

Assigner: flexera

Published: 2009-05-11T15:19:00

Updated: 2024-08-07T04:24:18.271Z

Reserved: 2009-01-20T00:00:00

Link: CVE-2009-0194

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2009-05-11T15:30:00.313

Modified: 2025-04-09T00:30:58.490

Link: CVE-2009-0194

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-05-07T00:00:00", "descriptions": [{"lang": "en", "value": "The domain-locking implementation in the GARMINAXCONTROL.GarminAxControl_t.1 ActiveX control in npGarmin.dll in the Garmin Communicator Plug-In 2.6.4.0 does not properly enforce the restrictions that (1) download and (2) upload requests come from a web site specified by the user, which allows remote attackers to obtain sensitive information or reconfigure Garmin GPS devices via unspecified vectors related to a \"synchronisation error.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-11T19:57:01", "orgId": "44d08088-2bea-4760-83a6-1e9be26b15ab", "shortName": "flexera"}, "references": [{"name": "communicator-domain-security-bypass(50360)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50360"}, {"tags": ["x_refsource_MISC"], "url": "http://secunia.com/secunia_research/2009-16/"}, {"name": "1022173", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1022173"}, {"name": "20090507 Secunia Research: Garmin Communicator Plug-In Domain Locking Security Bypass", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/503319/100/0/threaded"}, {"name": "34858", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/34858"}, {"name": "54258", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/54258"}, {"name": "34326", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/34326"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "PSIRT-CNA@flexerasoftware.com", "ID": "CVE-2009-0194", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The domain-locking implementation in the GARMINAXCONTROL.GarminAxControl_t.1 ActiveX control in npGarmin.dll in the Garmin Communicator Plug-In 2.6.4.0 does not properly enforce the restrictions that (1) download and (2) upload requests come from a web site specified by the user, which allows remote attackers to obtain sensitive information or reconfigure Garmin GPS devices via unspecified vectors related to a \"synchronisation error.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "communicator-domain-security-bypass(50360)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50360"}, {"name": "http://secunia.com/secunia_research/2009-16/", "refsource": "MISC", "url": "http://secunia.com/secunia_research/2009-16/"}, {"name": "1022173", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1022173"}, {"name": "20090507 Secunia Research: Garmin Communicator Plug-In Domain Locking Security Bypass", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/503319/100/0/threaded"}, {"name": "34858", "refsource": "BID", "url": "http://www.securityfocus.com/bid/34858"}, {"name": "54258", "refsource": "OSVDB", "url": "http://osvdb.org/54258"}, {"name": "34326", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34326"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T04:24:18.271Z"}, "title": "CVE Program Container", "references": [{"name": "communicator-domain-security-bypass(50360)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50360"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://secunia.com/secunia_research/2009-16/"}, {"name": "1022173", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1022173"}, {"name": "20090507 Secunia Research: Garmin Communicator Plug-In Domain Locking Security Bypass", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/503319/100/0/threaded"}, {"name": "34858", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/34858"}, {"name": "54258", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/54258"}, {"name": "34326", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/34326"}]}]}, "cveMetadata": {"assignerOrgId": "44d08088-2bea-4760-83a6-1e9be26b15ab", "assignerShortName": "flexera", "cveId": "CVE-2009-0194", "datePublished": "2009-05-11T15:19:00", "dateReserved": "2009-01-20T00:00:00", "dateUpdated": "2024-08-07T04:24:18.271Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:garmin:garmin_communicator_plugin:2.6.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "B771DDAB-4FD0-4BD2-9057-DD2CE1C7B580", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The domain-locking implementation in the GARMINAXCONTROL.GarminAxControl_t.1 ActiveX control in npGarmin.dll in the Garmin Communicator Plug-In 2.6.4.0 does not properly enforce the restrictions that (1) download and (2) upload requests come from a web site specified by the user, which allows remote attackers to obtain sensitive information or reconfigure Garmin GPS devices via unspecified vectors related to a \"synchronisation error.\""}, {"lang": "es", "value": "La implementaci\u00f3n del bloqueo de dominio en el control ActiveX GARMINAXCONTROL.GarminAxControl_t.1 de npGarmin.dll en Garmin Communicator Plug-In v2.6.4.0 no aplica adecuadamente las restricciones para peticiones de (1) descarga (2) subida que proceden de un sitio web especificado por el usuario, lo que permite a atacantes remotos obtener informaci\u00f3n sensible o reconfigurar los dispositivos Garmin GPS a trav\u00e9s de vectores no especificados relacionados con un \"error de sincronizaci\u00f3n\"."}], "id": "CVE-2009-0194", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2009-05-11T15:30:00.313", "references": [{"source": "PSIRT-CNA@flexerasoftware.com", "url": "http://osvdb.org/54258"}, {"source": "PSIRT-CNA@flexerasoftware.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/34326"}, {"source": "PSIRT-CNA@flexerasoftware.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/secunia_research/2009-16/"}, {"source": "PSIRT-CNA@flexerasoftware.com", "url": "http://securitytracker.com/id?1022173"}, {"source": "PSIRT-CNA@flexerasoftware.com", "url": "http://www.securityfocus.com/archive/1/503319/100/0/threaded"}, {"source": "PSIRT-CNA@flexerasoftware.com", "url": "http://www.securityfocus.com/bid/34858"}, {"source": "PSIRT-CNA@flexerasoftware.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50360"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/54258"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/34326"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/secunia_research/2009-16/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1022173"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/503319/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/34858"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50360"}], "sourceIdentifier": "PSIRT-CNA@flexerasoftware.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}