CVE-2013-6922 - OpenCVE

Multiple cross-site request forgery (CSRF) vulnerabilities in the Seagate BlackArmor NAS 220 devices with firmware sg2000-2000.1331 allow remote attackers to hijack the authentication of administrators for requests that (1) add user accounts via a crafted request to admin/access_control_user_add.php; (2) modify or (3) delete user accounts; (4) perform a factory reset; (5) perform a device reboot; or (6) add, (7) modify, or (8) delete shares and volumes.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Seagate	Blackarmor Nas 220 Blackarmor Nas 220 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:seagate:blackarmor_nas_220_firmware:sg2000-2000.1331:*:*:*:*:*:*:*

OR	cpe:2.3:h:seagate:blackarmor_nas_220:st320005lsa10g-rk:::::::*
	cpe:2.3:h:seagate:blackarmor_nas_220:st340005lsa10g-rk:::::::*
	cpe:2.3:h:seagate:blackarmor_nas_220:stav6000100:::::::*

No data.

References

Link	Providers
http://secunia.com/advisories/56047
http://www.exploit-db.com/exploits/30726

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-01-21T16:00:00

Updated: 2024-08-06T17:53:44.820Z

Reserved: 2013-12-03T00:00:00

Link: CVE-2013-6922

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2014-01-21T16:06:19.763

Modified: 2014-01-22T19:49:01.510

Link: CVE-2013-6922

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-01-10T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the Seagate BlackArmor NAS 220 devices with firmware sg2000-2000.1331 allow remote attackers to hijack the authentication of administrators for requests that (1) add user accounts via a crafted request to admin/access_control_user_add.php; (2) modify or (3) delete user accounts; (4) perform a factory reset; (5) perform a device reboot; or (6) add, (7) modify, or (8) delete shares and volumes."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-01-21T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "56047", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/56047"}, {"name": "30726", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/30726"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-6922", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the Seagate BlackArmor NAS 220 devices with firmware sg2000-2000.1331 allow remote attackers to hijack the authentication of administrators for requests that (1) add user accounts via a crafted request to admin/access_control_user_add.php; (2) modify or (3) delete user accounts; (4) perform a factory reset; (5) perform a device reboot; or (6) add, (7) modify, or (8) delete shares and volumes."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "56047", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/56047"}, {"name": "30726", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/30726"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T17:53:44.820Z"}, "title": "CVE Program Container", "references": [{"name": "56047", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/56047"}, {"name": "30726", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "http://www.exploit-db.com/exploits/30726"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-6922", "datePublished": "2014-01-21T16:00:00", "dateReserved": "2013-12-03T00:00:00", "dateUpdated": "2024-08-06T17:53:44.820Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:seagate:blackarmor_nas_220_firmware:sg2000-2000.1331:*:*:*:*:*:*:*", "matchCriteriaId": "99E562A1-2345-4D30-9AE1-2CA8731F21B0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:seagate:blackarmor_nas_220:st320005lsa10g-rk:*:*:*:*:*:*:*", "matchCriteriaId": "4A12C2D2-D210-409F-9121-F5307466CD0F", "vulnerable": true}, {"criteria": "cpe:2.3:h:seagate:blackarmor_nas_220:st340005lsa10g-rk:*:*:*:*:*:*:*", "matchCriteriaId": "4BC0CC4C-D27F-4CF6-A789-8BD8020795C9", "vulnerable": true}, {"criteria": "cpe:2.3:h:seagate:blackarmor_nas_220:stav6000100:*:*:*:*:*:*:*", "matchCriteriaId": "EBB53E0C-3722-4E42-8981-B2083EFDC6BE", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the Seagate BlackArmor NAS 220 devices with firmware sg2000-2000.1331 allow remote attackers to hijack the authentication of administrators for requests that (1) add user accounts via a crafted request to admin/access_control_user_add.php; (2) modify or (3) delete user accounts; (4) perform a factory reset; (5) perform a device reboot; or (6) add, (7) modify, or (8) delete shares and volumes."}, {"lang": "es", "value": "Multiples vulnerabilidades cross-site request forgery (CSRF) en los dispositivos Seagate BlackArmor NAS 220 con firmware SG2000-2000.1331 que ermite a atacantes remotos secuestrar la autenticaci\u00f3n de los administradores para las peticiones que (1) a\u00f1aden cuentas de usuario a trav\u00e9s de una solicitud manipulada a admin / access_control_user_add.php , (2) modifican (3) eliminan cuentas de usuario, (4) realizan un restablecimiento de f\u00e1brica, (5) realizan un reinicio del dispositivo, o (6) a\u00f1aden, (7) modifican, o (8) eliminan los recursos compartidos y vol\u00famenes."}], "id": "CVE-2013-6922", "lastModified": "2014-01-22T19:49:01.510", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-01-21T16:06:19.763", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/56047"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.exploit-db.com/exploits/30726"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}