CVE-2017-14943 - OpenCVE

Trapeze TransitMaster is vulnerable to information disclosure (emails / hashed passwords) via a modified userID field in JSON data to ManageSubscriber.aspx/GetSubscriber. NOTE: this software is independently deployed at multiple municipal transit systems; it is not found exclusively on the "webwatch.(REDACTED).com" server mentioned in the reference.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Trapezegroup	Transitmaster

Configuration 1 [-]

cpe:2.3:a:trapezegroup:transitmaster:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://raw.githubusercontent.com/badbiddy/Vulnerability-Disclosure/master/TransitMaster%20%3E%20Information%20Disclosure%20-%20CVE-2017-14943

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-10-10T06:00:00

Updated: 2024-08-05T19:42:22.206Z

Reserved: 2017-09-29T00:00:00

Link: CVE-2017-14943

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-10-10T06:29:00.240

Modified: 2017-11-05T22:55:48.297

Link: CVE-2017-14943

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-10-10T00:00:00", "descriptions": [{"lang": "en", "value": "Trapeze TransitMaster is vulnerable to information disclosure (emails / hashed passwords) via a modified userID field in JSON data to ManageSubscriber.aspx/GetSubscriber. NOTE: this software is independently deployed at multiple municipal transit systems; it is not found exclusively on the \"webwatch.(REDACTED).com\" server mentioned in the reference."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-10T05:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://raw.githubusercontent.com/badbiddy/Vulnerability-Disclosure/master/TransitMaster%20%3E%20Information%20Disclosure%20-%20CVE-2017-14943"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-14943", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Trapeze TransitMaster is vulnerable to information disclosure (emails / hashed passwords) via a modified userID field in JSON data to ManageSubscriber.aspx/GetSubscriber. NOTE: this software is independently deployed at multiple municipal transit systems; it is not found exclusively on the \"webwatch.(REDACTED).com\" server mentioned in the reference."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://raw.githubusercontent.com/badbiddy/Vulnerability-Disclosure/master/TransitMaster%20%3E%20Information%20Disclosure%20-%20CVE-2017-14943", "refsource": "MISC", "url": "https://raw.githubusercontent.com/badbiddy/Vulnerability-Disclosure/master/TransitMaster%20%3E%20Information%20Disclosure%20-%20CVE-2017-14943"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T19:42:22.206Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://raw.githubusercontent.com/badbiddy/Vulnerability-Disclosure/master/TransitMaster%20%3E%20Information%20Disclosure%20-%20CVE-2017-14943"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-14943", "datePublished": "2017-10-10T06:00:00", "dateReserved": "2017-09-29T00:00:00", "dateUpdated": "2024-08-05T19:42:22.206Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trapezegroup:transitmaster:-:*:*:*:*:*:*:*", "matchCriteriaId": "EF8C9B0E-9B84-4343-8EAC-36D3EA15CE56", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Trapeze TransitMaster is vulnerable to information disclosure (emails / hashed passwords) via a modified userID field in JSON data to ManageSubscriber.aspx/GetSubscriber. NOTE: this software is independently deployed at multiple municipal transit systems; it is not found exclusively on the \"webwatch.(REDACTED).com\" server mentioned in the reference."}, {"lang": "es", "value": "Trapeze TransitMaster es vulnerable a divulgaci\u00f3n de informaci\u00f3n (emails/contrase\u00f1as con hash) mediante un campo userID modificado en datos JSON en ManageSubscriber.aspx/GetSubscriber. NOTA: este software se despliega de manera independiente en m\u00faltiples sistemas de tr\u00e1nsito municipales, no se encuentra exclusivamente en el servidor \"webwatch.(REDACTED).com\" mencionado en la referencia."}], "id": "CVE-2017-14943", "lastModified": "2017-11-05T22:55:48.297", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-10T06:29:00.240", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://raw.githubusercontent.com/badbiddy/Vulnerability-Disclosure/master/TransitMaster%20%3E%20Information%20Disclosure%20-%20CVE-2017-14943"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}