CVE-2017-5142 - Vulnerability Details - OpenCVE

An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. A user with low privileges is able to open and change the parameters by accessing a specific URL because of Improper Privilege Management.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00332.

Key SSVC decision points have not yet been added.

Vendors	Products
Honeywell	Xl Web Ii Controller

Configuration 1 [-]

AND

OR	cpe:2.3:o:honeywell:xl_web_ii_controller:xlwebexe-1-02-08:::::::*
	cpe:2.3:o:honeywell:xl_web_ii_controller:xlwebexe-2-01-00:::::::*

cpe:2.3:h:honeywell:xl_web_ii_controller:-:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2017-14251	An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. A user with low privileges is able to open and change the parameters by accessing a specific URL because of Improper Privilege Management.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.securityfocus.com/bid/95971
https://ics-cert.us-cert.gov/advisories/ICSA-17-033-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2017-02-13T21:00:00

Updated: 2024-08-05T14:55:35.162Z

Reserved: 2017-01-03T00:00:00

Link: CVE-2017-5142

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-02-13T21:59:02.457

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-5142

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Honeywell XL Web II Controller", "vendor": "n/a", "versions": [{"status": "affected", "version": "Honeywell XL Web II Controller"}]}], "datePublic": "2017-02-13T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. A user with low privileges is able to open and change the parameters by accessing a specific URL because of Improper Privilege Management."}], "problemTypes": [{"descriptions": [{"description": "Honeywell XL Web II Controller Improper Privilege Management", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-02-14T10:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"name": "95971", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95971"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-033-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2017-5142", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Honeywell XL Web II Controller", "version": {"version_data": [{"version_value": "Honeywell XL Web II Controller"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. A user with low privileges is able to open and change the parameters by accessing a specific URL because of Improper Privilege Management."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Honeywell XL Web II Controller Improper Privilege Management"}]}]}, "references": {"reference_data": [{"name": "95971", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95971"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-033-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-033-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:55:35.162Z"}, "title": "CVE Program Container", "references": [{"name": "95971", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/95971"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-033-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-5142", "datePublished": "2017-02-13T21:00:00", "dateReserved": "2017-01-03T00:00:00", "dateUpdated": "2024-08-05T14:55:35.162Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:honeywell:xl_web_ii_controller:xlwebexe-1-02-08:*:*:*:*:*:*:*", "matchCriteriaId": "6F06D365-A41E-45EE-8F93-035E1B8C2723", "vulnerable": true}, {"criteria": "cpe:2.3:o:honeywell:xl_web_ii_controller:xlwebexe-2-01-00:*:*:*:*:*:*:*", "matchCriteriaId": "3B7544CA-319B-40A2-AD75-FF0159DF0DAA", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:honeywell:xl_web_ii_controller:-:*:*:*:*:*:*:*", "matchCriteriaId": "C7B6E447-DF91-45ED-86FD-921C6A4FCD21", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. A user with low privileges is able to open and change the parameters by accessing a specific URL because of Improper Privilege Management."}, {"lang": "es", "value": "Ha sido descubierto un problema en el controlador XL1000C500 XLWebExe-2-01-00 de XLWebExe-2 y anteriores y XLWebExe-1-02-08 y anteriores de XLWebExe-1-02-08 de Honeywell XL Web. Un usuario con privilegios bajos puede abrir y cambiar los par\u00e1metros accediendo a una URL espec\u00edfica debido a una gesti\u00f3n de privilegios incorrecta."}], "id": "CVE-2017-5142", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 3.1, "impactScore": 5.3, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-13T21:59:02.457", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95971"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-033-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95971"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-033-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}