CVE-2018-13810 - OpenCVE

A vulnerability has been identified in CP 1604 (All versions), CP 1616 (All versions). The integrated configuration web server of the affected CP devices could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. At the time of advisory publication no public exploitation of this vulnerability was known.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Siemens	Cp 1604 Cp 1604 Firmware Cp 1616 Cp 1616 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:siemens:cp_1604_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:cp_1604:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:h:siemens:cp_1616:-:*:*:*:*:*:*:*

cpe:2.3:o:siemens:cp_1616_firmware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-559174.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2019-04-17T13:38:34

Updated: 2024-08-05T09:14:47.298Z

Reserved: 2018-07-10T00:00:00

Link: CVE-2018-13810

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-04-17T14:29:03.230

Modified: 2019-07-11T22:15:10.873

Link: CVE-2018-13810

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "CP 1604", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions"}]}, {"product": "CP 1616", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in CP 1604 (All versions), CP 1616 (All versions). The integrated configuration web server of the affected CP devices could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. At the time of advisory publication no public exploitation of this vulnerability was known."}], "problemTypes": [{"descriptions": [{"description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-11T21:17:46", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-559174.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productcert@siemens.com", "ID": "CVE-2018-13810", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CP 1604", "version": {"version_data": [{"version_value": "All versions"}]}}, {"product_name": "CP 1616", "version": {"version_data": [{"version_value": "All versions"}]}}]}, "vendor_name": "Siemens"}]}}, "cve_id": "CVE-2018-13810", "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability has been identified in CP 1604 (All versions), CP 1616 (All versions). The integrated configuration web server of the affected CP devices could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. At the time of advisory publication no public exploitation of this vulnerability was known."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-559174.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-559174.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T09:14:47.298Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-559174.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2018-13810", "datePublished": "2019-04-17T13:38:34", "dateReserved": "2018-07-10T00:00:00", "dateUpdated": "2024-08-05T09:14:47.298Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:cp_1604_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DC92E3A-CA37-4D08-A0EB-71DBB4C5395A", "versionEndIncluding": "2.8", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:cp_1604:-:*:*:*:*:*:*:*", "matchCriteriaId": "6148BD0D-5BD1-4182-8202-EBDB56B0D146", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:cp_1616:-:*:*:*:*:*:*:*", "matchCriteriaId": "1D7CC79A-1446-415F-8BFF-71C82C9256BB", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:cp_1616_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D5FEC73-E96E-4945-8C0B-4A7B5B236ABD", "versionEndIncluding": "2.8", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in CP 1604 (All versions), CP 1616 (All versions). The integrated configuration web server of the affected CP devices could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. At the time of advisory publication no public exploitation of this vulnerability was known."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en CP 1604 (todas las versiones), CP 1616 (todas las versiones). La configuraci\u00f3n integrada del servidor web de los dispositivos CP afectados podr\u00eda permitir un Cross-Site Request Forgery (CSRF) si un usuario confiado es enga\u00f1ado para acceder a un enlace malicioso. La explotaci\u00f3n con \u00e9xito requiere la interacci\u00f3n del usuario por parte de un usuario leg\u00edtimo. Un ataque con \u00e9xito podr\u00eda permitir a un atacante desencadenar acciones por medio de la interfaz web que el usuario leg\u00edtimo puede realizar. En el momento de la publicaci\u00f3n consultiva, no se conoc\u00eda la explotaci\u00f3n p\u00fablica de esta vulnerabilidad."}], "id": "CVE-2018-13810", "lastModified": "2019-07-11T22:15:10.873", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-17T14:29:03.230", "references": [{"source": "productcert@siemens.com", "tags": ["Vendor Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-559174.pdf"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}