In multiple Tecson Tankspion and GOKs SmartBox 4 products the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to a unauthenticated user with limited access rights. Based on the lack of adequately implemented access-control rules, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to change the application settings without authenticating at all, which violates originally laid ACL rules.
Metrics
Affected Vendors & Products
References
Link | Providers |
---|---|
https://cert.vde.com/en/advisories/VDE-2019-012/ |
History
No history.
MITRE
Status: PUBLISHED
Assigner: CERTVDE
Published: 2022-05-06T17:30:12.071700Z
Updated: 2024-09-16T20:22:12.620Z
Reserved: 2019-05-21T00:00:00
Link: CVE-2019-12254
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-05-06T18:15:08.397
Modified: 2024-11-21T04:22:29.477
Link: CVE-2019-12254
Redhat
No data.