CVE-2019-13529 - OpenCVE

An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sma	Sunny Webbox Sunny Webbox Firmware

Configuration 1 [-]

AND

cpe:2.3:h:sma:sunny_webbox:-:*:*:*:*:*:*:*

cpe:2.3:o:sma:sunny_webbox_firmware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/154789/SMA-Solar-Technology-AG-Sunny-WebBox-1.6-Cross-Site-Request-Forgery.html
https://www.us-cert.gov/ics/advisories/icsa-19-281-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2019-10-09T15:26:53

Updated: 2024-08-04T23:57:39.443Z

Reserved: 2019-07-11T00:00:00

Link: CVE-2019-13529

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-10-09T16:15:14.310

Modified: 2019-10-15T16:54:29.497

Link: CVE-2019-13529

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Sunny WebBox", "vendor": "SMA Solar Technology AG", "versions": [{"status": "affected", "version": "Firmware Version 1.6 and prior"}]}], "descriptions": [{"lang": "en", "value": "An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CROSS-SITE REQUEST FORGERY (CSRF) CWE-352", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-10-10T16:06:06", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-281-01"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/154789/SMA-Solar-Technology-AG-Sunny-WebBox-1.6-Cross-Site-Request-Forgery.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2019-13529", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Sunny WebBox", "version": {"version_data": [{"version_value": "Firmware Version 1.6 and prior"}]}}]}, "vendor_name": "SMA Solar Technology AG"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CROSS-SITE REQUEST FORGERY (CSRF) CWE-352"}]}]}, "references": {"reference_data": [{"name": "https://www.us-cert.gov/ics/advisories/icsa-19-281-01", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsa-19-281-01"}, {"name": "http://packetstormsecurity.com/files/154789/SMA-Solar-Technology-AG-Sunny-WebBox-1.6-Cross-Site-Request-Forgery.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/154789/SMA-Solar-Technology-AG-Sunny-WebBox-1.6-Cross-Site-Request-Forgery.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:57:39.443Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-281-01"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/154789/SMA-Solar-Technology-AG-Sunny-WebBox-1.6-Cross-Site-Request-Forgery.html"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2019-13529", "datePublished": "2019-10-09T15:26:53", "dateReserved": "2019-07-11T00:00:00", "dateUpdated": "2024-08-04T23:57:39.443Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:sma:sunny_webbox:-:*:*:*:*:*:*:*", "matchCriteriaId": "640FCE11-8A7C-4582-BEF5-42C4F3B8DEDA", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:sma:sunny_webbox_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "03ADE62A-867D-4F4D-BA85-B0C1B8D9C0A2", "versionEndIncluding": "1.6", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation."}, {"lang": "es", "value": "Un atacante podr\u00eda enviar un enlace malicioso a un operador autenticado, lo que puede permitir a atacantes remotos realizar acciones con los permisos del usuario en Sunny WebBox versi\u00f3n de firmware 1.6 y anteriores. Este dispositivo utiliza direcciones IP para mantener la comunicaci\u00f3n despu\u00e9s de un inicio de sesi\u00f3n con \u00e9xito, lo que incrementar\u00eda la facilidad de explotaci\u00f3n."}], "id": "CVE-2019-13529", "lastModified": "2019-10-15T16:54:29.497", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-09T16:15:14.310", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory"], "url": "http://packetstormsecurity.com/files/154789/SMA-Solar-Technology-AG-Sunny-WebBox-1.6-Cross-Site-Request-Forgery.html"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-281-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}