CVE-2019-16261 - OpenCVE

Tripp Lite PDUMH15AT 12.04.0053 devices allow unauthenticated POST requests to the /Forms/ directory, as demonstrated by changing the manager or admin password, or shutting off power to an outlet. NOTE: the vendor's position is that a newer firmware version, fixing this vulnerability, had already been released before this vulnerability report about 12.04.0053.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Complete

AV:N/AC:L/Au:N/C:N/I:P/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tripplite	Pdumh15at Pdumh15at Firmware

Configuration 1 [-]

AND

cpe:2.3:o:tripplite:pdumh15at_firmware:12.04.0053:*:*:*:*:*:*:*

cpe:2.3:h:tripplite:pdumh15at:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-09-12T14:07:11

Updated: 2024-08-05T01:10:41.697Z

Reserved: 2019-09-12T00:00:00

Link: CVE-2019-16261

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-09-12T15:15:11.157

Modified: 2019-09-13T16:55:01.627

Link: CVE-2019-16261

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Tripp Lite PDUMH15AT 12.04.0053 devices allow unauthenticated POST requests to the /Forms/ directory, as demonstrated by changing the manager or admin password, or shutting off power to an outlet. NOTE: the vendor's position is that a newer firmware version, fixing this vulnerability, had already been released before this vulnerability report about 12.04.0053."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-12T14:07:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-16261", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Tripp Lite PDUMH15AT 12.04.0053 devices allow unauthenticated POST requests to the /Forms/ directory, as demonstrated by changing the manager or admin password, or shutting off power to an outlet. NOTE: the vendor's position is that a newer firmware version, fixing this vulnerability, had already been released before this vulnerability report about 12.04.0053."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits", "refsource": "MISC", "url": "https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:10:41.697Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-16261", "datePublished": "2019-09-12T14:07:11", "dateReserved": "2019-09-12T00:00:00", "dateUpdated": "2024-08-05T01:10:41.697Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tripplite:pdumh15at_firmware:12.04.0053:*:*:*:*:*:*:*", "matchCriteriaId": "C3D415AD-B58A-4B6C-A8BB-64B4AFF025CC", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tripplite:pdumh15at:-:*:*:*:*:*:*:*", "matchCriteriaId": "FBA0D9EE-D5FE-4C60-BEAE-228E34AC7FF9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tripp Lite PDUMH15AT 12.04.0053 devices allow unauthenticated POST requests to the /Forms/ directory, as demonstrated by changing the manager or admin password, or shutting off power to an outlet. NOTE: the vendor's position is that a newer firmware version, fixing this vulnerability, had already been released before this vulnerability report about 12.04.0053."}, {"lang": "es", "value": "Dispositivos Tripp Lite PDUMH15AT versi\u00f3n 12.04.0053, permiten peticiones POST no autenticadas en el directorio /Forms/, como es demostrado al cambiar el administrador o la contrase\u00f1a de administrador, o al apagar la alimentaci\u00f3n a una toma de corriente. NOTA: la posici\u00f3n del proveedor es que una versi\u00f3n de firmware m\u00e1s nueva, que corrige esta vulnerabilidad, ya hab\u00eda sido publicado antes de este reporte de vulnerabilidad alrededor de la versi\u00f3n 12.04.0053."}], "id": "CVE-2019-16261", "lastModified": "2019-09-13T16:55:01.627", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 8.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 7.8, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-12T15:15:11.157", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}