CVE-2019-7387 - OpenCVE

A local file inclusion vulnerability exists in the web interface of Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. When the export function is called from system/maintenance/export.php, it accepts the path provided by the user, leading to path traversal via the name parameter.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Systrome	Isg-600c Isg-600c Firmware Isg-600h Isg-600h Firmware Isg-800w Isg-800w Firmware

Configuration 1 [-]

AND

cpe:2.3:o:systrome:isg-600c_firmware:1.1-r2.1_trunk-20180914:*:*:*:*:*:*:*

cpe:2.3:h:systrome:isg-600c:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:systrome:isg-600h_firmware:1.1-r2.1_trunk-20180914:*:*:*:*:*:*:*

cpe:2.3:h:systrome:isg-600h:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:systrome:isg-800w_firmware:1.1-r2.1_trunk-20180914:*:*:*:*:*:*:*

cpe:2.3:h:systrome:isg-800w:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://s3curityb3ast.github.io/KSA-Dev-004.md
https://www.breakthesec.com/2019/02/cve-2019-7387-authenticated-arbitrary.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-02-04T22:00:00

Updated: 2024-08-04T20:46:46.248Z

Reserved: 2019-02-04T00:00:00

Link: CVE-2019-7387

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-02-04T22:29:00.393

Modified: 2019-05-08T21:29:08.477

Link: CVE-2019-7387

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-02-04T00:00:00", "descriptions": [{"lang": "en", "value": "A local file inclusion vulnerability exists in the web interface of Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. When the export function is called from system/maintenance/export.php, it accepts the path provided by the user, leading to path traversal via the name parameter."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-05-08T20:25:51", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://s3curityb3ast.github.io/KSA-Dev-004.md"}, {"tags": ["x_refsource_MISC"], "url": "https://www.breakthesec.com/2019/02/cve-2019-7387-authenticated-arbitrary.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-7387", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A local file inclusion vulnerability exists in the web interface of Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. When the export function is called from system/maintenance/export.php, it accepts the path provided by the user, leading to path traversal via the name parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://s3curityb3ast.github.io/KSA-Dev-004.md", "refsource": "MISC", "url": "https://s3curityb3ast.github.io/KSA-Dev-004.md"}, {"name": "https://www.breakthesec.com/2019/02/cve-2019-7387-authenticated-arbitrary.html", "refsource": "MISC", "url": "https://www.breakthesec.com/2019/02/cve-2019-7387-authenticated-arbitrary.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T20:46:46.248Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://s3curityb3ast.github.io/KSA-Dev-004.md"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.breakthesec.com/2019/02/cve-2019-7387-authenticated-arbitrary.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-7387", "datePublished": "2019-02-04T22:00:00", "dateReserved": "2019-02-04T00:00:00", "dateUpdated": "2024-08-04T20:46:46.248Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:systrome:isg-600c_firmware:1.1-r2.1_trunk-20180914:*:*:*:*:*:*:*", "matchCriteriaId": "6A432A82-F0B8-4FA6-AF37-52223EABF84D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:systrome:isg-600c:-:*:*:*:*:*:*:*", "matchCriteriaId": "243A6566-F147-4570-8202-83EEED89E979", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:systrome:isg-600h_firmware:1.1-r2.1_trunk-20180914:*:*:*:*:*:*:*", "matchCriteriaId": "BC395883-1101-4835-83B5-B898BD5F7EC1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:systrome:isg-600h:-:*:*:*:*:*:*:*", "matchCriteriaId": "0028BB03-5133-438F-965D-D340ECC140A7", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:systrome:isg-800w_firmware:1.1-r2.1_trunk-20180914:*:*:*:*:*:*:*", "matchCriteriaId": "EFB2602D-0D41-49B2-92C1-FDC8D90DBC48", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:systrome:isg-800w:-:*:*:*:*:*:*:*", "matchCriteriaId": "2FFDBA22-57B3-492A-9813-0C8591844C68", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A local file inclusion vulnerability exists in the web interface of Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. When the export function is called from system/maintenance/export.php, it accepts the path provided by the user, leading to path traversal via the name parameter."}, {"lang": "es", "value": "Existe una vulnerabilidad de inclusi\u00f3n de archivos locales en la interfaz web de los dispositivos Systrome Cumilon ISG-600C, ISG-600H y ISG-800W 1.1-R2.1_TRUNK-20180914.bin. Cuando se llama a la funci\u00f3n export desde system/maintenance/export.php, acepta la ruta proporcionada por el usuario, lo que conduce a un salto de directorio mediante el par\u00e1metro name."}], "id": "CVE-2019-7387", "lastModified": "2019-05-08T21:29:08.477", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-04T22:29:00.393", "references": [{"source": "cve@mitre.org", "url": "https://s3curityb3ast.github.io/KSA-Dev-004.md"}, {"source": "cve@mitre.org", "url": "https://www.breakthesec.com/2019/02/cve-2019-7387-authenticated-arbitrary.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}