CVE-2020-3920 - Vulnerability Details - OpenCVE

UltraLog Express device management interface does not properly perform access authentication in some specific pages/functions. Any user can access the privileged page to manage accounts through specific system directory.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00252.

Key SSVC decision points have not yet been added.

Vendors	Products
Unisoon	Ultralog Express Ultralog Express Firmware

Configuration 1 [-]

AND

cpe:2.3:o:unisoon:ultralog_express_firmware:1.4.0:*:*:*:*:*:*:*

cpe:2.3:h:unisoon:ultralog_express:-:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

Update to V1.5.0 or later version.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-3452-937d6-1.html

History

Tue, 17 Sep 2024 02:30:00 +0000

Type	Values Removed	Values Added
Description	UltraLog Express device management interface does not properly perform access authentication in some specific pages/functions. Any user can access the privileged page to manage accounts through specific system directory.	UltraLog Express device management interface does not properly perform access authentication in some specific pages/functions. Any user can access the privileged page to manage accounts through specific system directory.

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2020-03-27T03:50:25.735974Z

Updated: 2024-09-17T02:16:00.930Z

Reserved: 2019-12-20T00:00:00

Link: CVE-2020-3920

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-03-27T04:15:10.770

Modified: 2024-11-21T05:31:57.603

Link: CVE-2020-3920

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "UltraLog Express", "vendor": "Unisoon", "versions": [{"status": "affected", "version": "1.4.0"}]}], "datePublic": "2020-03-26T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>UltraLog Express device management interface does not properly perform access authentication in some specific pages/functions. Any user can access the privileged page to manage accounts through specific system directory.</p>"}], "value": "UltraLog Express device management interface does not properly perform access authentication in some specific pages/functions. Any user can access the privileged page to manage accounts through specific system directory."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"description": "Broken Authentication", "lang": "en"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-05-06T09:51:02.175Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-3452-937d6-1.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>\n\nUpdate to V1.5.0 or later version.\n\n</p>"}], "value": "Update to V1.5.0 or later version."}], "source": {"discovery": "UNKNOWN"}, "title": "Unisoon UltraLog Express - Broken Authentication", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2020-03-27T03:59:00.000Z", "ID": "CVE-2020-3920", "STATE": "PUBLIC", "TITLE": "Unisoon UltraLog Express - Broken Authentication"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "UltraLog Express", "version": {"version_data": [{"version_affected": "=", "version_value": "1.4.0"}]}}]}, "vendor_name": "Unisoon"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "UltraLog Express device management interface does not properly perform access authentication in some specific pages/functions. Any user can access the privileged page to manage accounts through specific system directory."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Broken Authentication"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-3452-937d6-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-3452-937d6-1.html"}]}, "solution": [{"lang": "en", "value": "Contact Unisoon for vulnerabilities repairment."}], "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:52:20.408Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-3452-937d6-1.html"}]}]}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2020-3920", "datePublished": "2020-03-27T03:50:25.735974Z", "dateReserved": "2019-12-20T00:00:00", "dateUpdated": "2024-09-17T02:16:00.930Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:unisoon:ultralog_express_firmware:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "E2447868-77F7-4F76-8403-429538463E95", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:unisoon:ultralog_express:-:*:*:*:*:*:*:*", "matchCriteriaId": "0CAA1710-42ED-4805-B485-5D0BD32D77F4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "UltraLog Express device management interface does not properly perform access authentication in some specific pages/functions. Any user can access the privileged page to manage accounts through specific system directory."}, {"lang": "es", "value": "La interfaz de administraci\u00f3n de dispositivos UltraLog Express, no realiza apropiadamente una autenticaci\u00f3n del acceso en algunas p\u00e1ginas y funciones espec\u00edficas. Cualquier usuario puede acceder a la p\u00e1gina privilegiada para administrar cuentas por medio de un directorio del sistema espec\u00edfico."}], "id": "CVE-2020-3920", "lastModified": "2024-11-21T05:31:57.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "twcert@cert.org.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-27T04:15:10.770", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-3452-937d6-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-3452-937d6-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}