CVE-2020-3921 - Vulnerability Details - OpenCVE

UltraLog Express device management software stores user’s information in cleartext. Any user can obtain accounts information through a specific page.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00183.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Unisoon	Ultralog Express Ultralog Express Firmware

Configuration 1 [-]

AND

cpe:2.3:o:unisoon:ultralog_express_firmware:1.4.0:*:*:*:*:*:*:*

cpe:2.3:h:unisoon:ultralog_express:-:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2020-25186	UltraLog Express device management software stores user’s information in cleartext. Any user can obtain accounts information through a specific page.

Fixes

Solution

Update to V1.5.0 or later version.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-3453-442a5-1.html

History

Wed, 18 Sep 2024 08:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 17 Sep 2024 01:45:00 +0000

Type	Values Removed	Values Added
Description	UltraLog Express device management software stores user’s information in cleartext. Any user can obtain accounts information through a specific page.	UltraLog Express device management software stores user’s information in cleartext. Any user can obtain accounts information through a specific page.

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2020-03-27T03:50:26.138651Z

Updated: 2024-09-17T01:41:03.399Z

Reserved: 2019-12-20T00:00:00

Link: CVE-2020-3921

Vulnrichment

Updated: 2024-08-04T07:52:20.541Z

NVD

Status : Modified

Published: 2020-03-27T04:15:10.850

Modified: 2024-11-21T05:31:57.727

Link: CVE-2020-3921

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "UltraLog Express", "vendor": "Unisoon", "versions": [{"status": "affected", "version": "1.4.0"}]}], "datePublic": "2020-03-26T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>UltraLog Express device management software stores user\u2019s information in cleartext. Any user can obtain accounts information through a specific page.</p>"}], "value": "UltraLog Express device management software stores user\u2019s information in cleartext. Any user can obtain accounts information through a specific page."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"description": "Sensitive Data Exposure", "lang": "en"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-05-06T09:50:31.446Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-3453-442a5-1.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Update to V1.5.0 or later version.</span>"}], "value": "Update to V1.5.0 or later version."}], "source": {"discovery": "UNKNOWN"}, "title": "Unisoon UltraLog Express - Sensitive Data Exposure", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2020-03-27T03:59:00.000Z", "ID": "CVE-2020-3921", "STATE": "PUBLIC", "TITLE": "Unisoon UltraLog Express - Sensitive Data Exposure"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "UltraLog Express", "version": {"version_data": [{"version_affected": "=", "version_value": "1.4.0"}]}}]}, "vendor_name": "Unisoon"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "UltraLog Express device management software stores user\u2019s information in cleartext. Any user can obtain accounts information through a specific page."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Sensitive Data Exposure"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-3453-442a5-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-3453-442a5-1.html"}]}, "solution": [{"lang": "en", "value": "Contact Unisoon for vulnerabilities repairment."}], "source": {"discovery": "UNKNOWN"}}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-3921", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-07T18:19:54.193307Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:unisoon:ultralog_express_firmware:1.4.0:*:*:*:*:*:*:*"], "vendor": "unisoon", "product": "ultralog_express_firmware", "versions": [{"status": "affected", "version": "1.4.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:12:13.125Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:52:20.541Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-3453-442a5-1.html"}]}]}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2020-3921", "datePublished": "2020-03-27T03:50:26.138651Z", "dateReserved": "2019-12-20T00:00:00", "dateUpdated": "2024-09-17T01:41:03.399Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-3453-442a5-1.html", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:52:20.541Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-3921", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-07T18:19:54.193307Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:unisoon:ultralog_express_firmware:1.4.0:*:*:*:*:*:*:*"], "vendor": "unisoon", "product": "ultralog_express_firmware", "versions": [{"status": "affected", "version": "1.4.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-07T18:08:55.329Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Unisoon UltraLog Express - Sensitive Data Exposure", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Unisoon", "product": "UltraLog Express", "versions": [{"status": "affected", "version": "1.4.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to V1.5.0 or later version.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Update to V1.5.0 or later version.</span>", "base64": false}]}], "datePublic": "2020-03-26T16:00:00.000Z", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-3453-442a5-1.html", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "UltraLog Express device management software stores user\u2019s information in cleartext. Any user can obtain accounts information through a specific page.", "supportingMedia": [{"type": "text/html", "value": "<p>UltraLog Express device management software stores user\u2019s information in cleartext. Any user can obtain accounts information through a specific page.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Sensitive Data Exposure"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-05-06T09:50:31.446Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.4.0", "version_affected": "="}]}, "product_name": "UltraLog Express"}]}, "vendor_name": "Unisoon"}]}}, "solution": [{"lang": "en", "value": "Contact Unisoon for vulnerabilities repairment."}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.twcert.org.tw/tw/cp-132-3453-442a5-1.html", "name": "https://www.twcert.org.tw/tw/cp-132-3453-442a5-1.html", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "UltraLog Express device management software stores user\u2019s information in cleartext. Any user can obtain accounts information through a specific page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Sensitive Data Exposure"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-3921", "AKA": "TWCERT/CC", "STATE": "PUBLIC", "TITLE": "Unisoon UltraLog Express - Sensitive Data Exposure", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2020-03-27T03:59:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2020-3921", "state": "PUBLISHED", "dateUpdated": "2024-09-17T01:41:03.399Z", "dateReserved": "2019-12-20T00:00:00", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "datePublished": "2020-03-27T03:50:26.138651Z", "assignerShortName": "twcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:unisoon:ultralog_express_firmware:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "E2447868-77F7-4F76-8403-429538463E95", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:unisoon:ultralog_express:-:*:*:*:*:*:*:*", "matchCriteriaId": "0CAA1710-42ED-4805-B485-5D0BD32D77F4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "UltraLog Express device management software stores user\u2019s information in cleartext. Any user can obtain accounts information through a specific page."}, {"lang": "es", "value": "El software de administraci\u00f3n de dispositivos UltraLog Express, almacena una informaci\u00f3n del usuario en texto sin cifrar. Cualquier usuario puede obtener informaci\u00f3n de las cuentas por medio de una p\u00e1gina espec\u00edfica."}], "id": "CVE-2020-3921", "lastModified": "2024-11-21T05:31:57.727", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "twcert@cert.org.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-27T04:15:10.850", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-3453-442a5-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-3453-442a5-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "nvd@nist.gov", "type": "Primary"}]}