CVE-2017-8328

Published Jun 18, 2019

Last updated 6 years ago

CVSS high 8.8

Overview

Description: An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross site request forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface to change a user's password. Also this is a systemic issue.
Source: cve@mitre.org
NVD status: Analyzed

Risk scores

CVSS 3.0

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 9.3
Impact score: 10
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:C/I:C/A:C

Weaknesses

nvd@nist.gov: CWE-352

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:securifi:almond_2015:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "927187D5-C000-4DC3-BECA-7872D2294820"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:securifi:almond_2015_firmware:al-r096:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "208D57C5-306D-4759-9A80-9FC41EAABAF9"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:securifi:almond\\+:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "D3472E5F-5B79-4D36-B6AF-DFAE3021B803"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:securifi:almond\\+firmware:al-r096:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "006ED0DA-A55E-419B-ADE6-F116A64DBE45"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:securifi:almond:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "1EF61C46-EE6E-4592-B912-93D733A82095"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:securifi:almond_firmware:al-r096:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "43B428E1-51D5-48DA-B852-93434A9A8945"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]

Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References