Description

AVE DOMINAplus <=1.10.x suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file '/xml/authClients.xml' and obtain administrative login information that allows for a successful authentication bypass attack.

Related CPE's

a

ave

dominaplus

Vulnerable

o

ave

53ab-wbs_firmware

1.10.62

Vulnerable

h

ave

53ab-wbs

-

o

ave

ts01_firmware

1.0.65

Vulnerable

h

ave

ts01

-

o

ave

ts03x-v_firmware

1.10.45a

Vulnerable

h

ave

ts03x-v

-

o

ave

ts04x-v_firmware

1.10.45a

Vulnerable

h

ave

ts04x-v

-

o

ave

ts05_firmware

1.10.36

Vulnerable

h

ave

ts05

-

o

ave

ts05n-v_firmware

-

Vulnerable

h

ave

ts05n-v

-

References

https://cwe.mitre.org/data/definitions/522.html

Technical Description

https://www.exploit-db.com/exploits/47819

ExploitThird Party AdvisoryVDB Entry

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php

ExploitThird Party Advisory

Weaknesses

[email protected]

Primary
CWE-522

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 · Critical

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2021-04-28T15:15:07.917

4 years ago

Last modified

2022-10-26T15:15:08.737

2 years ago