← Back

CVE-2017-8328

nvd nist
Published: Jun 18, 2019Modified: Nov 21, 2024

JSON object

Loading...
8.8
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross site request forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface to change a user's password. Also this is a systemic issue.

Affected (3)

Securifi
3 products
Almond 2015 Firmware
Almond+firmware
Almond Firmware
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Almond 2015 Firmware
Version al-r096
Running on/withPlatform Versions
Securifi
Almond 2015
All versions
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Almond+firmware
Version al-r096
Running on/withPlatform Versions
Securifi
Almond+
All versions
Configuration C
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Almond Firmware
Version al-r096
Running on/withPlatform Versions
Securifi
Almond
All versions

Related CWEs

CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (6)

Source: cve@mitre.org
Third Party AdvisoryVDB Entry
Source: cve@mitre.org
ExploitThird Party Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory

Timeline

No history available yet.