CVE-2018-19616

Published: Dec 26, 2018Modified: Nov 21, 2024

8.1

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

An issue was discovered in Rockwell Automation Allen-Bradley PowerMonitor 1000. An unauthenticated user can add/edit/remove administrators because access control is implemented on the client side via a disabled attribute for a BUTTON element.

Affected (1)

Products: Rockwellautomation: Powermonitor 1000 Firmware

Rockwellautomation

1 product

Powermonitor 1000 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Rockwellautomation Powermonitor 1000 Firmware	Version 1408-em3a-ent_b

Running on/with	Platform Versions
Rockwellautomation Powermonitor 1000	All versions

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (10)

http://packetstormsecurity.com/files/150619/Rockwell-Automation-Allen-Bradley-PowerMonitor-1000-Authentication-Bypass.html

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/106333

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/108538

Source: cve@mitre.org

https://ics-cert.us-cert.gov/advisories/ICSA-19-050-04

Source: cve@mitre.org

Third Party AdvisoryUS Government Resource

https://www.exploit-db.com/exploits/45937/

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/150619/Rockwell-Automation-Allen-Bradley-PowerMonitor-1000-Authentication-Bypass.html