← Back

CVE-2018-8859

nvd nist
Published: Jul 24, 2018Modified: Jun 2, 2026

JSON object

Loading...
9.8
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. An attacker can bypass the required authentication specified in the security configuration file by including extra characters in the directory name when specifying the directory to be accessed. This vulnerability does not affect the i.LON 600 product.

Affected (4)

Echelon
4 products
Smartserver 1 Firmware
Smartserver 2 Firmware
I.lon 100 Firmware
I.lon 600 Firmware
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Smartserver 1 Firmware
All versions
Running on/withPlatform Versions
Echelon
Smartserver 1
All versions
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Smartserver 2 Firmware
Before 4.11.007
Running on/withPlatform Versions
Echelon
Smartserver 2
All versions
Configuration C
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
I.lon 100 Firmware
All versions
Running on/withPlatform Versions
Echelon
I.lon 100
All versions
Configuration D
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
I.lon 600 Firmware
All versions
Running on/withPlatform Versions
Echelon
I.lon 600
All versions

Related CWEs

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-288
Authentication Bypass Using an Alternate Path or Channel
A product requires authentication, but the product has an alternate path or channel that does not require authentication.

References (2)

Source: ics-cert@hq.dhs.gov
Third Party AdvisoryUS Government Resource
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryUS Government Resource

Timeline

No history available yet.