CVE-2019-6961

Published: Jun 20, 2019Modified: Nov 21, 2024

6.5

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Incorrect access control in actionHandlerUtility.php in the RDK RDKB-20181217-1 WebUI module allows a logged in user to control DDNS, QoS, RIP, and other privileged configurations (intended only for the network operator) by sending an HTTP POST to the PHP backend, because the page filtering for non-superuser (in header.php) is done only for GET requests and not for direct AJAX calls.

Affected (1)

Products: Rdkcentral: Rdkb Ccsppandm

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Rdkcentral Rdkb Ccsppandm	Version rdkb-20181217-1

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://dojo.bullguard.com/dojo-by-bullguard/blog/the-gateway-is-wide-open

Source: cve@mitre.org

Third Party Advisory

https://dojo.bullguard.com/dojo-by-bullguard/blog/the-gateway-is-wide-open

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.