Details of VAR-201310-0626

ID

VAR-201310-0626

CVE

CVE-2013-6128

TITLE

WellinTech KingView of KChartXY.ocx Vulnerable to arbitrary file generation

Trust: 0.8

sources: JVNDB: JVNDB-2013-004902

DESCRIPTION

The KCHARTXYLib.KChartXY ActiveX control in KChartXY.ocx before 65.30.30000.10002 in WellinTech KingView before 6.53 does not properly restrict SaveToFile method calls, which allows remote attackers to create or overwrite arbitrary files, and subsequently execute arbitrary programs, via the single pathname argument, as demonstrated by a directory traversal attack. Kingview is the first SCADA product launched by Asia Control for small and medium-sized projects for monitoring and controlling automation equipment and processes. WellinTech KingView ActiveX has multiple arbitrary file coverage vulnerabilities. Because the program fails to properly filter user input, an attacker can exploit the vulnerability to save arbitrary files on the affected application context computer. WellinTech KingView is prone to multiple insecure-method vulnerabilities because it fails to properly sanitize user-supplied input. KingView 6.53 is vulnerable; other versions may also be affected

Trust: 2.43

sources: NVD: CVE-2013-6128 // JVNDB: JVNDB-2013-004902 // CNVD: CNVD-2013-13162 // BID: 62419

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2013-13162

AFFECTED PRODUCTS

vendor:	wellintech	model:	kingview	scope:	lte	version:	6.52	Trust: 1.0
vendor:	wellintech	model:	kingview	scope:	eq	version:	6.53	Trust: 0.9
vendor:	wellintech	model:	kingview	scope:	lt	version:	6.53 (kchartxy.ocx 65.30.30000.10002 )	Trust: 0.8
vendor:	wellintech	model:	kingview	scope:	eq	version:	6.52	Trust: 0.6

sources: CNVD: CNVD-2013-13162 // BID: 62419 // JVNDB: JVNDB-2013-004902 // CNNVD: CNNVD-201310-514 // NVD: CVE-2013-6128

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-6128
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-6128
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2013-13162
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201310-514
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2013-6128
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2013-13162
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2013-13162 // JVNDB: JVNDB-2013-004902 // CNNVD: CNNVD-201310-514 // NVD: CVE-2013-6128

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.8

sources: JVNDB: JVNDB-2013-004902 // NVD: CVE-2013-6128

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201310-514

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201310-514

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-004902

PATCH

title:	Top Page	url:	http://en.wellintech.com/	Trust: 0.8
title:	トップページ	url:	http://www.wellintech.co.jp/	Trust: 0.8
title:	WellinTech KingView ActiveX has multiple patches for arbitrary file coverage vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/67162	Trust: 0.6

sources: CNVD: CNVD-2013-13162 // JVNDB: JVNDB-2013-004902

EXTERNAL IDS

db:	NVD	id:	CVE-2013-6128	Trust: 3.3
db:	ICS CERT	id:	ICSA-13-295-01	Trust: 2.4
db:	EXPLOIT-DB	id:	28085	Trust: 1.6
db:	BID	id:	62419	Trust: 1.5
db:	JVNDB	id:	JVNDB-2013-004902	Trust: 0.8
db:	ICS CERT ALERT	id:	ICS-ALERT-13-256-01	Trust: 0.6
db:	CNVD	id:	CNVD-2013-13162	Trust: 0.6
db:	CNNVD	id:	CNNVD-201310-514	Trust: 0.6

sources: CNVD: CNVD-2013-13162 // BID: 62419 // JVNDB: JVNDB-2013-004902 // CNNVD: CNNVD-201310-514 // NVD: CVE-2013-6128

REFERENCES

url:	http://ics-cert.us-cert.gov/advisories/icsa-13-295-01	Trust: 2.4
url:	http://www.exploit-db.com/exploits/28085/	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6128	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6128	Trust: 0.8
url:	http://ics-cert.us-cert.gov/alerts/ics-alert-13-256-01	Trust: 0.6
url:	http://www.securityfocus.com/bid/62419	Trust: 0.6

sources: CNVD: CNVD-2013-13162 // JVNDB: JVNDB-2013-004902 // CNNVD: CNNVD-201310-514 // NVD: CVE-2013-6128

CREDITS

Blake

Trust: 0.9

sources: BID: 62419 // CNNVD: CNNVD-201310-514

SOURCES

db:	CNVD	id:	CNVD-2013-13162
db:	BID	id:	62419
db:	JVNDB	id:	JVNDB-2013-004902
db:	CNNVD	id:	CNNVD-201310-514
db:	NVD	id:	CVE-2013-6128

LAST UPDATE DATE

2025-04-11T23:09:49.671000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2013-13162	date:	2015-11-24T00:00:00
db:	BID	id:	62419	date:	2013-10-23T00:37:00
db:	JVNDB	id:	JVNDB-2013-004902	date:	2013-10-29T00:00:00
db:	CNNVD	id:	CNNVD-201310-514	date:	2013-10-28T00:00:00
db:	NVD	id:	CVE-2013-6128	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2013-13162	date:	2013-09-22T00:00:00
db:	BID	id:	62419	date:	2013-09-04T00:00:00
db:	JVNDB	id:	JVNDB-2013-004902	date:	2013-10-29T00:00:00
db:	CNNVD	id:	CNNVD-201310-514	date:	2013-09-04T00:00:00
db:	NVD	id:	CVE-2013-6128	date:	2013-10-25T20:55:03.517