Details of VAR-201405-0459

ID

VAR-201405-0459

CVE

CVE-2014-0786

TITLE

Ecava IntegraXor Guest Acccount Information Disclosure Vulnerability

Trust: 1.4

sources: ZDI: ZDI-14-369 // ZDI: ZDI-14-117

DESCRIPTION

Ecava IntegraXor before 4.1.4393 allows remote attackers to read cleartext credentials for administrative accounts via SELECT statements that leverage the guest role. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Ecava IntegraXor. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of the "guest" user. The issue lies in the ability the retrieve all project credentials. By abusing this flaw an attacker can disclose credentials and leverage this situation to achieve remote code execution. Ecava IntegraXor is a human interface product that uses HTML and SVG. Ecava IntegraXor has an unspecified error that allows an attacker to exploit a vulnerability to obtain sensitive account information. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. Ecava IntegraXor is prone to an information-disclosure vulnerability. Versions prior to IntegraXor 4.1.4393 are vulnerable

Trust: 4.14

sources: NVD: CVE-2014-0786 // JVNDB: JVNDB-2014-002340 // ZDI: ZDI-14-369 // ZDI: ZDI-14-117 // CNVD: CNVD-2014-02109 // BID: 69776 // BID: 66554 // IVD: 06e54bac-2352-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 06e54bac-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-02109

AFFECTED PRODUCTS

vendor:	ecava	model:	integraxor	scope:	eq	version:	4.1.4369	Trust: 1.6
vendor:	ecava	model:	integraxor	scope:	eq	version:	4.1.4360	Trust: 1.6
vendor:	ecava	model:	integraxor	scope:	eq	version:	4.1.4380	Trust: 1.6
vendor:	ecava	model:	integraxor	scope:	eq	version:	4.1.4340	Trust: 1.6
vendor:	ecava	model:	integraxor	scope:	eq	version:	4.1	Trust: 1.6
vendor:	ecava	model:	integraxor	scope:	-	version:	-	Trust: 1.4
vendor:	ecava	model:	integraxor	scope:	lte	version:	4.1.4390	Trust: 1.0
vendor:	ecava	model:	integraxor	scope:	lt	version:	4.1.4393	Trust: 0.8
vendor:	ecava	model:	integraxor	scope:	eq	version:	4.x	Trust: 0.6
vendor:	ecava	model:	integraxor	scope:	eq	version:	4.1.4390	Trust: 0.6
vendor:	ecava	model:	integraxor scada server	scope:	eq	version:	4.1.4392	Trust: 0.3
vendor:	ecava	model:	integraxor scada server	scope:	eq	version:	4.1.4360	Trust: 0.3
vendor:	ecava	model:	integraxor	scope:	eq	version:	3.71.4200	Trust: 0.3
vendor:	ecava	model:	integraxor	scope:	eq	version:	3.60.4050	Trust: 0.3
vendor:	ecava	model:	integraxor	scope:	eq	version:	3.60.4032	Trust: 0.3
vendor:	ecava	model:	integraxor	scope:	eq	version:	3.60	Trust: 0.3
vendor:	ecava	model:	integraxor	scope:	eq	version:	3.6.4000.5	Trust: 0.3
vendor:	ecava	model:	integraxor	scope:	eq	version:	3.6.4000.0	Trust: 0.3
vendor:	ecava	model:	integraxor	scope:	eq	version:	3.5.4000.5	Trust: 0.3
vendor:	ecava	model:	integraxor	scope:	eq	version:	3.5.3900.5	Trust: 0.3
vendor:	ecava	model:	integraxor	scope:	eq	version:	3.5.3900.10	Trust: 0.3
vendor:	ecava	model:	integraxor	scope:	eq	version:	3.5	Trust: 0.3
vendor:	integraxor	model:	-	scope:	eq	version:	4.1	Trust: 0.2
vendor:	integraxor	model:	-	scope:	eq	version:	4.1.4340	Trust: 0.2
vendor:	integraxor	model:	-	scope:	eq	version:	4.1.4360	Trust: 0.2
vendor:	integraxor	model:	-	scope:	eq	version:	4.1.4369	Trust: 0.2
vendor:	integraxor	model:	-	scope:	eq	version:	4.1.4380	Trust: 0.2
vendor:	integraxor	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 06e54bac-2352-11e6-abef-000c29c66e3d // ZDI: ZDI-14-369 // ZDI: ZDI-14-117 // CNVD: CNVD-2014-02109 // BID: 69776 // BID: 66554 // CNNVD: CNNVD-201404-616 // JVNDB: JVNDB-2014-002340 // NVD: CVE-2014-0786

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2014-0786
value:	HIGH
Trust: 1.4
ics-cert@hq.dhs.gov:	CVE-2014-0786
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2014-0786
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-0786
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2014-02109
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201404-616
value:	MEDIUM
Trust: 0.6
IVD:	06e54bac-2352-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2

ics-cert@hq.dhs.gov:	CVE-2014-0786
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 2.4
nvd@nist.gov:	CVE-2014-0786
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-02109
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	06e54bac-2352-11e6-abef-000c29c66e3d
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: 06e54bac-2352-11e6-abef-000c29c66e3d // ZDI: ZDI-14-369 // ZDI: ZDI-14-117 // CNVD: CNVD-2014-02109 // CNNVD: CNNVD-201404-616 // JVNDB: JVNDB-2014-002340 // NVD: CVE-2014-0786 // NVD: CVE-2014-0786

PROBLEMTYPE DATA

problemtype:	CWE-310	Trust: 1.8
problemtype:	CWE-200	Trust: 1.0

sources: JVNDB: JVNDB-2014-002340 // NVD: CVE-2014-0786

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-616

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201404-616

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002340

PATCH

title:	Account Information Disclosure Vulnerability Note	url:	http://www.integraxor.com/blog/category/security/vulnerability-note/	Trust: 0.8
title:	Ecava has issued an update to correct this vulnerability.	url:	https://ics-cert.us-cert.gov/advisories/ICSA-14-224-01	Trust: 0.7
title:	Ecava has issued an update to correct this vulnerability.	url:	http://ics-cert.us-cert.gov/advisories/ICSA-14-091-01	Trust: 0.7
title:	Ecava IntegraXor Account Information Disclosure Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/44617	Trust: 0.6

sources: ZDI: ZDI-14-369 // ZDI: ZDI-14-117 // CNVD: CNVD-2014-02109 // JVNDB: JVNDB-2014-002340

EXTERNAL IDS

db:	NVD	id:	CVE-2014-0786	Trust: 5.2
db:	ICS CERT	id:	ICSA-14-091-01	Trust: 2.4
db:	BID	id:	66554	Trust: 0.9
db:	CNVD	id:	CNVD-2014-02109	Trust: 0.8
db:	CNNVD	id:	CNNVD-201404-616	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-002340	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-2310	Trust: 0.7
db:	ZDI	id:	ZDI-14-369	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2041	Trust: 0.7
db:	ZDI	id:	ZDI-14-117	Trust: 0.7
db:	ICS CERT	id:	ICSA-14-224-01	Trust: 0.3
db:	BID	id:	69776	Trust: 0.3
db:	IVD	id:	06E54BAC-2352-11E6-ABEF-000C29C66E3D	Trust: 0.2

REFERENCES

url:	http://ics-cert.us-cert.gov/advisories/icsa-14-091-01	Trust: 3.1
url:	http://www.integraxor.com/blog/category/security/vulnerability-note/	Trust: 1.6
url:	https://ics-cert.us-cert.gov/advisories/icsa-14-224-01	Trust: 1.0
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-14-091-01	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0786	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0786	Trust: 0.8
url:	http://www.integraxor.com/blog/account-information-disclosure-vulnerability-note/	Trust: 0.6
url:	http://www.integraxor.com/	Trust: 0.6

sources: ZDI: ZDI-14-369 // ZDI: ZDI-14-117 // CNVD: CNVD-2014-02109 // BID: 69776 // BID: 66554 // CNNVD: CNNVD-201404-616 // JVNDB: JVNDB-2014-002340 // NVD: CVE-2014-0786

CREDITS

Andrea Micalizzi (rgod)

Trust: 0.7

sources: ZDI: ZDI-14-369

SOURCES

db:	IVD	id:	06e54bac-2352-11e6-abef-000c29c66e3d
db:	ZDI	id:	ZDI-14-369
db:	ZDI	id:	ZDI-14-117
db:	CNVD	id:	CNVD-2014-02109
db:	BID	id:	69776
db:	BID	id:	66554
db:	CNNVD	id:	CNNVD-201404-616
db:	JVNDB	id:	JVNDB-2014-002340
db:	NVD	id:	CVE-2014-0786

LAST UPDATE DATE

2025-09-26T23:28:12.614000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-14-369	date:	2014-10-24T00:00:00
db:	ZDI	id:	ZDI-14-117	date:	2014-05-02T00:00:00
db:	CNVD	id:	CNVD-2014-02109	date:	2014-05-09T00:00:00
db:	BID	id:	69776	date:	2014-09-11T00:00:00
db:	BID	id:	66554	date:	2014-10-29T00:59:00
db:	CNNVD	id:	CNNVD-201404-616	date:	2014-05-06T00:00:00
db:	JVNDB	id:	JVNDB-2014-002340	date:	2014-05-02T00:00:00
db:	NVD	id:	CVE-2014-0786	date:	2025-09-25T18:15:35.830

SOURCES RELEASE DATE

db:	IVD	id:	06e54bac-2352-11e6-abef-000c29c66e3d	date:	2014-04-03T00:00:00
db:	ZDI	id:	ZDI-14-369	date:	2014-10-24T00:00:00
db:	ZDI	id:	ZDI-14-117	date:	2014-05-02T00:00:00
db:	CNVD	id:	CNVD-2014-02109	date:	2014-04-03T00:00:00
db:	BID	id:	69776	date:	2014-09-11T00:00:00
db:	BID	id:	66554	date:	2014-04-01T00:00:00
db:	CNNVD	id:	CNNVD-201404-616	date:	2014-04-30T00:00:00
db:	JVNDB	id:	JVNDB-2014-002340	date:	2014-05-02T00:00:00
db:	NVD	id:	CVE-2014-0786	date:	2014-05-01T01:56:10.490