ID

VAR-201408-0348


CVE

CVE-2014-5396


TITLE

Schrack Emergency Lights System Multiple Security Vulnerabilities

Trust: 0.9

sources: BID: 68484 // CNNVD: CNNVD-201407-300

DESCRIPTION

The web interface in Schrack Technik microControl with firmware before 1.7.0 (937) has a hardcoded password of "not" for the "user" account, which makes it easier for remote attackers to obtain access via unspecified vectors.

Schrack Emergency Lights System is an emergency lighting system from the Austrian company Schrack. The system includes self-contained emergency luminaires, low power systems (LPS), and more. Schrack Emergency Lights System versions prior to 1.7.0 (937) have the following security vulnerabilities:

1. Insecure default password vulnerability
2. Authentication bypass vulnerability
3. Multiple HTML injection vulnerabilities
4. Information disclosure vulnerability

Attackers can use these vulnerabilities to bypass authentication mechanisms, perform unauthorized operations, obtain sensitive information, execute arbitrary script code in the context of affected browsers, and steal cookie-based authentication credentials.

Schrack Technik microControl is a distributed power supply system (low power system) from Schrack Technik of Austria. A remote attacker could exploit this vulnerability to gain access.

Trust: 2.52

sources: NVD: CVE-2014-5396 // JVNDB: JVNDB-2014-003932 // CNNVD: CNNVD-201407-300 // BID: 68484 // VULHUB: VHN-73337

AFFECTED PRODUCTS

vendor: schrack, model: technik microcontrol, scope: lte, version: 1.7.0

Trust: 1.0

vendor: schrack, model: technik microcontrol, scope: eq, version: -

Trust: 1.0

vendor: schrack, model: technik microcontrol, scope: -, version: -

Trust: 0.8

vendor: schrack, model: technik microcontrol, scope: lt, version: 1.7.0 (937)

Trust: 0.8

vendor: schrack, model: technik microcontrol, scope: eq, version: 1.7.0

Trust: 0.6

sources: JVNDB: JVNDB-2014-003932 // CNNVD: CNNVD-201408-362 // NVD: CVE-2014-5396

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-5396
value: HIGH

Trust: 1.0

NVD: CVE-2014-5396
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201408-362
value: HIGH

Trust: 0.6

VULHUB: VHN-73337
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-5396
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-73337
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-73337 // JVNDB: JVNDB-2014-003932 // CNNVD: CNNVD-201408-362 // NVD: CVE-2014-5396

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-255

Trust: 0.8

sources: JVNDB: JVNDB-2014-003932 // NVD: CVE-2014-5396

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201408-362 // CNNVD: CNNVD-201407-300

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201408-362

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003932

PATCH

title: MICRO CONTROL, url: http://image.schrack.com/produktkataloge/w_p-micro10_de.pdf

Trust: 0.8

title: Top Page, url: http://www.schrack.com/

Trust: 0.8

sources: JVNDB: JVNDB-2014-003932

EXTERNAL IDS

db: NVD, id: CVE-2014-5396

Trust: 2.8

db: BID, id: 68484

Trust: 0.9

db: JVNDB, id: JVNDB-2014-003932

Trust: 0.8

db: CNNVD, id: CNNVD-201408-362

Trust: 0.6

db: CNNVD, id: CNNVD-201407-300

Trust: 0.6

db: VULHUB, id: VHN-73337

Trust: 0.1

sources: VULHUB: VHN-73337 // BID: 68484 // JVNDB: JVNDB-2014-003932 // CNNVD: CNNVD-201408-362 // CNNVD: CNNVD-201407-300 // NVD: CVE-2014-5396

REFERENCES

url:http://seclists.org/fulldisclosure/2014/jul/40

Trust: 2.5

url:https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140710-2_schrack_technik_microcontrol_multiple_critical_vulnerabilities_v10.txt

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5396

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-5396

Trust: 0.8

url:http://www.securityfocus.com/bid/68484

Trust: 0.6

sources: VULHUB: VHN-73337 // JVNDB: JVNDB-2014-003932 // CNNVD: CNNVD-201408-362 // CNNVD: CNNVD-201407-300 // NVD: CVE-2014-5396

CREDITS

C. Kudera

Trust: 0.9

sources: BID: 68484 // CNNVD: CNNVD-201407-300

SOURCES

db: VULHUB, id: VHN-73337
db: BID, id: 68484
db: JVNDB, id: JVNDB-2014-003932
db: CNNVD, id: CNNVD-201408-362
db: CNNVD, id: CNNVD-201407-300
db: NVD, id: CVE-2014-5396

LAST UPDATE DATE

2025-04-13T23:10:08.387000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-73337, date: 2014-08-28T00:00:00
db: BID, id: 68484, date: 2014-10-21T16:00:00
db: JVNDB, id: JVNDB-2014-003932, date: 2014-08-26T00:00:00
db: CNNVD, id: CNNVD-201408-362, date: 2014-09-03T00:00:00
db: CNNVD, id: CNNVD-201407-300, date: 2014-07-14T00:00:00
db: NVD, id: CVE-2014-5396, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-73337, date: 2014-08-22T00:00:00
db: BID, id: 68484, date: 2014-07-10T00:00:00
db: JVNDB, id: JVNDB-2014-003932, date: 2014-08-26T00:00:00
db: CNNVD, id: CNNVD-201408-362, date: 2014-08-26T00:00:00
db: CNNVD, id: CNNVD-201407-300, date: 2014-07-14T00:00:00
db: NVD, id: CVE-2014-5396, date: 2014-08-22T14:55:09.437