Sign-up

ID

VAR-201511-0018


CVE

CVE-2015-7912


TITLE

Tibbo AggreGate of AggreGate Server Service of ag_server_service.exe In any Java Code upload vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-006003

DESCRIPTION

The Ice Faces servlet in ag_server_service.exe in the AggreGate Server Service in Tibbo AggreGate before 5.30.06 allows remote attackers to upload and execute arbitrary Java code via a crafted XML document. Supplementary information : CWE Vulnerability type by CWE-434: Unrestricted Upload of File with Dangerous Type ( Unlimited upload of dangerous types of files ) Has been identified. http://cwe.mitre.org/data/definitions/434.htmlSkillfully crafted by a third party XML Any through document Java The code may be uploaded and executed. Authentication is not required to exploit this vulnerability. An attacker can leverage this vulnerability to execute code under the context of SYSTEM. Tibbo Technology AggreGate is a set of IoT platforms that Tibbo Technology uses to configure and monitor different electronic devices through network technology. AggreGate Platform is prone to multiple arbitrary file-upload vulnerabilities. AggreGate Platform 5.21.02 and prior versions are vulnerable

Trust: 3.6

sources: NVD: CVE-2015-7912 // JVNDB: JVNDB-2015-006003 // ZDI: ZDI-15-571 // CNVD: CNVD-2015-07766 // CNNVD: CNNVD-201511-386 // BID: 77658

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-07766

AFFECTED PRODUCTS

vendor:tibbomodel:aggregatescope:lteversion:5.21.02

Trust: 1.0

vendor:tibbomodel:aggregatescope:ltversion:(scada/hmi) 5.30.06

Trust: 0.8

vendor:tibbomodel:aggregate scada/hmiscope: - version: -

Trust: 0.7

vendor:tibbomodel:technology aggregate platformscope:ltversion:5.30.06

Trust: 0.6

vendor:tibbomodel:aggregatescope:eqversion:5.21.02

Trust: 0.6

sources: ZDI: ZDI-15-571 // CNVD: CNVD-2015-07766 // JVNDB: JVNDB-2015-006003 // CNNVD: CNNVD-201511-386 // NVD: CVE-2015-7912

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7912
value: HIGH

Trust: 1.0

NVD: CVE-2015-7912
value: HIGH

Trust: 0.8

ZDI: CVE-2015-7912
value: HIGH

Trust: 0.7

CNVD: CNVD-2015-07766
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201511-386
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2015-7912
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2015-7912
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

CNVD: CNVD-2015-07766
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: ZDI: ZDI-15-571 // CNVD: CNVD-2015-07766 // JVNDB: JVNDB-2015-006003 // CNNVD: CNNVD-201511-386 // NVD: CVE-2015-7912

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2015-006003 // NVD: CVE-2015-7912

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201511-386

TYPE

Input Validation Error

Trust: 0.3

sources: BID: 77658

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-006003

PATCH
title:AggreGateurl:http://aggregate.tibbo.com/
Trust: 0.8
title:Tibbo has issued an update to correct this vulnerability.url:https://ics-cert.us-cert.gov/advisories/ICSA-15-323-01
Trust: 0.7
title:Patch for Tibbo Technology AggreGate Remote Code Execution Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/67104
Trust: 0.6
title:Tibbo Technology AggreGate Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=58835
Trust: 0.6
sources:
            
            
            ZDI: ZDI-15-571 // 
            
            
            
            CNVD: CNVD-2015-07766 // 
            
            
            
            JVNDB: JVNDB-2015-006003 // 
            
            
            
            CNNVD: CNNVD-201511-386

EXTERNAL IDS
db:NVDid:CVE-2015-7912
Trust: 4.0
db:ICS CERTid:ICSA-15-323-01
Trust: 3.0
db:ZDIid:ZDI-15-571
Trust: 2.9
db:JVNDBid:JVNDB-2015-006003
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-3134
Trust: 0.7
db:CNVDid:CNVD-2015-07766
Trust: 0.6
db:CNNVDid:CNNVD-201511-386
Trust: 0.6
db:BIDid:77658
Trust: 0.3
sources:
            
            
            ZDI: ZDI-15-571 // 
            
            
            
            CNVD: CNVD-2015-07766 // 
            
            
            
            BID: 77658 // 
            
            
            
            JVNDB: JVNDB-2015-006003 // 
            
            
            
            CNNVD: CNNVD-201511-386 // 
            
            
            
            NVD: CVE-2015-7912

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-15-323-01
Trust: 3.7
url:http://zerodayinitiative.com/advisories/zdi-15-571/
Trust: 2.2
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7912
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7912
Trust: 0.8
sources:
            
            
            ZDI: ZDI-15-571 // 
            
            
            
            CNVD: CNVD-2015-07766 // 
            
            
            
            JVNDB: JVNDB-2015-006003 // 
            
            
            
            CNNVD: CNNVD-201511-386 // 
            
            
            
            NVD: CVE-2015-7912

CREDITS
Andrea Micalizzi (rgod)
Trust: 1.0
sources:
            
            
            ZDI: ZDI-15-571 // 
            
            
            
            BID: 77658

SOURCES
db:ZDIid:ZDI-15-571
db:CNVDid:CNVD-2015-07766
db:BIDid:77658
db:JVNDBid:JVNDB-2015-006003
db:CNNVDid:CNNVD-201511-386
db:NVDid:CVE-2015-7912

LAST UPDATE DATE
2025-04-12T23:04:31.669000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-15-571date:2015-11-20T00:00:00
db:CNVDid:CNVD-2015-07766date:2015-11-25T00:00:00
db:BIDid:77658date:2015-12-07T22:25:00
db:JVNDBid:JVNDB-2015-006003date:2015-11-24T00:00:00
db:CNNVDid:CNNVD-201511-386date:2015-11-23T00:00:00
db:NVDid:CVE-2015-7912date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:ZDIid:ZDI-15-571date:2015-11-20T00:00:00
db:CNVDid:CNVD-2015-07766date:2015-11-25T00:00:00
db:BIDid:77658date:2015-11-19T00:00:00
db:JVNDBid:JVNDB-2015-006003date:2015-11-24T00:00:00
db:CNNVDid:CNNVD-201511-386date:2015-11-23T00:00:00
db:NVDid:CVE-2015-7912date:2015-11-21T11:59:24.390