ID

VAR-201604-0072


CVE

CVE-2016-2303


TITLE

CRLF Injection Vulnerability in Ecava IntegraXor

Trust: 0.8

sources: JVNDB: JVNDB-2016-002348

DESCRIPTION

CRLF injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL. A CRLF injection vulnerability exists in Ecava IntegraXor. Supplementary information: the vulnerability type has been identified as CWE-93: Improper Neutralization of CRLF Sequences (CRLF Injection). Ecava IntegraXor is a web-based tool for creating and running HMI interfaces for SCADA systems. The Ecava IntegraXor HMI failed to properly handle specific elements in the input, allowing remote attackers to exploit the vulnerability to bypass security restrictions. Ecava IntegraXor is prone to the following security vulnerabilities:

1. A clear-text transmission of sensitive information vulnerability
2. A cross-site scripting vulnerability
3. Multiple security bypass vulnerabilities
4. Multiple SQL-injection vulnerabilities

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, gain access to sensitive information, or bypass security restrictions.

Trust: 2.61

sources: NVD: CVE-2016-2303 // JVNDB: JVNDB-2016-002348 // CNVD: CNVD-2016-02330 // BID: 86088 // IVD: 58af9c0e-2351-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 58af9c0e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-02330

AFFECTED PRODUCTS

vendor: ecava, model: integraxor, scope: lte, version: 4.2.4502

Trust: 1.0

vendor: ecava, model: integraxor, scope: lt, version: 5.0 build 4522

Trust: 0.8

vendor: ecava, model: integraxor build, scope: lt, version: 5.04522

Trust: 0.6

vendor: ecava, model: integraxor, scope: eq, version: 4.2.4502

Trust: 0.6

vendor: integraxor, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 58af9c0e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-02330 // JVNDB: JVNDB-2016-002348 // CNNVD: CNNVD-201604-319 // NVD: CVE-2016-2303

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-2303
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-2303
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2016-02330
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201604-319
value: MEDIUM

Trust: 0.6

IVD: 58af9c0e-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2016-2303
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-02330
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 58af9c0e-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2016-2303
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: IVD: 58af9c0e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-02330 // JVNDB: JVNDB-2016-002348 // CNNVD: CNNVD-201604-319 // NVD: CVE-2016-2303

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2016-002348 // NVD: CVE-2016-2303

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201604-319

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201604-319

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-002348

PATCH

title: Top Page, url: http://www.integraxor.com/

Trust: 0.8

title: Ecava IntegraXor HMI Permissions Bypass Vulnerability Patch, url: https://www.cnvd.org.cn/patchInfo/show/74340

Trust: 0.6

sources: CNVD: CNVD-2016-02330 // JVNDB: JVNDB-2016-002348

EXTERNAL IDS

db: NVD, id: CVE-2016-2303

Trust: 3.5

db: ICS CERT, id: ICSA-16-105-03

Trust: 3.3

db: CNVD, id: CNVD-2016-02330

Trust: 0.8

db: CNNVD, id: CNNVD-201604-319

Trust: 0.8

db: JVNDB, id: JVNDB-2016-002348

Trust: 0.8

db: BID, id: 86088

Trust: 0.3

db: IVD, id: 58AF9C0E-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: 58af9c0e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-02330 // BID: 86088 // JVNDB: JVNDB-2016-002348 // CNNVD: CNNVD-201604-319 // NVD: CVE-2016-2303

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-16-105-03

Trust: 3.3

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2303

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2303

Trust: 0.8

url:http://www.integraxor.com/

Trust: 0.3

sources: CNVD: CNVD-2016-02330 // BID: 86088 // JVNDB: JVNDB-2016-002348 // CNNVD: CNNVD-201604-319 // NVD: CVE-2016-2303

CREDITS

Marcus Richerson and Steven Seeley of Source Incite, working with Trend Micro’s Zero Day Initiative

Trust: 0.6

sources: CNNVD: CNNVD-201604-319

SOURCES

db: IVD, id: 58af9c0e-2351-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2016-02330
db: BID, id: 86088
db: JVNDB, id: JVNDB-2016-002348
db: CNNVD, id: CNNVD-201604-319
db: NVD, id: CVE-2016-2303

LAST UPDATE DATE

2025-04-12T23:04:22.064000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2016-02330, date: 2016-04-19T00:00:00
db: BID, id: 86088, date: 2016-07-06T14:31:00
db: JVNDB, id: JVNDB-2016-002348, date: 2016-04-28T00:00:00
db: CNNVD, id: CNNVD-201604-319, date: 2016-04-22T00:00:00
db: NVD, id: CVE-2016-2303, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: IVD, id: 58af9c0e-2351-11e6-abef-000c29c66e3d, date: 2016-04-19T00:00:00
db: CNVD, id: CNVD-2016-02330, date: 2016-04-19T00:00:00
db: BID, id: 86088, date: 2016-04-14T00:00:00
db: JVNDB, id: JVNDB-2016-002348, date: 2016-04-28T00:00:00
db: CNNVD, id: CNNVD-201604-319, date: 2016-04-15T00:00:00
db: NVD, id: CVE-2016-2303, date: 2016-04-22T00:59:04.540