ID

VAR-201604-0078


CVE

CVE-2016-2272


TITLE

Eaton Lighting EG2 Web Control Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2016-001953

DESCRIPTION

Eaton Lighting EG2 Web Control 4.04P and earlier allows remote attackers to have an unspecified impact via a modified cookie. Supplementary information: the CWE vulnerability type has been identified as CWE-284: Improper Access Control (http://cwe.mitre.org/data/definitions/284.html). A cookie modified by a third party may have an unspecified impact. Eaton Lighting Systems EG2 Web Control is a controller product from Eaton Lighting Systems of the United States for connecting the Internet and Wi-Fi LAN to the iLumin network. There is an authentication bypass vulnerability in Eaton Lighting Systems EG2 Web Control 4.04P and earlier. A remote attacker could exploit this vulnerability to modify cookies in the browser. Attackers can exploit these issues to bypass security restrictions and gain access to potentially sensitive information. This may aid in other attacks. EG2 Web Control 4.04P and prior versions are vulnerable.

Trust: 2.43

sources: NVD: CVE-2016-2272 // JVNDB: JVNDB-2016-001953 // CNVD: CNVD-2016-02006 // BID: 85861

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-02006

AFFECTED PRODUCTS

vendor: eaton lighting, model: eg2 web control, scope: lte, version: 4.04p

Trust: 1.0

vendor: eaton, model: eg2 web control, scope: lte, version: 4.04p

Trust: 0.8

vendor: eaton, model: lighting systems eg2 web control >=4.04p, scope: -, version: -

Trust: 0.6

vendor: eaton lighting, model: eg2 web control, scope: eq, version: 4.04p

Trust: 0.6

sources: CNVD: CNVD-2016-02006 // JVNDB: JVNDB-2016-001953 // CNNVD: CNNVD-201604-031 // NVD: CVE-2016-2272

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-2272
value: HIGH

Trust: 1.0

NVD: CVE-2016-2272
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-02006
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201604-031
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2016-2272
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-02006
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2016-2272
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2016-02006 // JVNDB: JVNDB-2016-001953 // CNNVD: CNNVD-201604-031 // NVD: CVE-2016-2272

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2016-001953 // NVD: CVE-2016-2272

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201604-031

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201604-031

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001953

PATCH

title: Ethernet Gateway
url: http://www.ilight.co.uk/products-interfaces.html

Trust: 0.8

title: Patch for Eaton Lighting Systems EG2 Web Control Authentication Bypass Vulnerability (CNVD-2016-02006)
url: https://www.cnvd.org.cn/patchInfo/show/73686

Trust: 0.6

title: Eaton Lighting Systems EG2 Web Control Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60766

Trust: 0.6

sources: CNVD: CNVD-2016-02006 // JVNDB: JVNDB-2016-001953 // CNNVD: CNNVD-201604-031

EXTERNAL IDS

db: NVD, id: CVE-2016-2272

Trust: 3.3

db: ICS CERT, id: ICSA-16-061-03

Trust: 3.0

db: JVNDB, id: JVNDB-2016-001953

Trust: 0.8

db: CNVD, id: CNVD-2016-02006

Trust: 0.6

db: CNNVD, id: CNNVD-201604-031

Trust: 0.6

db: BID, id: 85861

Trust: 0.3

sources: CNVD: CNVD-2016-02006 // BID: 85861 // JVNDB: JVNDB-2016-001953 // CNNVD: CNNVD-201604-031 // NVD: CVE-2016-2272

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-16-061-03

Trust: 3.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2272

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2272

Trust: 0.8

sources: CNVD: CNVD-2016-02006 // JVNDB: JVNDB-2016-001953 // CNNVD: CNNVD-201604-031 // NVD: CVE-2016-2272

CREDITS

Maxim Rupp

Trust: 0.9

sources: BID: 85861 // CNNVD: CNNVD-201604-031

SOURCES

db: CNVD, id: CNVD-2016-02006
db: BID, id: 85861
db: JVNDB, id: JVNDB-2016-001953
db: CNNVD, id: CNNVD-201604-031
db: NVD, id: CVE-2016-2272

LAST UPDATE DATE

2025-04-12T23:15:36.041000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2016-02006, date: 2016-04-07T00:00:00
db: BID, id: 85861, date: 2016-04-06T00:00:00
db: JVNDB, id: JVNDB-2016-001953, date: 2016-04-08T00:00:00
db: CNNVD, id: CNNVD-201604-031, date: 2016-04-06T00:00:00
db: NVD, id: CVE-2016-2272, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2016-02006, date: 2016-04-07T00:00:00
db: BID, id: 85861, date: 2016-04-06T00:00:00
db: JVNDB, id: JVNDB-2016-001953, date: 2016-04-08T00:00:00
db: CNNVD, id: CNNVD-201604-031, date: 2016-04-06T00:00:00
db: NVD, id: CVE-2016-2272, date: 2016-04-06T23:59:14.927