Details of VAR-201607-0380

ID

VAR-201607-0380

CVE

CVE-2016-4507

TITLE

Bosch Rexroth BLADEcontrol-WebVIS In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2016-003493

DESCRIPTION

SQL injection vulnerability in Rexroth Bosch BLADEcontrol-WebVIS 3.0.2 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Rexroth Bosch BLADEcontrol is a web-based HMI system. Rexroth Bosch BLADEcontrol-WebVIS is prone to SQL-injection and cross-site scripting vulnerabilities. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Rexroth Bosch BLADEcontrol-WebVIS version 3.0.2 and earlier are vulnerable

Trust: 2.61

sources: NVD: CVE-2016-4507 // JVNDB: JVNDB-2016-003493 // CNVD: CNVD-2016-04594 // BID: 91572 // IVD: b66fed74-e827-4d0e-92fd-d480e595c9f6

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: b66fed74-e827-4d0e-92fd-d480e595c9f6 // CNVD: CNVD-2016-04594

AFFECTED PRODUCTS

vendor:	bosch	model:	bladecontrol-webvis	scope:	lte	version:	3.0.2	Trust: 1.0
vendor:	bosch rexroth	model:	bladecontrol-webvis	scope:	lte	version:	3.0.2	Trust: 0.8
vendor:	rexroth	model:	bosch bladecontrol	scope:	lte	version:	<=3.0.2	Trust: 0.6
vendor:	rexroth	model:	bladecontrol-webvis	scope:	eq	version:	3.0.2	Trust: 0.6
vendor:	rexroth	model:	bosch bladecontrol-webvis	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	bladecontrol webvis	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: b66fed74-e827-4d0e-92fd-d480e595c9f6 // CNVD: CNVD-2016-04594 // BID: 91572 // JVNDB: JVNDB-2016-003493 // CNNVD: CNNVD-201607-024 // NVD: CVE-2016-4507

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-4507
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-4507
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2016-04594
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201607-024
value:	MEDIUM
Trust: 0.6
IVD:	b66fed74-e827-4d0e-92fd-d480e595c9f6
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2016-4507
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2016-04594
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	b66fed74-e827-4d0e-92fd-d480e595c9f6
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2016-4507
baseSeverity:	MEDIUM
baseScore:	6.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.1
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2016-4507
baseSeverity:	MEDIUM
baseScore:	6.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: b66fed74-e827-4d0e-92fd-d480e595c9f6 // CNVD: CNVD-2016-04594 // JVNDB: JVNDB-2016-003493 // CNNVD: CNNVD-201607-024 // NVD: CVE-2016-4507

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2016-003493 // NVD: CVE-2016-4507

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201607-024

TYPE

SQL injection

Trust: 0.8

sources: IVD: b66fed74-e827-4d0e-92fd-d480e595c9f6 // CNNVD: CNNVD-201607-024

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-003493

PATCH

title:	Top Page	url:	https://www.boschrexroth.com/	Trust: 0.8
title:	Rexroth Bosch BLADEcontrol-WebVIS SQL Injection Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/78679	Trust: 0.6
title:	Rexroth Bosch BLADEcontrol SQL Repair measures for injecting vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=62617	Trust: 0.6

sources: CNVD: CNVD-2016-04594 // JVNDB: JVNDB-2016-003493 // CNNVD: CNNVD-201607-024

EXTERNAL IDS

db:	NVD	id:	CVE-2016-4507	Trust: 3.5
db:	ICS CERT	id:	ICSA-16-187-01	Trust: 3.3
db:	CNVD	id:	CNVD-2016-04594	Trust: 0.8
db:	CNNVD	id:	CNNVD-201607-024	Trust: 0.8
db:	JVNDB	id:	JVNDB-2016-003493	Trust: 0.8
db:	BID	id:	91572	Trust: 0.3
db:	IVD	id:	B66FED74-E827-4D0E-92FD-D480E595C9F6	Trust: 0.2

sources: IVD: b66fed74-e827-4d0e-92fd-d480e595c9f6 // CNVD: CNVD-2016-04594 // BID: 91572 // JVNDB: JVNDB-2016-003493 // CNNVD: CNNVD-201607-024 // NVD: CVE-2016-4507

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-16-187-01	Trust: 3.3
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-4507	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-4507	Trust: 0.8
url:	https://www.boschrexroth.com/en/xc/home/index	Trust: 0.3

sources: CNVD: CNVD-2016-04594 // BID: 91572 // JVNDB: JVNDB-2016-003493 // CNNVD: CNNVD-201607-024 // NVD: CVE-2016-4507

CREDITS

Maxim Rupp

Trust: 0.9

sources: BID: 91572 // CNNVD: CNNVD-201607-024

SOURCES

db:	IVD	id:	b66fed74-e827-4d0e-92fd-d480e595c9f6
db:	CNVD	id:	CNVD-2016-04594
db:	BID	id:	91572
db:	JVNDB	id:	JVNDB-2016-003493
db:	CNNVD	id:	CNNVD-201607-024
db:	NVD	id:	CVE-2016-4507

LAST UPDATE DATE

2025-04-12T23:04:13.472000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-04594	date:	2016-07-07T00:00:00
db:	BID	id:	91572	date:	2016-07-05T00:00:00
db:	JVNDB	id:	JVNDB-2016-003493	date:	2016-07-12T00:00:00
db:	CNNVD	id:	CNNVD-201607-024	date:	2022-10-08T00:00:00
db:	NVD	id:	CVE-2016-4507	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	IVD	id:	b66fed74-e827-4d0e-92fd-d480e595c9f6	date:	2016-07-07T00:00:00
db:	CNVD	id:	CNVD-2016-04594	date:	2016-07-07T00:00:00
db:	BID	id:	91572	date:	2016-07-05T00:00:00
db:	JVNDB	id:	JVNDB-2016-003493	date:	2016-07-12T00:00:00
db:	CNNVD	id:	CNNVD-201607-024	date:	2016-07-06T00:00:00
db:	NVD	id:	CVE-2016-4507	date:	2016-07-06T14:59:02.503