ID

VAR-201702-0296


CVE

CVE-2016-8347


TITLE

Vulnerability in the Kabona AB WebDatorCentral application that allows brute force attacks

Trust: 0.8

sources: JVNDB: JVNDB-2016-007829

DESCRIPTION

An issue was discovered in the Kabona AB WebDatorCentral (WDC) application prior to Version 3.4.0. WDC does not limit authentication attempts, which may allow a brute force attack. Kabona AB WDC is a web-based SCADA system from Kabona AB, Sweden. Kabona AB WDC is prone to multiple security vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which may allow the attacker to steal cookie-based authentication credentials and launch other attacks; to redirect a victim to an attacker-controlled site by constructing a crafted URI and enticing the user to follow it; and to bypass the authentication mechanism.

Trust: 2.61

sources: NVD: CVE-2016-8347 // JVNDB: JVNDB-2016-007829 // CNVD: CNVD-2016-09846 // BID: 93547 // IVD: d8d77204-4f3b-4a4d-8f8f-cecd7e82ec8b

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: d8d77204-4f3b-4a4d-8f8f-cecd7e82ec8b // CNVD: CNVD-2016-09846

AFFECTED PRODUCTS

vendor: kabona ab, model: webdatorcentral, scope: eq, version: -

Trust: 1.6

vendor: kabona ab, model: webdatorcentral, scope: lt, version: 3.4.0

Trust: 0.8

vendor: kabona, model: ab wdc, scope: lt, version: 3.4.0

Trust: 0.6

vendor: kabona, model: ab wdc, scope: eq, version: 0

Trust: 0.3

vendor: kabona, model: ab wdc, scope: ne, version: 3.4

Trust: 0.3

vendor: webdatorcentral, model: -, scope: eq, version: -

Trust: 0.2

sources: IVD: d8d77204-4f3b-4a4d-8f8f-cecd7e82ec8b // CNVD: CNVD-2016-09846 // BID: 93547 // JVNDB: JVNDB-2016-007829 // CNNVD: CNNVD-201610-460 // NVD: CVE-2016-8347

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-8347
value: CRITICAL

Trust: 1.0

NVD: CVE-2016-8347
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2016-09846
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201610-460
value: MEDIUM

Trust: 0.6

IVD: d8d77204-4f3b-4a4d-8f8f-cecd7e82ec8b
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2016-8347
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-09846
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: d8d77204-4f3b-4a4d-8f8f-cecd7e82ec8b
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2016-8347
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: d8d77204-4f3b-4a4d-8f8f-cecd7e82ec8b // CNVD: CNVD-2016-09846 // JVNDB: JVNDB-2016-007829 // CNNVD: CNNVD-201610-460 // NVD: CVE-2016-8347

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.8

sources: JVNDB: JVNDB-2016-007829 // NVD: CVE-2016-8347

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-460

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201610-460

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007829

PATCH

title: WebDatorCentral (WDC), url: http://www.kabona.com/building-automation/wdc/

Trust: 0.8

title: Kabona AB WDC brute force vulnerability patch, url: https://www.cnvd.org.cn/patchInfo/show/82887

Trust: 0.6

title: Kabona AB WDC Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=64831

Trust: 0.6

sources: CNVD: CNVD-2016-09846 // JVNDB: JVNDB-2016-007829 // CNNVD: CNNVD-201610-460

EXTERNAL IDS

db: NVD, id: CVE-2016-8347

Trust: 3.5

db: ICS CERT, id: ICSA-16-287-07

Trust: 2.7

db: BID, id: 93547

Trust: 2.5

db: CNVD, id: CNVD-2016-09846

Trust: 0.8

db: CNNVD, id: CNNVD-201610-460

Trust: 0.8

db: JVNDB, id: JVNDB-2016-007829

Trust: 0.8

db: IVD, id: D8D77204-4F3B-4A4D-8F8F-CECD7E82EC8B

Trust: 0.2

sources: IVD: d8d77204-4f3b-4a4d-8f8f-cecd7e82ec8b // CNVD: CNVD-2016-09846 // BID: 93547 // JVNDB: JVNDB-2016-007829 // CNNVD: CNNVD-201610-460 // NVD: CVE-2016-8347

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-16-287-07

Trust: 2.7

url: http://www.securityfocus.com/bid/93547

Trust: 2.2

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8347

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-8347

Trust: 0.8

url: http://www.kabona.com/building-automation/wdc/

Trust: 0.3

sources: CNVD: CNVD-2016-09846 // BID: 93547 // JVNDB: JVNDB-2016-007829 // CNNVD: CNNVD-201610-460 // NVD: CVE-2016-8347

CREDITS

Martin Jartelius and John Stock of Outpost 24.

Trust: 0.9

sources: BID: 93547 // CNNVD: CNNVD-201610-460

SOURCES

db: IVD, id: d8d77204-4f3b-4a4d-8f8f-cecd7e82ec8b
db: CNVD, id: CNVD-2016-09846
db: BID, id: 93547
db: JVNDB, id: JVNDB-2016-007829
db: CNNVD, id: CNNVD-201610-460
db: NVD, id: CVE-2016-8347

LAST UPDATE DATE

2025-04-20T23:13:22.844000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2016-09846, date: 2016-10-24T00:00:00
db: BID, id: 93547, date: 2016-10-26T09:08:00
db: JVNDB, id: JVNDB-2016-007829, date: 2017-03-23T00:00:00
db: CNNVD, id: CNNVD-201610-460, date: 2016-10-18T00:00:00
db: NVD, id: CVE-2016-8347, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: IVD, id: d8d77204-4f3b-4a4d-8f8f-cecd7e82ec8b, date: 2016-10-24T00:00:00
db: CNVD, id: CNVD-2016-09846, date: 2016-10-24T00:00:00
db: BID, id: 93547, date: 2016-10-13T00:00:00
db: JVNDB, id: JVNDB-2016-007829, date: 2017-03-23T00:00:00
db: CNNVD, id: CNNVD-201610-460, date: 2016-10-18T00:00:00
db: NVD, id: CVE-2016-8347, date: 2017-02-13T21:59:00.673