Sign-up

ID

VAR-201702-0416


CVE

CVE-2016-5782


TITLE

Sauter NovaWeb Web HMI Authentication Bypass Vulnerability

Trust: 0.8

sources: IVD: 3927ba3a-7291-4efe-8eb4-5c278de9fcfd // CNVD: CNVD-2016-12553

DESCRIPTION

An issue was discovered in Locus Energy LGate prior to 1.05H, LGate 50, LGate 100, LGate 101, LGate 120, and LGate 320. Locus Energy meters use a PHP script to manage the energy meter parameters for voltage monitoring and network configuration. The PHP code does not properly validate information that is sent in the POST request. Sauter is a leading provider of construction, room automation, energy management and equipment management. The Sauter NovaWeb Web HMI has a certification bypass vulnerability that an attacker can use to bypass security restrictions and perform unauthorized operations. An attacker may leverage this issue to inject and execute arbitrary commands. Sauter NovaWeb Web HMI is prone to an authentication-bypass vulnerability. Attackers can exploit this issue to gain unauthorized access and perform unauthorized actions. are the Web-based data acquisition systems of Locus Energy Corporation in the United States

Trust: 2.97

sources: NVD: CVE-2016-5782 // JVNDB: JVNDB-2016-007973 // CNVD: CNVD-2016-12553 // BID: 94698 // BID: 94782 // IVD: 3927ba3a-7291-4efe-8eb4-5c278de9fcfd // VULHUB: VHN-94601

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 3927ba3a-7291-4efe-8eb4-5c278de9fcfd // CNVD: CNVD-2016-12553

AFFECTED PRODUCTS

vendor:locusenergymodel:lgatescope:eqversion: -

Trust: 1.6

vendor:locus energymodel:lgate 100scope: - version: -

Trust: 0.8

vendor:locus energymodel:lgate 101scope: - version: -

Trust: 0.8

vendor:locus energymodel:lgate 120scope: - version: -

Trust: 0.8

vendor:locus energymodel:lgate 320scope: - version: -

Trust: 0.8

vendor:locus energymodel:lgate 50scope: - version: -

Trust: 0.8

vendor:locus energymodel:lgatescope:ltversion:1.05h

Trust: 0.8

vendor:sautermodel:novaweb web hmiscope: - version: -

Trust: 0.6

vendor:locusmodel:energy lgatescope:eqversion:500

Trust: 0.3

vendor:locusmodel:energy lgatescope:eqversion:3200

Trust: 0.3

vendor:locusmodel:energy lgatescope:eqversion:1200

Trust: 0.3

vendor:locusmodel:energy lgatescope:eqversion:1010

Trust: 0.3

vendor:locusmodel:energy lgatescope:eqversion:1000

Trust: 0.3

vendor:locusmodel:energy lgatescope:eqversion:0

Trust: 0.3

vendor:locusmodel:energy lgate 1.05hscope:neversion: -

Trust: 0.3

vendor:sautermodel:novaweb web hmiscope:eqversion:0

Trust: 0.3

vendor:sautermodel:novaweb web hmiscope:eqversion:*

Trust: 0.2

sources: IVD: 3927ba3a-7291-4efe-8eb4-5c278de9fcfd // CNVD: CNVD-2016-12553 // BID: 94698 // BID: 94782 // JVNDB: JVNDB-2016-007973 // CNNVD: CNNVD-201612-182 // NVD: CVE-2016-5782

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-5782
value: HIGH

Trust: 1.0

NVD: CVE-2016-5782
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-12553
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201612-182
value: HIGH

Trust: 0.6

IVD: 3927ba3a-7291-4efe-8eb4-5c278de9fcfd
value: HIGH

Trust: 0.2

VULHUB: VHN-94601
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-5782
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-12553
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 3927ba3a-7291-4efe-8eb4-5c278de9fcfd
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-94601
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-5782
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 4.7
version: 3.0

Trust: 1.8

sources: IVD: 3927ba3a-7291-4efe-8eb4-5c278de9fcfd // CNVD: CNVD-2016-12553 // VULHUB: VHN-94601 // JVNDB: JVNDB-2016-007973 // CNNVD: CNNVD-201612-182 // NVD: CVE-2016-5782

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-94601 // JVNDB: JVNDB-2016-007973 // NVD: CVE-2016-5782

THREAT TYPE

network

Trust: 0.6

sources: BID: 94698 // BID: 94782

TYPE

Input validation error

Trust: 1.1

sources: IVD: 3927ba3a-7291-4efe-8eb4-5c278de9fcfd // BID: 94698 // CNNVD: CNNVD-201612-182

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-007973

PATCH
title:Top Pageurl:http://locusenergy.com/
Trust: 0.8
title:Multiple Locus Energy LGate Product Command Injection Vulnerability Fixesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=66223
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2016-007973 // 
            
            
            
            CNNVD: CNNVD-201612-182

EXTERNAL IDS
db:NVDid:CVE-2016-5782
Trust: 3.3
db:BIDid:94782
Trust: 2.6
db:ICS CERTid:ICSA-16-231-01
Trust: 2.2
db:ICS CERTid:ICSA-16-343-02
Trust: 1.5
db:BIDid:94698
Trust: 1.4
db:CNNVDid:CNNVD-201612-182
Trust: 0.9
db:CNVDid:CNVD-2016-12553
Trust: 0.8
db:JVNDBid:JVNDB-2016-007973
Trust: 0.8
db:IVDid:3927BA3A-7291-4EFE-8EB4-5C278DE9FCFD
Trust: 0.2
db:VULHUBid:VHN-94601
Trust: 0.1
sources:
            
            
            IVD: 3927ba3a-7291-4efe-8eb4-5c278de9fcfd // 
            
            
            
            CNVD: CNVD-2016-12553 // 
            
            
            
            VULHUB: VHN-94601 // 
            
            
            
            BID: 94698 // 
            
            
            
            BID: 94782 // 
            
            
            
            JVNDB: JVNDB-2016-007973 // 
            
            
            
            CNNVD: CNNVD-201612-182 // 
            
            
            
            NVD: CVE-2016-5782

REFERENCES
url:http://www.securityfocus.com/bid/94782
Trust: 2.3
url:https://ics-cert.us-cert.gov/advisories/icsa-16-231-01-0
Trust: 2.2
url:https://ics-cert.us-cert.gov/advisories/icsa-16-343-02
Trust: 1.5
url:http://www.securityfocus.com/bid/94698
Trust: 1.1
url:http://www.sauter-controls.com/en.html
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5782
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2016-5782
Trust: 0.8
url:http://locusenergy.com/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2016-12553 // 
            
            
            
            VULHUB: VHN-94601 // 
            
            
            
            BID: 94698 // 
            
            
            
            BID: 94782 // 
            
            
            
            JVNDB: JVNDB-2016-007973 // 
            
            
            
            CNNVD: CNNVD-201612-182 // 
            
            
            
            NVD: CVE-2016-5782

CREDITS
Maxim Rupp,Daniel Reich
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201612-182

SOURCES
db:IVDid:3927ba3a-7291-4efe-8eb4-5c278de9fcfd
db:CNVDid:CNVD-2016-12553
db:VULHUBid:VHN-94601
db:BIDid:94698
db:BIDid:94782
db:JVNDBid:JVNDB-2016-007973
db:CNNVDid:CNNVD-201612-182
db:NVDid:CVE-2016-5782

LAST UPDATE DATE
2025-04-20T23:23:53.132000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2016-12553date:2016-12-19T00:00:00
db:VULHUBid:VHN-94601date:2017-03-14T00:00:00
db:BIDid:94698date:2016-12-20T01:08:00
db:BIDid:94782date:2019-04-12T21:00:00
db:JVNDBid:JVNDB-2016-007973date:2017-04-04T00:00:00
db:CNNVDid:CNNVD-201612-182date:2019-04-19T00:00:00
db:NVDid:CVE-2016-5782date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:IVDid:3927ba3a-7291-4efe-8eb4-5c278de9fcfddate:2016-12-19T00:00:00
db:CNVDid:CNVD-2016-12553date:2016-12-19T00:00:00
db:VULHUBid:VHN-94601date:2017-02-13T00:00:00
db:BIDid:94698date:2016-12-06T00:00:00
db:BIDid:94782date:2016-12-08T00:00:00
db:JVNDBid:JVNDB-2016-007973date:2017-04-04T00:00:00
db:CNNVDid:CNNVD-201612-182date:2016-12-08T00:00:00
db:NVDid:CVE-2016-5782date:2017-02-13T21:59:00.190