ID

VAR-201703-0231


CVE

CVE-2016-4504


TITLE

Cross-site request forgery vulnerability in multiple Meteocontrol WEB'log products

Trust: 0.8

sources: JVNDB: JVNDB-2016-008063

DESCRIPTION

A Cross-Site Request Forgery issue was discovered in Meteocontrol WEB'log Basic 100 all versions, Light all versions, Pro all versions, and Pro Unlimited all versions. There is no CSRF Token generated per page or per function. Multiple Meteocontrol WEB'log products contain a cross-site request forgery vulnerability. Attacks may be carried out in which information is obtained, information is altered, and service operation is disrupted (DoS). Meteocontrol WEB'log is a SCADA system from Meteocontrol, Germany, that provides web-based energy and power configuration management functions for different connected (energy/industrial) equipment. A cross-site request forgery vulnerability exists in several Meteocontrol WEB'log products. A remote attacker could exploit this vulnerability to perform unauthorized operations.

Trust: 2.34

sources: NVD: CVE-2016-4504 // JVNDB: JVNDB-2016-008063 // CNVD: CNVD-2016-03358 // IVD: 57149dcc-2351-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 57149dcc-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-03358

AFFECTED PRODUCTS

vendor: meteocontrol, model: weblog, scope: eq, version: -

Trust: 1.6

vendor: weblog, model: -, scope: eq, version: -

Trust: 0.8

vendor: meteocontrol, model: web'log basic 100, scope: -, version: -

Trust: 0.8

vendor: meteocontrol, model: web'log light, scope: -, version: -

Trust: 0.8

vendor: meteocontrol, model: web'log pro, scope: -, version: -

Trust: 0.8

vendor: meteocontrol, model: web'log pro unlimited, scope: -, version: -

Trust: 0.8

vendor: meteocontrol, model: web'log, scope: -, version: -

Trust: 0.6

sources: IVD: 57149dcc-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-03358 // JVNDB: JVNDB-2016-008063 // CNNVD: CNNVD-201605-429 // NVD: CVE-2016-4504

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-4504
value: HIGH

Trust: 1.0

NVD: CVE-2016-4504
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-03358
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201605-429
value: MEDIUM

Trust: 0.6

IVD: 57149dcc-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2016-4504
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-03358
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 57149dcc-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2016-4504
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: 57149dcc-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-03358 // JVNDB: JVNDB-2016-008063 // CNNVD: CNNVD-201605-429 // NVD: CVE-2016-4504

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2016-008063 // NVD: CVE-2016-4504

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201605-429

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201605-429

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-008063

PATCH

title: WEB'LOG, url: https://www.meteocontrol.com/en/industrial-line/data-logger-weblogs/weblog/

Trust: 0.8

title: Patches for cross-site request forgery vulnerabilities in multiple Meteocontrol WEB'log products, url: https://www.cnvd.org.cn/patchInfo/show/76083

Trust: 0.6

title: Repair measures for cross-site request forgery vulnerability in multiple Meteocontrol WEB'log products, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=61744

Trust: 0.6

sources: CNVD: CNVD-2016-03358 // JVNDB: JVNDB-2016-008063 // CNNVD: CNNVD-201605-429

EXTERNAL IDS

db: NVD, id: CVE-2016-4504

Trust: 3.2

db: ICS CERT, id: ICSA-16-133-01

Trust: 3.0

db: CNVD, id: CNVD-2016-03358

Trust: 0.8

db: CNNVD, id: CNNVD-201605-429

Trust: 0.8

db: JVNDB, id: JVNDB-2016-008063

Trust: 0.8

db: IVD, id: 57149DCC-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: 57149dcc-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-03358 // JVNDB: JVNDB-2016-008063 // CNNVD: CNNVD-201605-429 // NVD: CVE-2016-4504

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-16-133-01

Trust: 3.0

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-4504

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2016-4504

Trust: 0.8

sources: CNVD: CNVD-2016-03358 // JVNDB: JVNDB-2016-008063 // CNNVD: CNNVD-201605-429 // NVD: CVE-2016-4504

CREDITS

Karn Ganeshen

Trust: 0.6

sources: CNNVD: CNNVD-201605-429

SOURCES

db: IVD, id: 57149dcc-2351-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2016-03358
db: JVNDB, id: JVNDB-2016-008063
db: CNNVD, id: CNNVD-201605-429
db: NVD, id: CVE-2016-4504

LAST UPDATE DATE

2025-04-20T23:13:26.276000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2016-03358, date: 2016-05-20T00:00:00
db: JVNDB, id: JVNDB-2016-008063, date: 2017-04-20T00:00:00
db: CNNVD, id: CNNVD-201605-429, date: 2017-03-22T00:00:00
db: NVD, id: CVE-2016-4504, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: IVD, id: 57149dcc-2351-11e6-abef-000c29c66e3d, date: 2016-05-20T00:00:00
db: CNVD, id: CNVD-2016-03358, date: 2016-05-19T00:00:00
db: JVNDB, id: JVNDB-2016-008063, date: 2017-04-20T00:00:00
db: CNNVD, id: CNNVD-201605-429, date: 2016-05-18T00:00:00
db: NVD, id: CVE-2016-4504, date: 2017-03-21T16:59:00.163