Details of VAR-201709-1234

ID

VAR-201709-1234

CVE

CVE-2017-50137

TITLE

Moxa SoftCMS Live Viewer SQL Injection Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2017-24361

DESCRIPTION

MoxaSoftCMSLiveViewer is a video surveillance software designed for industrial automation systems. A SQL injection vulnerability exists in MoxaSoftCMSLiveViewer 1.6 and earlier. An attacker exploits a vulnerability to access SoftCMS without knowing the user's password. Moxa SoftCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Versions prior to Moxa SoftCMS 1.7 are vulnerable

Trust: 0.99

sources: CNVD: CNVD-2017-24361 // BID: 100557 // IVD: 4ab6ea79-025b-4a8d-88f1-c490b4bc05b7

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 4ab6ea79-025b-4a8d-88f1-c490b4bc05b7 // CNVD: CNVD-2017-24361

AFFECTED PRODUCTS

vendor:	moxa	model:	softcms live viewer	scope:	lte	version:	<=1.6	Trust: 0.8
vendor:	moxa	model:	softcms	scope:	eq	version:	1.6	Trust: 0.3
vendor:	moxa	model:	softcms	scope:	eq	version:	1.5	Trust: 0.3
vendor:	moxa	model:	softcms	scope:	eq	version:	1.4	Trust: 0.3
vendor:	moxa	model:	softcms	scope:	eq	version:	1.3	Trust: 0.3
vendor:	moxa	model:	softcms	scope:	eq	version:	1.2	Trust: 0.3
vendor:	moxa	model:	softcms	scope:	ne	version:	1.7	Trust: 0.3

sources: IVD: 4ab6ea79-025b-4a8d-88f1-c490b4bc05b7 // CNVD: CNVD-2017-24361 // BID: 100557

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD:	CNVD-2017-24361
value:	HIGH
Trust: 0.6
IVD:	4ab6ea79-025b-4a8d-88f1-c490b4bc05b7
value:	HIGH
Trust: 0.2

CNVD:	CNVD-2017-24361
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	4ab6ea79-025b-4a8d-88f1-c490b4bc05b7
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: 4ab6ea79-025b-4a8d-88f1-c490b4bc05b7 // CNVD: CNVD-2017-24361

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-077

TYPE

SQL injection

Trust: 0.8

sources: IVD: 4ab6ea79-025b-4a8d-88f1-c490b4bc05b7 // CNNVD: CNNVD-201709-077

PATCH

title:	MoxaSoftCMSLiveViewerSQL Injection Vulnerability Patch	url:	https://www.cnvd.org.cn/patchinfo/show/101383	Trust: 0.6
title:	Moxa SoftCMS SQL Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=74446	Trust: 0.6

sources: CNVD: CNVD-2017-24361 // CNNVD: CNNVD-201709-077

EXTERNAL IDS

db:	NVD	id:	CVE-2017-50137	Trust: 1.7
db:	ICS CERT	id:	ICSA-17-243-05	Trust: 0.9
db:	BID	id:	100557	Trust: 0.9
db:	CNVD	id:	CNVD-2017-24361	Trust: 0.8
db:	CNNVD	id:	CNNVD-201709-077	Trust: 0.8
db:	IVD	id:	4AB6EA79-025B-4A8D-88F1-C490B4BC05B7	Trust: 0.2

sources: IVD: 4ab6ea79-025b-4a8d-88f1-c490b4bc05b7 // CNVD: CNVD-2017-24361 // BID: 100557 // CNNVD: CNNVD-201709-077

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-243-05	Trust: 0.9
url:	http://www.securityfocus.com/bid/100557	Trust: 0.6
url:	http://www.moxa.com/product/softcms.htm	Trust: 0.3

sources: CNVD: CNVD-2017-24361 // BID: 100557 // CNNVD: CNNVD-201709-077

CREDITS

Ziqiang Gu from Huawei WeiRan Labs.

Trust: 0.9

sources: BID: 100557 // CNNVD: CNNVD-201709-077

SOURCES

db:	IVD	id:	4ab6ea79-025b-4a8d-88f1-c490b4bc05b7
db:	CNVD	id:	CNVD-2017-24361
db:	BID	id:	100557
db:	CNNVD	id:	CNNVD-201709-077

LAST UPDATE DATE

2022-05-04T09:11:15.549000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-24361	date:	2017-09-01T00:00:00
db:	BID	id:	100557	date:	2017-08-31T00:00:00
db:	CNNVD	id:	CNNVD-201709-077	date:	2017-09-05T00:00:00

SOURCES RELEASE DATE

db:	IVD	id:	4ab6ea79-025b-4a8d-88f1-c490b4bc05b7	date:	2017-09-01T00:00:00
db:	CNVD	id:	CNVD-2017-24361	date:	2017-09-01T00:00:00
db:	BID	id:	100557	date:	2017-08-31T00:00:00
db:	CNNVD	id:	CNNVD-201709-077	date:	2017-08-31T00:00:00