ID

VAR-201710-0795


CVE

CVE-2017-13998


TITLE

LOYTEC LVIS-3ME Vulnerabilities related to certificate and password management

Trust: 0.8

sources: JVNDB: JVNDB-2017-008627

DESCRIPTION

An Insufficiently Protected Credentials issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not sufficiently protect sensitive information from unauthorized access.

LOYTEC LVIS-3ME contains vulnerabilities related to certificate and password management. Information may be obtained or altered, and service operation may be disrupted (DoS).

LOYTEC LVIS-3ME is prone to the following security vulnerabilities:
1. A directory-traversal vulnerability
2. An insufficient-entropy vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability

An attacker may leverage these issues to execute script code in the browser of an unsuspecting user in the context of the affected site, disclose sensitive information, execute arbitrary code within the context of the affected system, or use specially crafted requests with directory-traversal sequences ('../') to read arbitrary files in the context of the application.

LOYTEC LVIS-3ME is an HMI touch panel produced by LOYTEC in Germany.

Trust: 1.98

sources: NVD: CVE-2017-13998 // JVNDB: JVNDB-2017-008627 // BID: 100847 // VULHUB: VHN-104676

AFFECTED PRODUCTS

vendor: loytec, model: lvis-3me, scope: lte, version: 6.1.1

Trust: 1.0

vendor: loytec, model: lvis-3me, scope: lt, version: 6.2.0

Trust: 0.8

vendor: loytec, model: lvis-3me, scope: eq, version: 6.1.1

Trust: 0.6

vendor: loytec, model: lvis-3me, scope: eq, version: 0

Trust: 0.3

vendor: loytec, model: lvis-3me, scope: ne, version: 6.2

Trust: 0.3

sources: BID: 100847 // JVNDB: JVNDB-2017-008627 // CNNVD: CNNVD-201709-871 // NVD: CVE-2017-13998

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-13998
value: HIGH

Trust: 1.0

NVD: CVE-2017-13998
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201709-871
value: HIGH

Trust: 0.6

VULHUB: VHN-104676
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-13998
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-104676
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-13998
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-104676 // JVNDB: JVNDB-2017-008627 // CNNVD: CNNVD-201709-871 // NVD: CVE-2017-13998

PROBLEMTYPE DATA

problemtype: CWE-522

Trust: 1.1

problemtype: CWE-255

Trust: 0.9

sources: VULHUB: VHN-104676 // JVNDB: JVNDB-2017-008627 // NVD: CVE-2017-13998

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-871

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201709-871

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-008627

PATCH

title: Top Page, url: https://www.loytec.com/jp/

Trust: 0.8

title: LOYTEC LVIS-3ME Repair measures for information disclosure vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74976

Trust: 0.6

sources: JVNDB: JVNDB-2017-008627 // CNNVD: CNNVD-201709-871

EXTERNAL IDS

db: NVD, id: CVE-2017-13998

Trust: 2.8

db: ICS CERT, id: ICSA-17-257-01

Trust: 2.8

db: BID, id: 100847

Trust: 2.0

db: JVNDB, id: JVNDB-2017-008627

Trust: 0.8

db: CNNVD, id: CNNVD-201709-871

Trust: 0.7

db: VULHUB, id: VHN-104676

Trust: 0.1

sources: VULHUB: VHN-104676 // BID: 100847 // JVNDB: JVNDB-2017-008627 // CNNVD: CNNVD-201709-871 // NVD: CVE-2017-13998

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-17-257-01

Trust: 2.8

url: http://www.securityfocus.com/bid/100847

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-13998

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-13998

Trust: 0.8

url: https://www.loytec.com/

Trust: 0.3

sources: VULHUB: VHN-104676 // BID: 100847 // JVNDB: JVNDB-2017-008627 // CNNVD: CNNVD-201709-871 // NVD: CVE-2017-13998

CREDITS

Davy Douhine of RandoriSec

Trust: 0.9

sources: BID: 100847 // CNNVD: CNNVD-201709-871

SOURCES

db: VULHUB, id: VHN-104676
db: BID, id: 100847
db: JVNDB, id: JVNDB-2017-008627
db: CNNVD, id: CNNVD-201709-871
db: NVD, id: CVE-2017-13998

LAST UPDATE DATE

2025-04-20T23:22:09.994000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-104676, date: 2019-10-09T00:00:00
db: BID, id: 100847, date: 2017-09-14T00:00:00
db: JVNDB, id: JVNDB-2017-008627, date: 2017-10-25T00:00:00
db: CNNVD, id: CNNVD-201709-871, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-13998, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB, id: VHN-104676, date: 2017-10-05T00:00:00
db: BID, id: 100847, date: 2017-09-14T00:00:00
db: JVNDB, id: JVNDB-2017-008627, date: 2017-10-25T00:00:00
db: CNNVD, id: CNNVD-201709-871, date: 2017-09-21T00:00:00
db: NVD, id: CVE-2017-13998, date: 2017-10-05T21:29:00.397