ID

VAR-201710-0800


CVE

CVE-2017-14007


TITLE

Session expiration vulnerability in the web interface of the ProMinent MultiFLEX M10a Controller

Trust: 0.8

sources: JVNDB: JVNDB-2017-009516

DESCRIPTION

An Insufficient Session Expiration issue was discovered in the ProMinent MultiFLEX M10a Controller web interface. The user's session remains available for an extended period beyond the last activity, allowing an attacker to reuse an old session for authorization. The MultiFLEX M10a Controller is a water treatment controller.

MultiFLEX M10a Controller is prone to the following multiple security vulnerabilities:

1. Multiple security-bypass vulnerabilities
2. An information-disclosure vulnerability
3. A cross-site request-forgery vulnerability

Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device and obtain sensitive information; other attacks are also possible. The web interface is one of the web management interfaces.

Trust: 2.79

sources: NVD: CVE-2017-14007 // JVNDB: JVNDB-2017-009516 // CNVD: CNVD-2017-30001 // BID: 101259 // IVD: c30a1374-64fc-4167-a144-913e662fe05a // VULHUB: VHN-104686 // VULMON: CVE-2017-14007

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: c30a1374-64fc-4167-a144-913e662fe05a // CNVD: CNVD-2017-30001

AFFECTED PRODUCTS

vendor: prominent, model: multiflex m10a controller, scope: -, version: -

Trust: 2.0

vendor: prominent, model: multiflex m10a controller, scope: eq, version: *

Trust: 1.0

vendor: prominent, model: multiflex m10a controller, scope: eq, version: 0

Trust: 0.3

vendor: multiflex m10a controller, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: c30a1374-64fc-4167-a144-913e662fe05a // CNVD: CNVD-2017-30001 // BID: 101259 // JVNDB: JVNDB-2017-009516 // CNNVD: CNNVD-201710-582 // NVD: CVE-2017-14007

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-14007
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-14007
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-30001
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201710-582
value: MEDIUM

Trust: 0.6

IVD: c30a1374-64fc-4167-a144-913e662fe05a
value: MEDIUM

Trust: 0.2

VULHUB: VHN-104686
value: MEDIUM

Trust: 0.1

VULMON: CVE-2017-14007
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-14007
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2017-30001
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: c30a1374-64fc-4167-a144-913e662fe05a
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-104686
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-14007
baseSeverity: MEDIUM
baseScore: 5.6
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.2
impactScore: 3.4
version: 3.0

Trust: 1.8

sources: IVD: c30a1374-64fc-4167-a144-913e662fe05a // CNVD: CNVD-2017-30001 // VULHUB: VHN-104686 // VULMON: CVE-2017-14007 // JVNDB: JVNDB-2017-009516 // CNNVD: CNNVD-201710-582 // NVD: CVE-2017-14007

PROBLEMTYPE DATA

problemtype:CWE-613

Trust: 1.9

sources: VULHUB: VHN-104686 // JVNDB: JVNDB-2017-009516 // NVD: CVE-2017-14007

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-582

TYPE

Code problem

Trust: 0.8

sources: IVD: c30a1374-64fc-4167-a144-913e662fe05a // CNNVD: CNNVD-201710-582

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-009516

PATCH

title: Top Page, url: https://www.prominent.com/en/

Trust: 0.8

sources: JVNDB: JVNDB-2017-009516

EXTERNAL IDS

db: NVD, id: CVE-2017-14007

Trust: 3.7

db: ICS CERT, id: ICSA-17-285-01

Trust: 3.5

db: BID, id: 101259

Trust: 2.1

db: CNNVD, id: CNNVD-201710-582

Trust: 0.9

db: CNVD, id: CNVD-2017-30001

Trust: 0.8

db: JVNDB, id: JVNDB-2017-009516

Trust: 0.8

db: IVD, id: C30A1374-64FC-4167-A144-913E662FE05A

Trust: 0.2

db: VULHUB, id: VHN-104686

Trust: 0.1

db: VULMON, id: CVE-2017-14007

Trust: 0.1

sources: IVD: c30a1374-64fc-4167-a144-913e662fe05a // CNVD: CNVD-2017-30001 // VULHUB: VHN-104686 // VULMON: CVE-2017-14007 // BID: 101259 // JVNDB: JVNDB-2017-009516 // CNNVD: CNNVD-201710-582 // NVD: CVE-2017-14007

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-17-285-01

Trust: 3.5

url:http://www.securityfocus.com/bid/101259

Trust: 1.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14007

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-14007

Trust: 0.8

url:https://www.prominent.us/

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/613.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2017-30001 // VULHUB: VHN-104686 // VULMON: CVE-2017-14007 // BID: 101259 // JVNDB: JVNDB-2017-009516 // CNNVD: CNNVD-201710-582 // NVD: CVE-2017-14007

CREDITS

Maxim Rupp

Trust: 0.3

sources: BID: 101259

SOURCES

db: IVD, id: c30a1374-64fc-4167-a144-913e662fe05a
db: CNVD, id: CNVD-2017-30001
db: VULHUB, id: VHN-104686
db: VULMON, id: CVE-2017-14007
db: BID, id: 101259
db: JVNDB, id: JVNDB-2017-009516
db: CNNVD, id: CNNVD-201710-582
db: NVD, id: CVE-2017-14007

LAST UPDATE DATE

2025-04-20T23:15:53.194000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-30001, date: 2017-10-13T00:00:00
db: VULHUB, id: VHN-104686, date: 2019-10-09T00:00:00
db: VULMON, id: CVE-2017-14007, date: 2019-09-10T00:00:00
db: BID, id: 101259, date: 2017-10-13T00:00:00
db: JVNDB, id: JVNDB-2017-009516, date: 2017-11-15T00:00:00
db: CNNVD, id: CNNVD-201710-582, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-14007, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: IVD, id: c30a1374-64fc-4167-a144-913e662fe05a, date: 2017-10-13T00:00:00
db: CNVD, id: CNVD-2017-30001, date: 2017-10-13T00:00:00
db: VULHUB, id: VHN-104686, date: 2017-10-17T00:00:00
db: VULMON, id: CVE-2017-14007, date: 2017-10-17T00:00:00
db: BID, id: 101259, date: 2017-10-13T00:00:00
db: JVNDB, id: JVNDB-2017-009516, date: 2017-11-15T00:00:00
db: CNNVD, id: CNNVD-201710-582, date: 2017-10-27T00:00:00
db: NVD, id: CVE-2017-14007, date: 2017-10-17T22:29:00.293