ID

VAR-201710-0801


CVE

CVE-2017-14009


TITLE

Information disclosure vulnerability in the web interface of the ProMinent MultiFLEX M10a Controller

Trust: 0.8

sources: JVNDB: JVNDB-2017-009517

DESCRIPTION

An Information Exposure issue was discovered in the ProMinent MultiFLEX M10a Controller web interface. When an authenticated user uses the Change Password feature on the application, the current password for the user is specified in plaintext. This may allow an attacker who has been authenticated to gain access to the password. The MultiFLEX M10a Controller is a water treatment controller. MultiFLEX M10a Controller is prone to the following multiple security vulnerabilities:

1. Multiple security-bypass vulnerabilities
2. An information-disclosure vulnerability
3. A cross-site request-forgery vulnerability

Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device and obtain sensitive information; other attacks are also possible. The web interface is one of the web management interfaces.

Trust: 2.7

sources: NVD: CVE-2017-14009 // JVNDB: JVNDB-2017-009517 // CNVD: CNVD-2017-29999 // BID: 101259 // IVD: 50a176c5-9317-422e-a80b-a25d14998322 // VULHUB: VHN-104688

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 50a176c5-9317-422e-a80b-a25d14998322 // CNVD: CNVD-2017-29999

AFFECTED PRODUCTS

vendor: prominent, model: multiflex m10a controller, scope: -, version: -

Trust: 2.0

vendor: prominent, model: multiflex m10a controller, scope: eq, version: *

Trust: 1.0

vendor: prominent, model: multiflex m10a controller, scope: eq, version: 0

Trust: 0.3

vendor: multiflex m10a controller, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 50a176c5-9317-422e-a80b-a25d14998322 // CNVD: CNVD-2017-29999 // BID: 101259 // JVNDB: JVNDB-2017-009517 // CNNVD: CNNVD-201710-581 // NVD: CVE-2017-14009

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-14009
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-14009
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-29999
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201710-581
value: MEDIUM

Trust: 0.6

IVD: 50a176c5-9317-422e-a80b-a25d14998322
value: MEDIUM

Trust: 0.2

VULHUB: VHN-104688
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-14009
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-29999
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 50a176c5-9317-422e-a80b-a25d14998322
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-104688
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-14009
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: IVD: 50a176c5-9317-422e-a80b-a25d14998322 // CNVD: CNVD-2017-29999 // VULHUB: VHN-104688 // JVNDB: JVNDB-2017-009517 // CNNVD: CNNVD-201710-581 // NVD: CVE-2017-14009

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

problemtype:CWE-319

Trust: 1.1

sources: VULHUB: VHN-104688 // JVNDB: JVNDB-2017-009517 // NVD: CVE-2017-14009

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-581

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201710-581

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-009517

PATCH

title: Top Page, url: https://www.prominent.com/en/

Trust: 0.8

sources: JVNDB: JVNDB-2017-009517

EXTERNAL IDS

db: NVD, id: CVE-2017-14009

Trust: 3.6

db: ICS CERT, id: ICSA-17-285-01

Trust: 3.4

db: BID, id: 101259

Trust: 2.0

db: CNNVD, id: CNNVD-201710-581

Trust: 0.9

db: CNVD, id: CNVD-2017-29999

Trust: 0.8

db: JVNDB, id: JVNDB-2017-009517

Trust: 0.8

db: IVD, id: 50A176C5-9317-422E-A80B-A25D14998322

Trust: 0.2

db: VULHUB, id: VHN-104688

Trust: 0.1

sources: IVD: 50a176c5-9317-422e-a80b-a25d14998322 // CNVD: CNVD-2017-29999 // VULHUB: VHN-104688 // BID: 101259 // JVNDB: JVNDB-2017-009517 // CNNVD: CNNVD-201710-581 // NVD: CVE-2017-14009

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-17-285-01

Trust: 3.4

url:http://www.securityfocus.com/bid/101259

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14009

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-14009

Trust: 0.8

url:https://www.prominent.us/

Trust: 0.3

sources: CNVD: CNVD-2017-29999 // VULHUB: VHN-104688 // BID: 101259 // JVNDB: JVNDB-2017-009517 // CNNVD: CNNVD-201710-581 // NVD: CVE-2017-14009

CREDITS

Maxim Rupp

Trust: 0.3

sources: BID: 101259

SOURCES

db: IVD, id: 50a176c5-9317-422e-a80b-a25d14998322
db: CNVD, id: CNVD-2017-29999
db: VULHUB, id: VHN-104688
db: BID, id: 101259
db: JVNDB, id: JVNDB-2017-009517
db: CNNVD, id: CNNVD-201710-581
db: NVD, id: CVE-2017-14009

LAST UPDATE DATE

2025-04-20T23:15:53.314000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-29999, date: 2017-10-13T00:00:00
db: VULHUB, id: VHN-104688, date: 2019-10-09T00:00:00
db: BID, id: 101259, date: 2017-10-13T00:00:00
db: JVNDB, id: JVNDB-2017-009517, date: 2017-11-15T00:00:00
db: CNNVD, id: CNNVD-201710-581, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-14009, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: IVD, id: 50a176c5-9317-422e-a80b-a25d14998322, date: 2017-10-13T00:00:00
db: CNVD, id: CNVD-2017-29999, date: 2017-10-13T00:00:00
db: VULHUB, id: VHN-104688, date: 2017-10-17T00:00:00
db: BID, id: 101259, date: 2017-10-13T00:00:00
db: JVNDB, id: JVNDB-2017-009517, date: 2017-11-15T00:00:00
db: CNNVD, id: CNNVD-201710-581, date: 2017-10-27T00:00:00
db: NVD, id: CVE-2017-14009, date: 2017-10-17T22:29:00.323