ID

VAR-201710-0803


CVE

CVE-2017-14013


TITLE

Vulnerabilities related to authorization, authority, and access control in the web interface of the ProMinent MultiFLEX M10a Controller

Trust: 0.8

sources: JVNDB: JVNDB-2017-009519

DESCRIPTION

A Client-Side Enforcement of Server-Side Security issue was discovered in the ProMinent MultiFLEX M10a Controller web interface. The log out function in the application removes the user's session only on the client side. This may allow an attacker to bypass protection mechanisms, gain privileges, or assume the identity of an authenticated user.

The web interface of the ProMinent MultiFLEX M10a Controller contains vulnerabilities related to authorization, authority, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS).

The MultiFLEX M10a Controller is a water treatment controller. It is prone to the following multiple security vulnerabilities:

1. Multiple security-bypass vulnerabilities
2. An information-disclosure vulnerability
3. A cross-site request-forgery vulnerability

Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, and obtain sensitive information; other attacks are also possible. Web interface is one of the web management interfaces.

Trust: 2.7

sources: NVD: CVE-2017-14013 // JVNDB: JVNDB-2017-009519 // CNVD: CNVD-2017-30002 // BID: 101259 // IVD: e8e83259-efec-400e-a94f-f37c692d2458 // VULHUB: VHN-104693

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: e8e83259-efec-400e-a94f-f37c692d2458 // CNVD: CNVD-2017-30002

AFFECTED PRODUCTS

vendor: prominent, model: multiflex m10a controller, scope: -, version: -

Trust: 2.0

vendor: prominent, model: multiflex m10a controller, scope: eq, version: *

Trust: 1.0

vendor: prominent, model: multiflex m10a controller, scope: eq, version: 0

Trust: 0.3

vendor: multiflex m10a controller, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: e8e83259-efec-400e-a94f-f37c692d2458 // CNVD: CNVD-2017-30002 // BID: 101259 // JVNDB: JVNDB-2017-009519 // CNNVD: CNNVD-201710-579 // NVD: CVE-2017-14013

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-14013
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-14013
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-30002
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201710-579
value: MEDIUM

Trust: 0.6

IVD: e8e83259-efec-400e-a94f-f37c692d2458
value: MEDIUM

Trust: 0.2

VULHUB: VHN-104693
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-14013
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-30002
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e8e83259-efec-400e-a94f-f37c692d2458
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-104693
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-14013
baseSeverity: MEDIUM
baseScore: 5.6
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.2
impactScore: 3.4
version: 3.0

Trust: 1.8

sources: IVD: e8e83259-efec-400e-a94f-f37c692d2458 // CNVD: CNVD-2017-30002 // VULHUB: VHN-104693 // JVNDB: JVNDB-2017-009519 // CNNVD: CNNVD-201710-579 // NVD: CVE-2017-14013

PROBLEMTYPE DATA

problemtype:CWE-669

Trust: 1.1

problemtype:CWE-602

Trust: 1.0

problemtype:CWE-264

Trust: 0.9

sources: VULHUB: VHN-104693 // JVNDB: JVNDB-2017-009519 // NVD: CVE-2017-14013

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-579

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201710-579

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-009519

PATCH

title: Top Page, url: https://www.prominent.com/en/

Trust: 0.8

sources: JVNDB: JVNDB-2017-009519

EXTERNAL IDS

db: NVD, id: CVE-2017-14013

Trust: 3.6

db: ICS CERT, id: ICSA-17-285-01

Trust: 3.4

db: BID, id: 101259

Trust: 2.0

db: CNNVD, id: CNNVD-201710-579

Trust: 0.9

db: CNVD, id: CNVD-2017-30002

Trust: 0.8

db: JVNDB, id: JVNDB-2017-009519

Trust: 0.8

db: IVD, id: E8E83259-EFEC-400E-A94F-F37C692D2458

Trust: 0.2

db: VULHUB, id: VHN-104693

Trust: 0.1

sources: IVD: e8e83259-efec-400e-a94f-f37c692d2458 // CNVD: CNVD-2017-30002 // VULHUB: VHN-104693 // BID: 101259 // JVNDB: JVNDB-2017-009519 // CNNVD: CNNVD-201710-579 // NVD: CVE-2017-14013

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-17-285-01

Trust: 3.4

url:http://www.securityfocus.com/bid/101259

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14013

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-14013

Trust: 0.8

url:https://www.prominent.us/

Trust: 0.3

sources: CNVD: CNVD-2017-30002 // VULHUB: VHN-104693 // BID: 101259 // JVNDB: JVNDB-2017-009519 // CNNVD: CNNVD-201710-579 // NVD: CVE-2017-14013

CREDITS

Maxim Rupp

Trust: 0.3

sources: BID: 101259

SOURCES

db: IVD, id: e8e83259-efec-400e-a94f-f37c692d2458
db: CNVD, id: CNVD-2017-30002
db: VULHUB, id: VHN-104693
db: BID, id: 101259
db: JVNDB, id: JVNDB-2017-009519
db: CNNVD, id: CNNVD-201710-579
db: NVD, id: CVE-2017-14013

LAST UPDATE DATE

2025-04-20T23:15:53.235000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-30002, date: 2017-10-13T00:00:00
db: VULHUB, id: VHN-104693, date: 2019-10-09T00:00:00
db: BID, id: 101259, date: 2017-10-13T00:00:00
db: JVNDB, id: JVNDB-2017-009519, date: 2017-11-15T00:00:00
db: CNNVD, id: CNNVD-201710-579, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-14013, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: IVD, id: e8e83259-efec-400e-a94f-f37c692d2458, date: 2017-10-13T00:00:00
db: CNVD, id: CNVD-2017-30002, date: 2017-10-13T00:00:00
db: VULHUB, id: VHN-104693, date: 2017-10-17T00:00:00
db: BID, id: 101259, date: 2017-10-13T00:00:00
db: JVNDB, id: JVNDB-2017-009519, date: 2017-11-15T00:00:00
db: CNNVD, id: CNNVD-201710-579, date: 2017-10-27T00:00:00
db: NVD, id: CVE-2017-14013, date: 2017-10-17T22:29:00.400