ID

VAR-201902-0160


CVE

CVE-2019-7387


TITLE

Path traversal vulnerability in multiple Systrome Cumilon ISG device products

Trust: 0.8

sources: JVNDB: JVNDB-2019-001967

DESCRIPTION

A local file inclusion vulnerability exists in the web interface of Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. When the export function is called from system/maintenance/export.php, it accepts the path provided by the user, leading to path traversal via the name parameter. Systrome Cumilon ISG-600C is an integrated security gateway device from the Indian company Systrome. An attacker could exploit this vulnerability to read arbitrary files. The following products and versions are affected: Systrome Cumilon ISG-600C with firmware version 1.1-R2.1_TRUNK-20180914; ISG-600H with firmware version 1.1-R2.1_TRUNK-20180914; ISG-800W

Trust: 1.71

sources: NVD: CVE-2019-7387 // JVNDB: JVNDB-2019-001967 // VULHUB: VHN-158822

AFFECTED PRODUCTS

vendor: systrome, model: isg-600c, scope: eq, version: 1.1-r2.1_trunk-20180914

Trust: 1.0

vendor: systrome, model: isg-600h, scope: eq, version: 1.1-r2.1_trunk-20180914

Trust: 1.0

vendor: systrome, model: isg-800w, scope: eq, version: 1.1-r2.1_trunk-20180914

Trust: 1.0

vendor: systrome, model: isg 600c, scope: eq, version: 1.1-r2.1_trunk-20180914

Trust: 0.8

vendor: systrome, model: isg 600h, scope: eq, version: 1.1-r2.1_trunk-20180914

Trust: 0.8

vendor: systrome, model: isg 800w, scope: eq, version: 1.1-r2.1_trunk-20180914

Trust: 0.8

sources: JVNDB: JVNDB-2019-001967 // NVD: CVE-2019-7387

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-7387
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-7387
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201902-049
value: MEDIUM

Trust: 0.6

VULHUB: VHN-158822
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-7387
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-158822
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-7387
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-158822 // JVNDB: JVNDB-2019-001967 // CNNVD: CNNVD-201902-049 // NVD: CVE-2019-7387

PROBLEMTYPE DATA

problemtype: CWE-22

Trust: 1.9

sources: VULHUB: VHN-158822 // JVNDB: JVNDB-2019-001967 // NVD: CVE-2019-7387

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-049

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201902-049

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001967

PATCH

title: Top Page, url: http://systrome.com/

Trust: 0.8

sources: JVNDB: JVNDB-2019-001967

EXTERNAL IDS

db: NVD, id: CVE-2019-7387

Trust: 2.5

db: JVNDB, id: JVNDB-2019-001967

Trust: 0.8

db: CNNVD, id: CNNVD-201902-049

Trust: 0.7

db: VULHUB, id: VHN-158822

Trust: 0.1

sources: VULHUB: VHN-158822 // JVNDB: JVNDB-2019-001967 // CNNVD: CNNVD-201902-049 // NVD: CVE-2019-7387

REFERENCES

url: https://s3curityb3ast.github.io/ksa-dev-004.md

Trust: 1.7

url: https://www.breakthesec.com/2019/02/cve-2019-7387-authenticated-arbitrary.html

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2019-7387

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-7387

Trust: 0.8

url: https://s3curityb3ast.github.io/ksa-dev-004.txt

Trust: 0.6

url: https://github.com/s3curityb3ast/s3curityb3ast.github.io/blob/master/ksa-dev-004.txt

Trust: 0.6

sources: VULHUB: VHN-158822 // JVNDB: JVNDB-2019-001967 // CNNVD: CNNVD-201902-049 // NVD: CVE-2019-7387

SOURCES

db: VULHUB, id: VHN-158822
db: JVNDB, id: JVNDB-2019-001967
db: CNNVD, id: CNNVD-201902-049
db: NVD, id: CVE-2019-7387

LAST UPDATE DATE

2024-11-23T22:51:52.208000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-158822, date: 2019-05-08T00:00:00
db: JVNDB, id: JVNDB-2019-001967, date: 2019-03-29T00:00:00
db: CNNVD, id: CNNVD-201902-049, date: 2019-05-09T00:00:00
db: NVD, id: CVE-2019-7387, date: 2024-11-21T04:48:07.400

SOURCES RELEASE DATE

db: VULHUB, id: VHN-158822, date: 2019-02-04T00:00:00
db: JVNDB, id: JVNDB-2019-001967, date: 2019-03-29T00:00:00
db: CNNVD, id: CNNVD-201902-049, date: 2019-02-04T00:00:00
db: NVD, id: CVE-2019-7387, date: 2019-02-04T22:29:00.393