Sign-up

ID

VAR-201906-0900


CVE

CVE-2018-18879


TITLE

Columbia Weather Systems Weather MicroServer Code Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-07787 // CNNVD: CNNVD-201903-642

DESCRIPTION

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system as user input is not sanitized in networkdiags.php. Columbia Weather MicroServer The firmware contains a code injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ColumbiaWeatherSystemsWeatherMicroServer is a weather monitoring device from Columbia WeatherSystems, USA. A code injection vulnerability exists in ColumbiaWeatherSystemsWeatherMicroServerMS_2.6.9900 and earlier. A remote attacker could exploit the vulnerability to execute code. A directory traversal vulnerability 2. Multiple cross-site scripting vulnerabilities 3. An authentication bypass vulnerability 4. A denial-of-service vulnerability An attacker may leverage these issues to view arbitrary files within the context of the server, execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information or cause denial-of-service condition. This may aid in further attacks

Trust: 2.52

sources: NVD: CVE-2018-18879 // JVNDB: JVNDB-2018-015642 // CNVD: CNVD-2019-07787 // BID: 107495 // VULHUB: VHN-129482

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-07787

AFFECTED PRODUCTS

vendor:columbiaweathermodel:weather microserverscope:eqversion:ms_2.6.9900

Trust: 1.0

vendor:columbia weathermodel:microserverscope:eqversion:ms_2.6.9900

Trust: 0.8

vendor:columbiamodel:weather systems columbia weather systems weather microserver <=ms 2.6.9900scope: - version: -

Trust: 0.6

vendor:columbiamodel:weather systems weather microserver ms 2.6.9900scope: - version: -

Trust: 0.3

vendor:columbiamodel:weather systems weather microserver ms 2.7.9973scope:neversion: -

Trust: 0.3

sources: CNVD: CNVD-2019-07787 // BID: 107495 // JVNDB: JVNDB-2018-015642 // NVD: CVE-2018-18879

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-18879
value: HIGH

Trust: 1.0

NVD: CVE-2018-18879
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-07787
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201903-642
value: HIGH

Trust: 0.6

VULHUB: VHN-129482
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-18879
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-07787
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-129482
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-18879
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-07787 // VULHUB: VHN-129482 // JVNDB: JVNDB-2018-015642 // CNNVD: CNNVD-201903-642 // NVD: CVE-2018-18879

PROBLEMTYPE DATA

problemtype:CWE-94

Trust: 1.9

sources: VULHUB: VHN-129482 // JVNDB: JVNDB-2018-015642 // NVD: CVE-2018-18879

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-642

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201903-642

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-015642

PATCH
title:Weather MicroServerurl:https://columbiaweather.com/products/weather-monitoring/microserver/
Trust: 0.8
title:ColumbiaWeatherSystemsWeatherMicroServer code injection vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/156833
Trust: 0.6
title:Columbia Weather Systems Weather MicroServer Fixes for code injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90202
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-07787 // 
            
            
            
            JVNDB: JVNDB-2018-015642 // 
            
            
            
            CNNVD: CNNVD-201903-642

EXTERNAL IDS
db:ICS CERTid:ICSA-19-078-02
Trust: 3.4
db:NVDid:CVE-2018-18879
Trust: 3.4
db:BIDid:107495
Trust: 0.9
db:JVNDBid:JVNDB-2018-015642
Trust: 0.8
db:CNNVDid:CNNVD-201903-642
Trust: 0.7
db:CNVDid:CNVD-2019-07787
Trust: 0.6
db:AUSCERTid:ESB-2019.0903
Trust: 0.6
db:VULHUBid:VHN-129482
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-07787 // 
            
            
            
            VULHUB: VHN-129482 // 
            
            
            
            BID: 107495 // 
            
            
            
            JVNDB: JVNDB-2018-015642 // 
            
            
            
            CNNVD: CNNVD-201903-642 // 
            
            
            
            NVD: CVE-2018-18879

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-19-078-02
Trust: 3.4
url:https://applied-risk.com/labs/advisories
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2018-18879
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18879
Trust: 0.8
url:https://www.auscert.org.au/bulletins/77442
Trust: 0.6
url:http://www.securityfocus.com/bid/107495
Trust: 0.6
url:https://columbiaweather.com/
Trust: 0.3
url:https://columbiaweather.com/products/weather-monitoring/microserver/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2019-07787 // 
            
            
            
            VULHUB: VHN-129482 // 
            
            
            
            BID: 107495 // 
            
            
            
            JVNDB: JVNDB-2018-015642 // 
            
            
            
            CNNVD: CNNVD-201903-642 // 
            
            
            
            NVD: CVE-2018-18879

CREDITS
John Elder and Tom Westenberg of Applied Risk
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201903-642

SOURCES
db:CNVDid:CNVD-2019-07787
db:VULHUBid:VHN-129482
db:BIDid:107495
db:JVNDBid:JVNDB-2018-015642
db:CNNVDid:CNNVD-201903-642
db:NVDid:CVE-2018-18879

LAST UPDATE DATE
2024-11-23T21:59:50.846000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-07787date:2019-03-22T00:00:00
db:VULHUBid:VHN-129482date:2019-06-18T00:00:00
db:BIDid:107495date:2019-03-19T00:00:00
db:JVNDBid:JVNDB-2018-015642date:2019-06-21T00:00:00
db:CNNVDid:CNNVD-201903-642date:2019-06-19T00:00:00
db:NVDid:CVE-2018-18879date:2024-11-21T03:56:48.587

SOURCES RELEASE DATE
db:CNVDid:CNVD-2019-07787date:2019-03-22T00:00:00
db:VULHUBid:VHN-129482date:2019-06-18T00:00:00
db:BIDid:107495date:2019-03-19T00:00:00
db:JVNDBid:JVNDB-2018-015642date:2019-06-21T00:00:00
db:CNNVDid:CNNVD-201903-642date:2019-03-19T00:00:00
db:NVDid:CVE-2018-18879date:2019-06-18T14:15:11.243