ID CVE-2016-2296
Summary Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not require authentication for "post-admin" login pages, which allows remote attackers to obtain sensitive information or modify data via unspecified vectors.
References
Vulnerable Configurations
  • cpe:2.3:a:meteocontrol:web%27log_pro_unlimited
  • cpe:2.3:a:meteocontrol:web%27log_pro
  • cpe:2.3:a:meteocontrol:web%27log_light
  • cpe:2.3:a:meteocontrol:web%27log_basic_100
CVSS
Base: 7.5 (as of 16-05-2016 - 12:28)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
exploit-db via4
description Meteocontrol WEB’log - Admin Password Disclosure. CVE-2016-2296. Webapps exploits for multiple platform
file exploits/multiple/webapps/39822.rb
id EDB-ID:39822
last seen 2016-05-17
modified 2016-05-17
platform multiple
port
published 2016-05-17
reporter Karn Ganeshen
source https://www.exploit-db.com/download/39822/
title Meteocontrol WEB’log - Admin Password Disclosure
type webapps
metasploit via4
description This module exploits an authentication bypass vulnerability in Meteocontrol WEBLog appliances (software version < May 2016 release) to extract Administrator password for the device management portal.
id MSF:AUXILIARY/SCANNER/HTTP/METEOCONTROL_WEBLOG_EXTRACTADMIN
last seen 2018-08-29
modified 2017-07-24
published 2017-01-06
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
title Meteocontrol WEBlog Password Extractor
packetstorm via4
data source https://packetstormsecurity.com/files/download/137099/meteocontrol-extract.rb.txt
id PACKETSTORM:137099
last seen 2016-12-05
published 2016-05-17
reporter Karn Ganeshen
source https://packetstormsecurity.com/files/137099/Meteocontrol-WEBLog-Password-Extractor.html
title Meteocontrol WEBLog Password Extractor
refmap via4
exploit-db 39822
fulldisc 20160517 [ICS] Meteocontrol WEB'log Multiple Vulnerabilities
misc https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01
Last major update 29-11-2016 - 22:04
Published 14-05-2016 - 12:59
Last modified 06-09-2017 - 21:29