ID CVE-2019-3910
Summary Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.
References
Vulnerable Configurations
  • cpe:2.3:o:crestron:airmedia_am-100_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:crestron:airmedia_am-100:-:*:*:*:*:*:*:*
CVSS
Base: 8.5 (as of 24-08-2020 - 17:37)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: PARTIAL
Availability: COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:C
refmap via4
misc https://www.tenable.com/security/research/tra-2019-02
Last major update 24-08-2020 - 17:37
Published 18-01-2019 - 18:29
Last modified 24-08-2020 - 17:37