Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2018-17894 (GCVE-0-2018-17894)
Vulnerability from cvelistv5
Published
2018-10-12 14:00
Modified
2024-09-17 04:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-798 - USE OF HARD-CODED CREDENTIALS
Summary
NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | http://www.securityfocus.com/bid/105717 | Third Party Advisory, VDB Entry | |
| ics-cert@hq.dhs.gov | https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02 | Patch, Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/105717 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02 | Patch, Third Party Advisory, US Government Resource |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:01:14.643Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "105717",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/105717"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NUUO CMS",
"vendor": "NUUO",
"versions": [
{
"status": "affected",
"version": "All versions 3.1 and prior"
}
]
}
],
"datePublic": "2018-10-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "USE OF HARD-CODED CREDENTIALS CWE-798",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-25T09:57:01",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"name": "105717",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/105717"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-10-11T00:00:00",
"ID": "CVE-2018-17894",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NUUO CMS",
"version": {
"version_data": [
{
"version_value": "All versions 3.1 and prior"
}
]
}
}
]
},
"vendor_name": "NUUO"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "USE OF HARD-CODED CREDENTIALS CWE-798"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "105717",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105717"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-17894",
"datePublished": "2018-10-12T14:00:00Z",
"dateReserved": "2018-10-02T00:00:00",
"dateUpdated": "2024-09-17T04:14:22.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2018-17894\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2018-10-12T14:29:00.677\",\"lastModified\":\"2024-11-21T03:55:09.397\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access.\"},{\"lang\":\"es\",\"value\":\"En NUUO CMS, en todas las versiones 3.1 y anteriores, la aplicaci\u00f3n crea cuentas por defecto que tienen contrase\u00f1as embebidas, lo que podr\u00eda permitir que un atacante obtenga acceso privilegiado.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nuuo:nuuo_cms:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.1\",\"matchCriteriaId\":\"D15770E9-A56F-403C-B3EE-E3DA91E0DCAD\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/105717\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Patch\",\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://www.securityfocus.com/bid/105717\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\",\"US Government Resource\"]}]}}"
}
}
cnvd-2018-21169
Vulnerability from cnvd
Title: NUUO CMS权限提升漏洞
Description:
NUUO CMS是NUUO公司的一套中央软件管理平台。该平台用于集中管理NVR(硬盘录像机)、IP摄像机等设备,并提供用户管理和警报管理等功能。
NUUO CMS 3.1及之前版本中存在安全漏洞,该漏洞源于程序创建的默认账户使用了硬编码的密码。攻击者可利用该漏洞获取提升的权限。
Severity: 高
Patch Name: NUUO CMS权限提升漏洞的补丁
Patch Description:
NUUO CMS是NUUO公司的一套中央软件管理平台。该平台用于集中管理NVR(硬盘录像机)、IP摄像机等设备,并提供用户管理和警报管理等功能。
NUUO CMS 3.1及之前版本中存在安全漏洞,该漏洞源于程序创建的默认账户使用了硬编码的密码。攻击者可利用该漏洞获取提升的权限。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description:
目前厂商已发布升级补丁以修复漏洞,详情请关注厂商主页: https://www.nuuo.com/
Reference: https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
Impacted products
| Name | NUUO CMS <=3.1 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2018-17894"
}
},
"description": "NUUO CMS\u662fNUUO\u516c\u53f8\u7684\u4e00\u5957\u4e2d\u592e\u8f6f\u4ef6\u7ba1\u7406\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u7528\u4e8e\u96c6\u4e2d\u7ba1\u7406NVR\uff08\u786c\u76d8\u5f55\u50cf\u673a\uff09\u3001IP\u6444\u50cf\u673a\u7b49\u8bbe\u5907\uff0c\u5e76\u63d0\u4f9b\u7528\u6237\u7ba1\u7406\u548c\u8b66\u62a5\u7ba1\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nNUUO CMS 3.1\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u521b\u5efa\u7684\u9ed8\u8ba4\u8d26\u6237\u4f7f\u7528\u4e86\u786c\u7f16\u7801\u7684\u5bc6\u7801\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u63d0\u5347\u7684\u6743\u9650\u3002",
"discovererName": "Pedro Ribeiro",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.nuuo.com/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2018-21169",
"openTime": "2018-10-16",
"patchDescription": "NUUO CMS\u662fNUUO\u516c\u53f8\u7684\u4e00\u5957\u4e2d\u592e\u8f6f\u4ef6\u7ba1\u7406\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u7528\u4e8e\u96c6\u4e2d\u7ba1\u7406NVR\uff08\u786c\u76d8\u5f55\u50cf\u673a\uff09\u3001IP\u6444\u50cf\u673a\u7b49\u8bbe\u5907\uff0c\u5e76\u63d0\u4f9b\u7528\u6237\u7ba1\u7406\u548c\u8b66\u62a5\u7ba1\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nNUUO CMS 3.1\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u521b\u5efa\u7684\u9ed8\u8ba4\u8d26\u6237\u4f7f\u7528\u4e86\u786c\u7f16\u7801\u7684\u5bc6\u7801\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u63d0\u5347\u7684\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "NUUO CMS\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "NUUO CMS \u003c=3.1"
},
"referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
"serverity": "\u9ad8",
"submitTime": "2018-10-16",
"title": "NUUO CMS\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"
}
ghsa-73f9-64hc-46vj
Vulnerability from github
Published
2022-05-13 01:33
Modified
2022-05-13 01:33
Severity ?
VLAI Severity ?
Details
NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access.
{
"affected": [],
"aliases": [
"CVE-2018-17894"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-12T14:29:00Z",
"severity": "CRITICAL"
},
"details": "NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access.",
"id": "GHSA-73f9-64hc-46vj",
"modified": "2022-05-13T01:33:48Z",
"published": "2022-05-13T01:33:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17894"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105717"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
var-201810-0481
Vulnerability from variot
NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access. NUUO CMS Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NUUO CMS is a central software management platform from NUUO. The platform is used to centrally manage NVR (DVR), IP cameras and other devices, and provides user management and alarm management. An attacker could exploit the vulnerability to gain elevated privileges. NUUO CMS is prone to multiple remote code-execution and security-bypass vulnerabilities. Failed exploit attempts may result in a denial-of-service condition. NUUO CMS 3.1 and prior are vulnerable
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201810-0481",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "cms",
"scope": "lte",
"trust": 1.8,
"vendor": "nuuo",
"version": "3.1"
},
{
"model": "cms",
"scope": "eq",
"trust": 0.9,
"vendor": "nuuo",
"version": "3.1"
},
{
"model": "cms",
"scope": "lte",
"trust": 0.6,
"vendor": "nuuo",
"version": "\u003c=3.1"
},
{
"model": "cms",
"scope": "eq",
"trust": 0.3,
"vendor": "nuuo",
"version": "3.0"
},
{
"model": "cms",
"scope": "eq",
"trust": 0.3,
"vendor": "nuuo",
"version": "2.9"
},
{
"model": "cms",
"scope": "eq",
"trust": 0.3,
"vendor": "nuuo",
"version": "2.6"
},
{
"model": "cms",
"scope": "eq",
"trust": 0.3,
"vendor": "nuuo",
"version": "1.3.1"
},
{
"model": "cms",
"scope": "eq",
"trust": 0.3,
"vendor": "nuuo",
"version": "2.0"
},
{
"model": "cms",
"scope": "ne",
"trust": 0.3,
"vendor": "nuuo",
"version": "3.3.0.18"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "nuuo cms",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "e2fd904f-39ab-11e9-b5ff-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-21169"
},
{
"db": "BID",
"id": "105717"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010890"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-667"
},
{
"db": "NVD",
"id": "CVE-2018-17894"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:nuuo:nuuo_cms",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-010890"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Pedro Ribeiro",
"sources": [
{
"db": "BID",
"id": "105717"
},
{
"db": "PACKETSTORM",
"id": "151260"
}
],
"trust": 0.4
},
"cve": "CVE-2018-17894",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2018-17894",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-21169",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "e2fd904f-39ab-11e9-b5ff-000c29342cb1",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.2,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.9 [IVD]"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2018-17894",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-17894",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2018-17894",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNVD",
"id": "CNVD-2018-21169",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201810-667",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "IVD",
"id": "e2fd904f-39ab-11e9-b5ff-000c29342cb1",
"trust": 0.2,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "e2fd904f-39ab-11e9-b5ff-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-21169"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010890"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-667"
},
{
"db": "NVD",
"id": "CVE-2018-17894"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access. NUUO CMS Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NUUO CMS is a central software management platform from NUUO. The platform is used to centrally manage NVR (DVR), IP cameras and other devices, and provides user management and alarm management. An attacker could exploit the vulnerability to gain elevated privileges. NUUO CMS is prone to multiple remote code-execution and security-bypass vulnerabilities. Failed exploit attempts may result in a denial-of-service condition. \nNUUO CMS 3.1 and prior are vulnerable",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-17894"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010890"
},
{
"db": "CNVD",
"id": "CNVD-2018-21169"
},
{
"db": "BID",
"id": "105717"
},
{
"db": "IVD",
"id": "e2fd904f-39ab-11e9-b5ff-000c29342cb1"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-17894",
"trust": 3.6
},
{
"db": "ICS CERT",
"id": "ICSA-18-284-02",
"trust": 3.3
},
{
"db": "BID",
"id": "105717",
"trust": 1.9
},
{
"db": "CNVD",
"id": "CNVD-2018-21169",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201810-667",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010890",
"trust": 0.8
},
{
"db": "IVD",
"id": "E2FD904F-39AB-11E9-B5FF-000C29342CB1",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "151260",
"trust": 0.1
}
],
"sources": [
{
"db": "IVD",
"id": "e2fd904f-39ab-11e9-b5ff-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-21169"
},
{
"db": "BID",
"id": "105717"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010890"
},
{
"db": "PACKETSTORM",
"id": "151260"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-667"
},
{
"db": "NVD",
"id": "CVE-2018-17894"
}
]
},
"id": "VAR-201810-0481",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "e2fd904f-39ab-11e9-b5ff-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-21169"
}
],
"trust": 1.4363636
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.8
}
],
"sources": [
{
"db": "IVD",
"id": "e2fd904f-39ab-11e9-b5ff-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-21169"
}
]
},
"last_update_date": "2024-11-23T22:30:16.712000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Central Management System",
"trust": 0.8,
"url": "https://www.nuuo.com/ProductNode.php?node=3"
},
{
"title": "NUUO CMS privilege escalation vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/142383"
},
{
"title": "NUUO CMS Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85785"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21169"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010890"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-667"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-798",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-010890"
},
{
"db": "NVD",
"id": "CVE-2018-17894"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.3,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-18-284-02"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/bid/105717"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-17894"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17894"
},
{
"trust": 0.3,
"url": "http://www.nuuo.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-17888"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-17890"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-17892"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-17936"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-17934"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-18982"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21169"
},
{
"db": "BID",
"id": "105717"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010890"
},
{
"db": "PACKETSTORM",
"id": "151260"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-667"
},
{
"db": "NVD",
"id": "CVE-2018-17894"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "e2fd904f-39ab-11e9-b5ff-000c29342cb1"
},
{
"db": "CNVD",
"id": "CNVD-2018-21169"
},
{
"db": "BID",
"id": "105717"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010890"
},
{
"db": "PACKETSTORM",
"id": "151260"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-667"
},
{
"db": "NVD",
"id": "CVE-2018-17894"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-18T00:00:00",
"db": "IVD",
"id": "e2fd904f-39ab-11e9-b5ff-000c29342cb1"
},
{
"date": "2018-10-16T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-21169"
},
{
"date": "2018-10-11T00:00:00",
"db": "BID",
"id": "105717"
},
{
"date": "2018-12-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-010890"
},
{
"date": "2019-01-21T23:02:22",
"db": "PACKETSTORM",
"id": "151260"
},
{
"date": "2018-10-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-667"
},
{
"date": "2018-10-12T14:29:00.677000",
"db": "NVD",
"id": "CVE-2018-17894"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-21169"
},
{
"date": "2018-10-11T00:00:00",
"db": "BID",
"id": "105717"
},
{
"date": "2018-12-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-010890"
},
{
"date": "2019-10-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-667"
},
{
"date": "2024-11-21T03:55:09.397000",
"db": "NVD",
"id": "CVE-2018-17894"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "151260"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-667"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "NUUO CMS Vulnerabilities related to the use of hard-coded credentials",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-010890"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "trust management problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-667"
}
],
"trust": 0.6
}
}
fkie_cve-2018-17894
Vulnerability from fkie_nvd
Published
2018-10-12 14:29
Modified
2024-11-21 03:55
Severity ?
Summary
NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | http://www.securityfocus.com/bid/105717 | Third Party Advisory, VDB Entry | |
| ics-cert@hq.dhs.gov | https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02 | Patch, Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/105717 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02 | Patch, Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuuo:nuuo_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D15770E9-A56F-403C-B3EE-E3DA91E0DCAD",
"versionEndIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access."
},
{
"lang": "es",
"value": "En NUUO CMS, en todas las versiones 3.1 y anteriores, la aplicaci\u00f3n crea cuentas por defecto que tienen contrase\u00f1as embebidas, lo que podr\u00eda permitir que un atacante obtenga acceso privilegiado."
}
],
"id": "CVE-2018-17894",
"lastModified": "2024-11-21T03:55:09.397",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-10-12T14:29:00.677",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/105717"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Patch",
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/105717"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
gsd-2018-17894
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-17894",
"description": "NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access.",
"id": "GSD-2018-17894",
"references": [
"https://packetstormsecurity.com/files/cve/CVE-2018-17894"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-17894"
],
"details": "NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access.",
"id": "GSD-2018-17894",
"modified": "2023-12-13T01:22:31.180548Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-10-11T00:00:00",
"ID": "CVE-2018-17894",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NUUO CMS",
"version": {
"version_data": [
{
"version_value": "All versions 3.1 and prior"
}
]
}
}
]
},
"vendor_name": "NUUO"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "USE OF HARD-CODED CREDENTIALS CWE-798"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "105717",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105717"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:nuuo:nuuo_cms:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2018-17894"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02"
},
{
"name": "105717",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/105717"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2019-10-09T23:37Z",
"publishedDate": "2018-10-12T14:29Z"
}
}
}
icsa-18-284-02
Vulnerability from csaf_cisa
Published
2018-10-11 00:00
Modified
2018-11-20 00:00
Summary
NUUO CMS (Update A)
Notes
CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
Successful exploitation of theses vulnerabilities could result in arbitrary remote code execution.
Critical infrastructure sectors
Commercial Facilities, Financial Services, Government Facilities, Healthcare and Public Health, Transportation Systems.
Countries/areas deployed
Worldwide
Company headquarters location
Taiwan
Recommended Practices
NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
Recommended Practices
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.
Exploitability
No known public exploits specifically target these vulnerabilities.
{
"document": {
"acknowledgments": [
{
"names": [
"Pedro Ribeiro"
],
"summary": "reporting these vulnerabilities to NCCIC"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of theses vulnerabilities could result in arbitrary remote code execution.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Commercial Facilities, Financial Services, Government Facilities, Healthcare and Public Health, Transportation Systems.",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Taiwan",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "No known public exploits specifically target these vulnerabilities.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-18-284-02 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2018/icsa-18-284-02.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-18-284-02 Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-18-284-02"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "NUUO CMS (Update A)",
"tracking": {
"current_release_date": "2018-11-20T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-18-284-02",
"initial_release_date": "2018-10-11T00:00:00.000000Z",
"revision_history": [
{
"date": "2018-10-11T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSA-18-284-02 NUUO CMS"
},
{
"date": "2018-11-20T00:00:00.000000Z",
"legacy_version": "A",
"number": "2",
"summary": "ICSA-18-284-02 NUUO CMS (Update A)"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c= 3.3",
"product": {
"name": "CMS: Versions 3.3 and prior",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "CMS"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c= 3.1",
"product": {
"name": "CMS: Versions 3.1 and prior",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "CMS"
}
],
"category": "vendor",
"name": "NUUO"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-17888",
"cwe": {
"id": "CWE-330",
"name": "Use of Insufficiently Random Values"
},
"notes": [
{
"category": "summary",
"text": "The application uses a session identification mechanism that could allow attackers to obtain the active session ID, which could allow arbitrary remote code execution.CVE-2018-17888 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17888"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "http://d1.nuuo.com/NUUO/CMS/v3.3.0/CMS_NUUO_All_v3.3.0.18.zip"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2018-17890",
"cwe": {
"id": "CWE-477",
"name": "Use of Obsolete Function"
},
"notes": [
{
"category": "summary",
"text": "The application uses insecure and outdated software components for functionality, which could allow arbitrary code execution.CVE-2018-17890 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17890"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "http://d1.nuuo.com/NUUO/CMS/v3.3.0/CMS_NUUO_All_v3.3.0.18.zip"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2018-17892",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "summary",
"text": "The application implements a method of user account control that causes standard account security features to not be utilized as intended, which could allow user account compromise and may allow for remote code execution.CVE-2018-17892 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17892"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "http://d1.nuuo.com/NUUO/CMS/v3.3.0/CMS_NUUO_All_v3.3.0.18.zip"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2018-17894",
"cwe": {
"id": "CWE-798",
"name": "Use of Hard-coded Credentials"
},
"notes": [
{
"category": "summary",
"text": "The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access.CVE-2018-17894 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17894"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "http://d1.nuuo.com/NUUO/CMS/v3.3.0/CMS_NUUO_All_v3.3.0.18.zip"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2018-17934",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "summary",
"text": "The application allows external input to construct a pathname that is able to be resolved outside the intended directory. This could allow an attacker to impersonate a legitimate user, obtain restricted information, or execute arbitrary code.CVE-2018-17934 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17934"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "http://d1.nuuo.com/NUUO/CMS/v3.3.0/CMS_NUUO_All_v3.3.0.18.zip"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2018-17936",
"cwe": {
"id": "CWE-434",
"name": "Unrestricted Upload of File with Dangerous Type"
},
"notes": [
{
"category": "summary",
"text": "The application allows the upload of arbitrary files that can modify or overwrite configuration files to the server, which could allow remote code execution.CVE-2018-17936 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17936"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "http://d1.nuuo.com/NUUO/CMS/v3.3.0/CMS_NUUO_All_v3.3.0.18.zip"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2018-18982",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"category": "summary",
"text": "The web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code execution.CVE-2018-18982 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18982"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "http://d1.nuuo.com/NUUO/CMS/v3.3.0/CMS_NUUO_All_v3.3.0.18.zip"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
}
]
}
ICSA-18-284-02
Vulnerability from csaf_cisa
Published
2018-10-11 00:00
Modified
2018-11-20 00:00
Summary
NUUO CMS (Update A)
Notes
CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
Successful exploitation of theses vulnerabilities could result in arbitrary remote code execution.
Critical infrastructure sectors
Commercial Facilities, Financial Services, Government Facilities, Healthcare and Public Health, Transportation Systems.
Countries/areas deployed
Worldwide
Company headquarters location
Taiwan
Recommended Practices
NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
Recommended Practices
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.
Exploitability
No known public exploits specifically target these vulnerabilities.
{
"document": {
"acknowledgments": [
{
"names": [
"Pedro Ribeiro"
],
"summary": "reporting these vulnerabilities to NCCIC"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of theses vulnerabilities could result in arbitrary remote code execution.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Commercial Facilities, Financial Services, Government Facilities, Healthcare and Public Health, Transportation Systems.",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Taiwan",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "No known public exploits specifically target these vulnerabilities.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-18-284-02 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2018/icsa-18-284-02.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-18-284-02 Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-18-284-02"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "NUUO CMS (Update A)",
"tracking": {
"current_release_date": "2018-11-20T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-18-284-02",
"initial_release_date": "2018-10-11T00:00:00.000000Z",
"revision_history": [
{
"date": "2018-10-11T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSA-18-284-02 NUUO CMS"
},
{
"date": "2018-11-20T00:00:00.000000Z",
"legacy_version": "A",
"number": "2",
"summary": "ICSA-18-284-02 NUUO CMS (Update A)"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c= 3.3",
"product": {
"name": "CMS: Versions 3.3 and prior",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "CMS"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c= 3.1",
"product": {
"name": "CMS: Versions 3.1 and prior",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "CMS"
}
],
"category": "vendor",
"name": "NUUO"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-17888",
"cwe": {
"id": "CWE-330",
"name": "Use of Insufficiently Random Values"
},
"notes": [
{
"category": "summary",
"text": "The application uses a session identification mechanism that could allow attackers to obtain the active session ID, which could allow arbitrary remote code execution.CVE-2018-17888 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17888"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "http://d1.nuuo.com/NUUO/CMS/v3.3.0/CMS_NUUO_All_v3.3.0.18.zip"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2018-17890",
"cwe": {
"id": "CWE-477",
"name": "Use of Obsolete Function"
},
"notes": [
{
"category": "summary",
"text": "The application uses insecure and outdated software components for functionality, which could allow arbitrary code execution.CVE-2018-17890 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17890"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "http://d1.nuuo.com/NUUO/CMS/v3.3.0/CMS_NUUO_All_v3.3.0.18.zip"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2018-17892",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "summary",
"text": "The application implements a method of user account control that causes standard account security features to not be utilized as intended, which could allow user account compromise and may allow for remote code execution.CVE-2018-17892 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17892"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "http://d1.nuuo.com/NUUO/CMS/v3.3.0/CMS_NUUO_All_v3.3.0.18.zip"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2018-17894",
"cwe": {
"id": "CWE-798",
"name": "Use of Hard-coded Credentials"
},
"notes": [
{
"category": "summary",
"text": "The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access.CVE-2018-17894 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17894"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "http://d1.nuuo.com/NUUO/CMS/v3.3.0/CMS_NUUO_All_v3.3.0.18.zip"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2018-17934",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "summary",
"text": "The application allows external input to construct a pathname that is able to be resolved outside the intended directory. This could allow an attacker to impersonate a legitimate user, obtain restricted information, or execute arbitrary code.CVE-2018-17934 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17934"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "http://d1.nuuo.com/NUUO/CMS/v3.3.0/CMS_NUUO_All_v3.3.0.18.zip"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2018-17936",
"cwe": {
"id": "CWE-434",
"name": "Unrestricted Upload of File with Dangerous Type"
},
"notes": [
{
"category": "summary",
"text": "The application allows the upload of arbitrary files that can modify or overwrite configuration files to the server, which could allow remote code execution.CVE-2018-17936 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17936"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "http://d1.nuuo.com/NUUO/CMS/v3.3.0/CMS_NUUO_All_v3.3.0.18.zip"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2018-18982",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"category": "summary",
"text": "The web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code execution.CVE-2018-18982 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18982"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "NUUO has developed a fix for the reported vulnerabilities and recommends users update to firmware v3.3 or the latest available. ",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "http://d1.nuuo.com/NUUO/CMS/v3.3.0/CMS_NUUO_All_v3.3.0.18.zip"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…