var-201702-0852
Vulnerability from variot
An issue was discovered in Advantech SUISAccess Server Version 3.0 and prior. An attacker could traverse the file system and extract files that can result in information disclosure. Authentication is not required to exploit this vulnerability. The specific flaw exists within processing of downloadCSV.jsp. When parsing the file element, the process fails to properly validate a user-supplied path prior to using it in file operations. SUSIAccess is an easy-to-use remote device management software solution. Advantech SUISAccess Server is a set of Advantech's Platform as a Service (PaaS) products for cloud and Internet of Things (IoT) devices
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201702-0852",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "susiaccess",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "3.0"
},
{
"model": "susiaccess",
"scope": "lte",
"trust": 0.8,
"vendor": "advantech",
"version": "server 3.0"
},
{
"model": "susiaccess server",
"scope": null,
"trust": 0.7,
"vendor": "advantech",
"version": null
},
{
"model": "suisaccess server",
"scope": "lte",
"trust": 0.6,
"vendor": "advantech",
"version": "\u003c=3.0"
},
{
"model": "susiaccess",
"scope": "eq",
"trust": 0.6,
"vendor": "advantech",
"version": "3.0"
},
{
"model": "suisaccess server",
"scope": "eq",
"trust": 0.3,
"vendor": "advantech",
"version": "3.0"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-16-628"
},
{
"db": "CNVD",
"id": "CNVD-2016-11831"
},
{
"db": "BID",
"id": "94629"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007630"
},
{
"db": "CNNVD",
"id": "CNNVD-201612-011"
},
{
"db": "NVD",
"id": "CVE-2016-9349"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:advantech:susiaccess",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-007630"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "rgod working with Zero Day Initiative (ZDI).",
"sources": [
{
"db": "BID",
"id": "94629"
},
{
"db": "CNNVD",
"id": "CNNVD-201612-011"
}
],
"trust": 0.9
},
"cve": "CVE-2016-9349",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2016-9349",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "ZDI",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CVE-2016-9349",
"impactScore": 6.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "HIGH",
"trust": 0.7,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2016-11831",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-98169",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2016-9349",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2016-9349",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2016-9349",
"trust": 0.8,
"value": "High"
},
{
"author": "ZDI",
"id": "CVE-2016-9349",
"trust": 0.7,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2016-11831",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201612-011",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-98169",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2016-9349",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-16-628"
},
{
"db": "CNVD",
"id": "CNVD-2016-11831"
},
{
"db": "VULHUB",
"id": "VHN-98169"
},
{
"db": "VULMON",
"id": "CVE-2016-9349"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007630"
},
{
"db": "CNNVD",
"id": "CNNVD-201612-011"
},
{
"db": "NVD",
"id": "CVE-2016-9349"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in Advantech SUISAccess Server Version 3.0 and prior. An attacker could traverse the file system and extract files that can result in information disclosure. Authentication is not required to exploit this vulnerability. The specific flaw exists within processing of downloadCSV.jsp. When parsing the file element, the process fails to properly validate a user-supplied path prior to using it in file operations. SUSIAccess is an easy-to-use remote device management software solution. Advantech SUISAccess Server is a set of Advantech\u0027s Platform as a Service (PaaS) products for cloud and Internet of Things (IoT) devices",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-9349"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007630"
},
{
"db": "ZDI",
"id": "ZDI-16-628"
},
{
"db": "CNVD",
"id": "CNVD-2016-11831"
},
{
"db": "CNNVD",
"id": "CNNVD-201612-011"
},
{
"db": "BID",
"id": "94629"
},
{
"db": "VULHUB",
"id": "VHN-98169"
},
{
"db": "VULMON",
"id": "CVE-2016-9349"
}
],
"trust": 3.78
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=42401",
"trust": 0.2,
"type": "exploit"
},
{
"reference": "https://www.scap.org.cn/vuln/vhn-98169",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-98169"
},
{
"db": "VULMON",
"id": "CVE-2016-9349"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2016-9349",
"trust": 4.2
},
{
"db": "ICS CERT",
"id": "ICSA-16-336-04",
"trust": 3.5
},
{
"db": "BID",
"id": "94629",
"trust": 2.7
},
{
"db": "EXPLOIT-DB",
"id": "42401",
"trust": 1.2
},
{
"db": "EXPLOIT-DB",
"id": "42402",
"trust": 1.2
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007630",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-3831",
"trust": 0.7
},
{
"db": "ZDI",
"id": "ZDI-16-628",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-201612-011",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2016-11831",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "143620",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "143622",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-98169",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2016-9349",
"trust": 0.1
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-16-628"
},
{
"db": "CNVD",
"id": "CNVD-2016-11831"
},
{
"db": "VULHUB",
"id": "VHN-98169"
},
{
"db": "VULMON",
"id": "CVE-2016-9349"
},
{
"db": "BID",
"id": "94629"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007630"
},
{
"db": "CNNVD",
"id": "CNNVD-201612-011"
},
{
"db": "NVD",
"id": "CVE-2016-9349"
}
]
},
"id": "VAR-201702-0852",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-11831"
},
{
"db": "VULHUB",
"id": "VHN-98169"
}
],
"trust": 1.5
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-11831"
}
]
},
"last_update_date": "2024-11-23T22:07:38.582000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "SUSIAccess",
"trust": 0.8,
"url": "http://www2.advantech.com/industrialCloud/about_what.aspx"
},
{
"title": "Advantech has issued an update to correct this vulnerability.",
"trust": 0.7,
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-336-04"
},
{
"title": "Patch for Advantech SUSIAccess Server Information Disclosure Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/84926"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/ghsec/CVE-PoC-Finder "
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-16-628"
},
{
"db": "CNVD",
"id": "CNVD-2016-11831"
},
{
"db": "VULMON",
"id": "CVE-2016-9349"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007630"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-200",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-98169"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007630"
},
{
"db": "NVD",
"id": "CVE-2016-9349"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 4.3,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-16-336-04"
},
{
"trust": 1.8,
"url": "http://www.securityfocus.com/bid/94629"
},
{
"trust": 1.3,
"url": "https://www.exploit-db.com/exploits/42401/"
},
{
"trust": 1.2,
"url": "https://www.exploit-db.com/exploits/42402/"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9349"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-9349"
},
{
"trust": 0.3,
"url": "http://webaccess.advantech.com"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/200.html"
},
{
"trust": 0.1,
"url": "https://github.com/ghsec/cve-poc-finder"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-16-628"
},
{
"db": "CNVD",
"id": "CNVD-2016-11831"
},
{
"db": "VULHUB",
"id": "VHN-98169"
},
{
"db": "VULMON",
"id": "CVE-2016-9349"
},
{
"db": "BID",
"id": "94629"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007630"
},
{
"db": "CNNVD",
"id": "CNNVD-201612-011"
},
{
"db": "NVD",
"id": "CVE-2016-9349"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-16-628"
},
{
"db": "CNVD",
"id": "CNVD-2016-11831"
},
{
"db": "VULHUB",
"id": "VHN-98169"
},
{
"db": "VULMON",
"id": "CVE-2016-9349"
},
{
"db": "BID",
"id": "94629"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007630"
},
{
"db": "CNNVD",
"id": "CNNVD-201612-011"
},
{
"db": "NVD",
"id": "CVE-2016-9349"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-12-13T00:00:00",
"db": "ZDI",
"id": "ZDI-16-628"
},
{
"date": "2016-12-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-11831"
},
{
"date": "2017-02-13T00:00:00",
"db": "VULHUB",
"id": "VHN-98169"
},
{
"date": "2017-02-13T00:00:00",
"db": "VULMON",
"id": "CVE-2016-9349"
},
{
"date": "2016-12-01T00:00:00",
"db": "BID",
"id": "94629"
},
{
"date": "2017-03-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-007630"
},
{
"date": "2016-12-02T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201612-011"
},
{
"date": "2017-02-13T21:59:01.877000",
"db": "NVD",
"id": "CVE-2016-9349"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-12-13T00:00:00",
"db": "ZDI",
"id": "ZDI-16-628"
},
{
"date": "2016-12-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-11831"
},
{
"date": "2017-08-12T00:00:00",
"db": "VULHUB",
"id": "VHN-98169"
},
{
"date": "2017-08-12T00:00:00",
"db": "VULMON",
"id": "CVE-2016-9349"
},
{
"date": "2016-12-20T02:04:00",
"db": "BID",
"id": "94629"
},
{
"date": "2017-03-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-007630"
},
{
"date": "2016-12-02T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201612-011"
},
{
"date": "2024-11-21T03:01:00.073000",
"db": "NVD",
"id": "CVE-2016-9349"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201612-011"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Advantech SUSIAccess Server Information Disclosure Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-11831"
},
{
"db": "CNNVD",
"id": "CNNVD-201612-011"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "information disclosure",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201612-011"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…