CVE-2016-2296
published 2016-05-14


Priority: P276
Severity: critical, CVSS 3.0 base score 9.4 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
Flags: EXPLOIT
EPSS: 64.37% (99.1th percentile)
Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not require authentication for "post-admin" login pages, which allows remote attackers to obtain sensitive information or modify data via unspecified vectors.

Detection & IOCs (extracted from sources)

URL: /html/en/index.html
URL: /html/en/confAccessProt.html
Port: 8080
  • Fingerprint Meteocontrol WEBlog devices by checking HTTP Server header for 'IS2 Web Server' or response body containing "WEB'log".
  • Flag HTTP responses from /html/en/confAccessProt.html that contain the string 'szWebAdminPassword' in the body — this indicates the admin password is being returned in cleartext without authentication.
  • Alert on unauthenticated access to any post-login admin configuration pages (e.g. /html/en/confAccessProt.html) from external/untrusted network segments, as all application functionality is accessible without authentication.
  • The default port is 8080 but the application may run on a different port; scanning should not be limited to port 8080 alone.
  • On some device models the 'Website password' page is renamed or absent, meaning the szWebAdminPassword field may not be present even on vulnerable devices.
  • All WEB'log product lines (Basic 100, Light, Pro, Pro Unlimited) are affected across all versions prior to the May 2016 release fix.
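The detection notes above can be turned into a passive rule that runs over captured HTTP transactions (proxy or IDS records) rather than probing devices. The following is an added example, not part of the cvebase record or of any vendor tooling; the trusted network ranges, the `HttpTx` record shape and the sample transactions are constructed assumptions. It encodes the three rules listed above plus the two caveats: the destination port is never a condition, and the unauthenticated-admin-access rule fires even when the `szWebAdminPassword` field is absent from the response.

```python
"""Passive detection helpers for the CVE-2016-2296 indicators listed above.

Added example (not part of the cvebase record). Input is a captured
request/response pair as a proxy or IDS would log it; the sample
transactions at the bottom are constructed, not real device traffic.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

FINGERPRINT_SERVER = "IS2 Web Server"
FINGERPRINT_BODY = "WEB'log"
PASSWORD_FIELD = "szWebAdminPassword"
# Post-login admin pages named in the record; add others as they are identified.
ADMIN_PAGES = {"/html/en/confAccessProt.html"}
# Constructed example of trusted segments (assumption; replace with the site's own ranges).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class HttpTx:
    """One captured request/response pair (hypothetical record shape)."""
    src_ip: str
    dst_port: int
    path: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


def is_weblog_device(tx: HttpTx) -> bool:
    """Rule 1: Server header or body carries the WEB'log fingerprint."""
    return FINGERPRINT_SERVER in tx.header("Server") or FINGERPRINT_BODY in tx.body


def from_untrusted(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in TRUSTED_NETS)


def detect(tx: HttpTx) -> List[str]:
    """Return the detection tags that fire for one transaction.

    dst_port is deliberately not a condition: 8080 is the default but the
    service may be bound to another port.
    """
    findings = []
    if is_weblog_device(tx):
        findings.append("fingerprint")
    if tx.path in ADMIN_PAGES and tx.status == 200:
        # Rule 2: admin password returned in cleartext without authentication.
        if PASSWORD_FIELD in tx.body:
            findings.append("cleartext_admin_password")
        # Rule 3: admin page served to an untrusted source. This fires even when
        # szWebAdminPassword is absent (page renamed or missing on some models).
        if from_untrusted(tx.src_ip):
            findings.append("unauth_admin_access")
    return findings


def run_samples() -> Dict[str, List[str]]:
    """Constructed sample transactions covering each rule and caveat."""
    samples = {
        "external_default_port": HttpTx(
            "203.0.113.5", 8080, "/html/en/confAccessProt.html", 200,
            {"Server": "IS2 Web Server"},
            '<input name="szWebAdminPassword" value="...">'),
        "external_other_port_renamed_page": HttpTx(
            "198.51.100.9", 81, "/html/en/confAccessProt.html", 200,
            {"server": "IS2 Web Server"}, "<title>WEB'log</title>"),
        "internal_admin": HttpTx(
            "10.1.2.3", 8080, "/html/en/confAccessProt.html", 200,
            {}, "<title>WEB'log</title><input name=\"szWebAdminPassword\">"),
        "unrelated": HttpTx(
            "203.0.113.5", 8080, "/index.html", 200, {"Server": "nginx"}, "hello"),
    }
    return {name: detect(tx) for name, tx in samples.items()}


if __name__ == "__main__":
    for name, tags in run_samples().items():
        print(f"{name}: {tags or 'no findings'}")
```

The `internal_admin` sample still reports `cleartext_admin_password` even though the source is a trusted segment: the password exposure is a property of the device's response, not of who asked, so it is worth recording regardless of the requester.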

CVSS provenance

NVD, CVSS v3.0: 9.4 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)