CVE-2017-9640
Published 2017-08-25
CVE-2017-9640: A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6.5; ALC WebCTRL, SiteScan Web 6.1 and…
Priority: P3 | 49 | medium | 6.3 (CVSS 3.0)
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EXPLOIT
EPSS: 8.45% (94.3th percentile)
A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6.5; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to overwrite files that are used to execute code. This vulnerability does not affect version 6.5 of the software.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| automatedlogic | i-vu | <= 5.2 | — |
| automatedlogic | i-vu | <= 5.5 | — |
| automatedlogic | i-vu | <= 6.0 | — |
| automatedlogic | sitescan_web | <= 5.2 | — |
| automatedlogic | sitescan_web | <= 5.5 | — |
| automatedlogic | sitescan_web | <= 6.1 | — |
| carrier | automatedlogic_webctrl | <= 5.2 | — |
| carrier | automatedlogic_webctrl | <= 5.5 | — |
| carrier | automatedlogic_webctrl | <= 6.0 | — |
| carrier | automatedlogic_webctrl | <= 6.1 | — |
CVSS provenance
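| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |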
GHSA
GHSA-p698-23j9-7m74: A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6
ghsa_unreviewed·2022-05-13
CVE-2017-9640 [MEDIUM] CWE-22 GHSA-p698-23j9-7m74: A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6
CISA ICS
Automated Logic Corporation WebCTRL, i-VU, SiteScan
cisa_ics·2017-08-22
ICS Advisory
## Automated Logic Corporation WebCTRL, i-VU, SiteScan
Last Revised: August 22, 2017
Alert Code: ICSA-17-234-01
## CVSS v3 8.3
ATTENTION: Remotely exploitable/low skill level to exploit.
Vendor: Automated Logic Corporation (ALC)
Equipment: WebCTRL, i-VU, SiteScan
Vulnerabilities: Unquoted Search Path or Element; Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); Unrestricted Upload of File with Dangerous Type
## AFFECTED PRODUCTS
The following versions of WebCTRL, i-Vu, SiteScan Web, building automation platforms, are affected:
- ALC WebCTRL, i-Vu, Si
Published: 2017-08-25