CVE-2018-16671
published 2018-09-18CVE-2018-16671: An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is system software information disclosure due to lack of authentication for /html/device-id.
PriorityP344medium5.3CVSS 3.0
AVNACLPRNUINSUCLINAN
EXPLOIT
EPSS
8.92%
94.6th percentile
An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is system software information disclosure due to lack of authentication for /html/device-id.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| circontrol | circarlife_scada | < 4.3 | 4.3 |
CVSS provenance
nvdv3.05.3MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
CirCarLife SCADA 4.3.0 - Credential Disclosure
exploitdb·2018-09-12·CVSS 9.8
CVE-2018-12634 [CRITICAL] CirCarLife SCADA 4.3.0 - Credential Disclosure
CirCarLife SCADA 4.3.0 - Credential Disclosure
---
# Exploit Title: CirCarLife SCADA 4.3.0 - Credential Disclosure
# Date: 2018-09-10
# Exploit Author: David Castro
# Vendor Homepage: https://circontrol.com/
# Shodan Dork: Server: CirCarLife Server: PsiOcppApp
# Version: CirCarLife Scada all versions under 4.3.0 OCPP implementation all versions under 1.5.0
# CVE : CVE-2018-12634
'''
Description: Mutiple information disclosure issues, including admin credentials disclosure
'''
import requests
from requests.auth import HTTPDigestAuth
from termcolor import colored
from bs4 import BeautifulSoup
import xml.etree.ElementTree as ET
import re
import json
import base64
cabecera = '''
_.-="_- _
_.-=" _- | ||"""""""---._______ __..
___.===""""-.______-,,,,,,,,,,,,`-''----" """"" """"" __'
__.--"
Nuclei
CirCarLife <4.3 - Improper Authentication
nuclei·CVSS 5.3
CVE-2018-16671 [MEDIUM] CirCarLife <4.3 - Improper Authentication
CirCarLife <4.3 - Improper Authentication
CirCarLife before 4.3 is susceptible to improper authentication. A system software information disclosure exists due to lack of authentication for /html/device-id. An attacker can obtain sensitive information, modify data, and/or execute unauthorized operations.
Template:
id: CVE-2018-16671
info:
name: CirCarLife <4.3 - Improper Authentication
author: geeknik
severity: medium
description: CirCarLife before 4.3 is susceptible to improper authentication. A system software information disclosure exists due to lack of authentication for /html/device-id. An attacker can obtain sensitive information, modify data, and/or execute unauthorized operations.
impact: |
Successful exploitation of this vulnerability can lead to unauthorized access to sensitiv
No writeups or analysis indexed.
2018-09-18
Published