CVE-2019-13529
Published 2019-10-09
Priority: P3 (55) · Severity: high · CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available (see references) · EPSS: 2.23% (80.5th percentile)
An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation.
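The description above names the two ingredients of this bug class (CWE-352): a state-changing request the device accepts without any proof the operator meant to send it, and a login state tied to the client's IP address rather than to something a cross-site page cannot supply. The browser-initiated forgery therefore arrives from the already-trusted IP and needs no cookie or token at all. The following added example is not SMA's or the WebBox firmware's code; the device, handler names (`login`, `change_password`), endpoints, credential and addresses are hypothetical stand-ins. It models the IP-bound pattern beside a hardened handler that binds the session to a cookie, requires a per-session synchronizer token, and checks the request's Origin.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed addresses for the demo (TEST-NET-1 range, reserved example domain).
DEVICE_ORIGIN = "http://192.0.2.10"           # hypothetical WebBox-like device
OPERATOR_IP = "192.0.2.50"                    # operator workstation that logged in
ATTACKER_ORIGIN = "https://attacker.example"  # page hosting the auto-submitting form


@dataclass
class Request:  # minimal stand-in for an HTTP request as the device sees it
    method: str
    path: str
    client_ip: str
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class VulnerableDevice:
    """Pattern from the advisory: after login the device trusts the client IP itself."""
    def __init__(self):
        self.password = "initial-pw"  # constructed credential
        self.trusted_ips = set()

    def login(self, req: Request) -> int:
        if hmac.compare_digest(req.form.get("password", ""), self.password):
            self.trusted_ips.add(req.client_ip)
            return 200
        return 401

    def change_password(self, req: Request) -> int:
        # The only authorization check: did this IP log in earlier?
        if req.client_ip not in self.trusted_ips:
            return 403
        self.password = req.form["new_password"]
        return 200


def same_origin(url: str, expected: str) -> bool:
    # Compare scheme and host:port exactly; a prefix match would accept look-alike hosts.
    a, b = urlsplit(url), urlsplit(expected)
    return a.scheme != "" and (a.scheme, a.netloc) == (b.scheme, b.netloc)


class HardenedDevice:
    """Cookie-bound session, per-session synchronizer token, and an Origin/Referer check."""
    def __init__(self):
        self.password = "initial-pw"
        self.sessions = {}  # session id -> CSRF token

    def login(self, req: Request):
        if not hmac.compare_digest(req.form.get("password", ""), self.password):
            return 401, {}
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = secrets.token_urlsafe(32)
        # Real response: Set-Cookie: session=<sid>; HttpOnly; SameSite=Strict (defence in depth)
        return 200, {"session": sid}

    def csrf_token(self, req: Request):
        # Token the legitimate UI embeds in its form; a cross-site page cannot read it.
        return self.sessions.get(req.cookies.get("session", ""))

    def change_password(self, req: Request) -> int:
        expected = self.csrf_token(req)
        if expected is None:
            return 403  # no valid session cookie
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not same_origin(origin, DEVICE_ORIGIN):
            return 403  # request was initiated by another site
        if not hmac.compare_digest(req.form.get("csrf", ""), expected):
            return 403  # token missing or wrong
        self.password = req.form["new_password"]
        return 200


def forged_request(cookies: dict) -> Request:
    # What the operator's browser emits when it renders the attacker's page: the operator's
    # source IP, whatever cookies the browser attaches, and the attacker's Origin.
    return Request("POST", "/password", OPERATOR_IP,
                   form={"new_password": "attacker-chosen"},
                   headers={"Origin": ATTACKER_ORIGIN},
                   cookies=cookies)


def run_vulnerable():
    dev = VulnerableDevice()
    dev.login(Request("POST", "/login", OPERATOR_IP, form={"password": "initial-pw"}))
    status = dev.change_password(forged_request({}))
    return status, dev.password  # (200, 'attacker-chosen'): the IP alone is enough


def run_hardened():
    dev = HardenedDevice()
    _, cookies = dev.login(Request("POST", "/login", OPERATOR_IP, form={"password": "initial-pw"}))
    # Worst case: the browser attaches the session cookie to the cross-site POST anyway.
    forged = dev.change_password(forged_request(cookies))
    # A genuine same-origin submission carrying the embedded token still succeeds.
    token = dev.csrf_token(Request("GET", "/", OPERATOR_IP, cookies=cookies))
    legit = dev.change_password(Request("POST", "/password", OPERATOR_IP,
                                        form={"new_password": "operator-chosen", "csrf": token},
                                        headers={"Origin": DEVICE_ORIGIN}, cookies=cookies))
    return forged, legit, dev.password  # (403, 200, 'operator-chosen')
```

`run_vulnerable()` shows the forged request succeeding with an empty cookie jar, which is the point of the advisory's remark about IP-based session tracking. `run_hardened()` deliberately lets the browser attach the session cookie to the cross-site POST, so the rejection comes from the Origin check and the missing token rather than from `SameSite`; treat the cookie attribute as defence in depth, not as the control.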
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sma | sunny_webbox_firmware | <= 1.6 | — |
| sma_solar_technology_ag | sunny_webbox | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
CISA ICS
cisa_ics · ICSA-19-281-01 · Last revised October 08, 2019 · indexed severity HIGH (CVSS 8.8)
ICS Advisory: SMA Solar Technology AG Sunny WebBox
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.6 (CISA's own score; NVD scores the same issue 8.8, see CVSS provenance above)
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: SMA Solar Technology AG
- Equipment: Sunny WebBox
- Vulnerability: Cross-Site Request Forgery
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to generate a denial-of-service condition, modify passwords, enable services, achieve man-in-the-middle, and modify input parameters associated with devices such as sensors.
## 3. TECHNICAL DE
GHSA
GHSA-wgp7-3rwh-vpgw · ghsa_unreviewed · 2022-05-24 · CVE-2019-13529 · HIGH · CWE-352 (Cross-Site Request Forgery)
An attacker could send a malicious link to an authenticated operator, which may allow remote attackers to perform actions with the permissions of the user on the Sunny WebBox Firmware Version 1.6 and prior. This device uses IP addresses to maintain communication after a successful login, which would increase the ease of exploitation.
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/154789/SMA-Solar-Technology-AG-Sunny-WebBox-1.6-Cross-Site-Request-Forgery.html
- https://www.us-cert.gov/ics/advisories/icsa-19-281-01
Published 2019-10-09