CVE-2019-6581
Published 2019-06-12. CVE-2019-6581: A vulnerability has been identified in Siveillance VMS 2017 R2 (All versions < V11.2a), Siveillance VMS 2018 R1 (All versions < V12.1a), Siveillance VMS 2018…
Priority: P3 (55) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.29% (66.7th percentile)
A vulnerability has been identified in Siveillance VMS 2017 R2 (All versions < V11.2a), Siveillance VMS 2018 R1 (All versions < V12.1a), Siveillance VMS 2018 R2 (All versions < V12.2a), Siveillance VMS 2018 R3 (All versions < V12.3a), Siveillance VMS 2019 R1 (All versions < V13.1a). An attacker with network access to port 80/TCP could change user roles without proper authorization. The security vulnerability could be exploited by an authenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation compromises confidentiality, integrity and availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| siemens | siveillance_video_management_software_2017_r2 | < 11.2a | 11.2a |
| siemens | siveillance_video_management_software_2018_r1 | < 12.1a | 12.1a |
| siemens | siveillance_video_management_software_2018_r2 | < 12.2a | 12.2a |
| siemens | siveillance_video_management_software_2018_r3 | < 12.3a | 12.3a |
| siemens | siveillance_video_management_software_2019_r1 | < 13.1a | 13.1a |
| siemens_ag | siveillance_vms_2017_r2 | — | — |
| siemens_ag | siveillance_vms_2018_r1 | — | — |
| siemens_ag | siveillance_vms_2018_r2 | — | — |
| siemens_ag | siveillance_vms_2018_r3 | — | — |
| siemens_ag | siveillance_vms_2019_r1 | — | — |
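The Affected table only makes sense if you can compare an installed build against the fixed version for its release train. The following is an added example (not code from this page, Siemens, or NVD) that transcribes the table above into a lookup and compares Siemens-style version strings such as `V12.2` and `V12.2a`; the hotfix-letter ordering (bare release sorts below its lettered hotfix) is an assumption taken from the advisory's "All versions < V12.2a" wording, and the hostnames in the sample inventory are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed versions per product release, transcribed from the Affected table on this page.
# Every version below the listed one is affected per the Siemens advisory.
FIXED_VERSIONS = {
    "2017 R2": "11.2a",
    "2018 R1": "12.1a",
    "2018 R2": "12.2a",
    "2018 R3": "12.3a",
    "2019 R1": "13.1a",
}

# Optional leading 'V', major.minor, optional single hotfix letter ('12.2', 'V12.2a').
_VERSION_RE = re.compile(r"^[vV]?(\d+)\.(\d+)([a-z]?)$")


def parse_version(text: str) -> Tuple[int, int, str]:
    """Parse a Siveillance VMS version string into a comparable tuple.

    Numeric parts compare numerically; the hotfix letter compares after the
    bare release, so '12.2' < '12.2a' < '12.2b' (assumption, see lead-in).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, hotfix = m.groups()
    return int(major), int(minor), hotfix


def is_affected(release: str, installed: str) -> Optional[bool]:
    """True if `installed` is below the fixed version for `release`, False if at or
    above it, None if the release train is not in the table. None means 'unknown',
    not 'safe': a train the advisory does not list still needs a manual check."""
    fixed = FIXED_VERSIONS.get(release.strip())
    if fixed is None:
        return None
    return parse_version(installed) < parse_version(fixed)


def triage(inventory):
    """Classify (host, release, installed) tuples into patch / ok / unknown-release."""
    labels = {True: "patch", False: "ok", None: "unknown-release"}
    return {host: labels[is_affected(release, installed)]
            for host, release, installed in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [
        ("vms-01", "2018 R2", "V12.2"),    # below 12.2a -> patch
        ("vms-02", "2018 R2", "V12.2a"),   # fixed build -> ok
        ("vms-03", "2019 R1", "13.0"),     # below 13.1a -> patch
        ("vms-04", "2016 R3", "10.3"),     # train not in the advisory -> unknown-release
    ]
    for host, verdict in triage(sample).items():
        print(host, verdict)
```

The function does not validate that the version belongs to the named release train (e.g. "13.1a" paired with "2017 R2" is nonsense but would compare without complaint); take the release name from the installed product, not from a guess based on the version number.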
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
GHSA
GHSA-chmm-53hg-3w2w (unreviewed, 2022-05-24) · CVE-2019-6581 · HIGH · CWE-285 (Improper Authorization)
Title: A vulnerability has been identified in Siveillance VMS 2017 R2 (All versions < V11
CISA ICS
Siemens Siveillance VMS (cisa_ics, 2019-06-11, CVSS 9.8, CRITICAL)
ICS Advisory: Siemens Siveillance VMS
Last Revised: June 11, 2019
Alert Code: ICSA-19-162-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Siemens
- Equipment: Siveillance VMS
- Vulnerabilities: Improper Authorization, Incorrect User Management, Missing Authorization
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker with network access to Port 80/TCP to change device properties, user roles, and user-defined event properties.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The foll
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2019-06-12