Vulnerability Details : CVE-2017-6031
A Header Injection issue was discovered in Certec EDV GmbH atvise scada prior to Version 3.0. An "improper neutralization of HTTP headers for scripting syntax" issue has been identified, which may allow remote code execution.
Vulnerability category: Execute code
Products affected by CVE-2017-6031
- cpe:2.3:a:certec_edv_gmbh:atvise_scada:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-6031
1.17%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 77 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-6031
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
|
8.8
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2017-6031
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
-
The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.Assigned by: ics-cert@hq.dhs.gov (Secondary)
References for CVE-2017-6031
-
https://ics-cert.us-cert.gov/advisories/ICSA-17-096-01A
Certec EDV GmbH atvise scada (Update A) | CISAThird Party Advisory;US Government Resource
-
http://www.securityfocus.com/bid/97479
Certec EDV GmbH atvise scada Cross Site Scripting and HTTP Header Injection VulnerabilitiesThird Party Advisory;VDB Entry
Jump to