CVE-2017-8328 : An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices wit

An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross site request forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface to change a user's password. Also this is a systemic issue.

Published 2019-06-18 21:15:10

Updated 2019-06-21 13:37:14

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2017-8328

Securifi » Almond Firmware » Version: Al-r096
cpe:2.3:o:securifi:almond_firmware:al-r096:*:*:*:*:*:*:*
Matching versions
When used together with: Securifi » Almond » Version: N/A
Securifi » Almond 2015 Firmware » Version: Al-r096
cpe:2.3:o:securifi:almond_2015_firmware:al-r096:*:*:*:*:*:*:*
Matching versions
When used together with: Securifi » Almond 2015 » Version: N/A
Securifi » Almond+firmware » Version: Al-r096
cpe:2.3:o:securifi:almond\+firmware:al-r096:*:*:*:*:*:*:*
Matching versions
When used together with: Securifi » Almond+ » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2017-8328

EPSS FAQ

0.25%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 46 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-8328

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.8	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-8328

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-8328

https://seclists.org/bugtraq/2019/Jun/8

Bugtraq: Newly releases IoT security issues
Mailing List;Third Party Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/153227/Securifi-Almond-2015-Buffer-Overflow-Command-Injection-XSS-CSRF.html

Securifi Almond 2015 Buffer Overflow / Command Injection / XSS / CSRF ≈ Packet Storm
Third Party Advisory;VDB Entry

CVEs referencing this url
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Securifi_Almond_plus_sec_issues.pdf

IoT_vulnerabilities/Securifi_Almond_plus_sec_issues.pdf at master · ethanhunnt/IoT_vulnerabilities · GitHub
Exploit;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-8328

Products affected by CVE-2017-8328

Exploit prediction scoring system (EPSS) score for CVE-2017-8328

CVSS scores for CVE-2017-8328

CWE ids for CVE-2017-8328

References for CVE-2017-8328