Vulnerability Details : CVE-2018-16705
Potential exploit
FURUNO FELCOM 250 and 500 devices allow unauthenticated access to the xml/permission.xml file containing all of the system's usernames and passwords. This includes the Admin and Service user accounts and their unsalted MD5 hashes, as well as the SMS server password in cleartext.
Vulnerability category: Information leak
Products affected by CVE-2018-16705
- cpe:2.3:o:furuno:felcom_250_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:furuno:felcom_500_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-16705
- EPSS score: 0.82% (probability of exploitation activity in the next 30 days)
- Percentile: ~72% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-16705
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2018-16705
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-16705
- https://gist.github.com/CyberSKR/c00eabd6b1d5603d724b615ab358ff31
  CVE-2018-16705 - The Furuno Felcom250 and Felcom500 devices allowed unauthenticated access to an XML file containing all of the system's usernames and passwords. · GitHub (Third Party Advisory)
- https://cyberskr.com/blog/furuno-felcom.html
  CyberSKR - Cyber Security Consultancy (Exploit; Technical Description; Third Party Advisory)