Vulnerability Details : CVE-2018-20220
An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. While the web interface requires authentication before it can be interacted with, a large portion of the HTTP endpoints are missing authentication. An attacker is able to view these pages before being authenticated, and some of these pages may disclose sensitive information.
Products affected by CVE-2018-20220
- cpe:2.3:o:teracue:enc-400_hdmi_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:teracue:enc-400_hdmi2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:teracue:enc-400_hdsdi_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-20220
- EPSS score: 40.47% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~97% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2018-20220
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
| 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2018-20220
- The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-20220
- https://zxsecurity.co.nz/research.html
  ZX Security | Information Security Consultants. Tags: Not Applicable
- http://packetstormsecurity.com/files/151802/Teracue-ENC-400-Command-Injection-Missing-Authentication.html
  Teracue ENC-400 Command Injection / Missing Authentication ≈ Packet Storm. Tags: Third Party Advisory; VDB Entry
- http://seclists.org/fulldisclosure/2019/Feb/48
  Full Disclosure: Multiple issues in Teracue ENC-400 including pre-authenticated remote code execution. Tags: Mailing List; Third Party Advisory