Vulnerability Details : CVE-2019-19127
An authentication bypass vulnerability is present in the standalone SITS:Vision 9.7.0 component of Tribal SITS in its default configuration, related to unencrypted communications sent by the client each time it is launched. This occurs because the Uniface TLS Driver is not enabled by default. This vulnerability allows attackers to gain access to credentials or execute arbitrary SQL queries on the SITS backend as long as they have access to the client executable or can intercept traffic from a user who does.
Products affected by CVE-2019-19127
- cpe:2.3:a:tribalgroup:sits\:vision:9.7.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-19127
1.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 84 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-19127
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
NIST |
CWE ids for CVE-2019-19127
-
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-19127
-
http://packetstormsecurity.com/files/156903/SITS-Vision-9.7.0-Authentication-Bypass.html
SITS:Vision 9.7.0 Authentication Bypass ≈ Packet StormThird Party Advisory;VDB Entry
-
http://seclists.org/fulldisclosure/2020/Mar/26
Full Disclosure: Authentication Bypass in Tribal SITS:VisionMailing List;Third Party Advisory
Jump to