CRITICAL🇬🇧 English

CVE-2019-5160

CVSS 9.1v3.1pub. 2020-03-11upd. 2024-11-21

An exploitable improper host validation vulnerability exists in the Cloud Connectivity functionality of WAGO PFC200 Firmware versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). A specially crafted HTTPS POST request can cause the software to connect to an unauthorized host, resulting in unauthorized access to firmware update functionality. An attacker can send an authenticated HTTPS POST request to direct the Cloud Connectivity software to connect to an attacker controlled Azure IoT Hub node.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Wago Pfc200

    HW
    Wago
    wszystkie wersje
  • Wago Pfc200 Firmware

    OS
    Wago
    03.00.39\(12\)03.01.07\(13\)03.02.02\(14\)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2023-1698CRITICAL9.8ten sam produkt

In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users an...

CVE-2022-45140CRITICAL9.8ten sam produkt

The configuration backend allows an unauthenticated user to write arbitrary data with root privileges to the s...

CVE-2022-45138CRITICAL9.8ten sam produkt

The configuration backend of the web-based management can be used by unauthenticated users, although only auth...

CVE-2019-5161CRITICAL9.1ten sam produkt

An exploitable remote code execution vulnerability exists in the Cloud Connectivity functionality of WAGO PFC2...

CVE-2020-8597CRITICAL9.8ten sam produkt

eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response ...