CVE Vulnerability

CVE-2019-10767

An attacker can include file contents from outside the `/adapter/xxx/` directory, where `xxx` is the name of an existent adapter like "admin". It is exploited using the administrative web panel with a request for an adapter file. **Note:** The attacker has to be logged in if the authentication is enabled (by default isn't enabled).

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/ioBroker/ioBroker.js-controller/commit/f6e292c6750a491a5000d0f851b2fede4f9e2fda Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JS-IOBROKERJSCONTROLLER-534881 Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:iobroker:iobroker.js-controller:*:*:*:*:*:node.js:*:*
Information

Published : 2019-11-21 05:15

Updated : 2019-12-03 07:18

NVD link : CVE-2019-10767

Mitre link : CVE-2019-10767

Products Affected
No products.
CWE
CWE-22