CVE Vulnerability

CVE-2019-11536

Kalki Kalkitech SYNC3000 Substation DCU GPC v2.22.6, 2.23.0, 2.24.0, 3.0.0, 3.1.0, 3.1.16, 3.2.3, 3.2.6, 3.5.0, 3.6.0, and 3.6.1, when WebHMI is not installed, allows an attacker to inject client-side commands or scripts to be executed on the device with privileged access, aka CYB/2019/19561. The attack requires network connectivity to the device and exploits the webserver interface, typically through a browser.

10 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.kalkitech.com/wp-content/uploads/CYB_19561_Advisory.pdf Vendor Advisory
https://www.kalkitech.com/cybersecurity/ Vendor Advisory
Configurations

Configuration 1
Information

Published : 2019-05-22 06:29

Updated : 2020-08-24 05:37

NVD link : CVE-2019-11536

Mitre link : CVE-2019-11536

Products Affected

Kalkitech

Sync3000 Firmware

CWE
NVD-CWE-noinfo