SB2017091501 - Multiple vulnerabilities in LOYTEC LVIS-3ME
Published: September 15, 2017
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Relative path traversal (CVE-ID: CVE-2017-13996)
The vulnerability allows a remote attacker to gain access to important data on the target system.The weakness exists due to improper protection of critical files by the user interface. A remote attacker can create or modify files or possibly execute arbitrary code.
2) Insufficient entropy (CVE-ID: CVE-2017-13992)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to insufficient utilization of random number generation for the web interface authentication mechanism. A remote attacker can gain unauthorized access to the system and execute arbitrary code.
3) Cross-site scripting (CVE-ID: CVE-2017-13994)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Information disclosure (CVE-ID: CVE-2017-13998)
The vulnerability allows a remote attacker to gain access to obtain potentially sensitive information.The weakness exists due to insufficient protection of sensitive information from unauthorized access. A remote attacker can gain access to user's credentials.
Remediation
Install update from vendor's website.