Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2017-9964 CVE-2017-9965 CVE-2017-9966 |
CWE-ID | CWE-22 CWE-284 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software |
Pelco VideoXpert Enterprise Hardware solutions / Firmware |
Vendor | Schneider Electric |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU9697
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9964
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a directory traversal attack.
The weakness exists due to path traversal. A remote attacker can supply sniffing communications, conduct a directory traversal attack and bypass authentication or hijack an existing user's session.
MitigationUpdate to version 2.1.
Pelco VideoXpert Enterprise: All versions
CPE2.3 External linkshttp://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Id=864264...
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU9698
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9965
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a directory traversal attack.
The weakness exists due to path traversal. A remote attacker can supply sniffing communications, conduct a directory traversal attack and view web server files.
MitigationUpdate to version 2.1.
Pelco VideoXpert Enterprise: All versions
CPE2.3 External linkshttp://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Id=864264...
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU9699
Risk: Medium
CVSSv3.1: 7.4 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9966
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote authorized attacker to gain elevated privileges on the target system.
The weakness exists due to improper access control. A remote attacker can replace certain files, obtain system privileges and execute the inserted code at an elevated privilege level.
Successful exploitation of the vulnerability may result in system compromise.
MitigationUpdate to version 2.1.
Pelco VideoXpert Enterprise: All versions
CPE2.3 External linkshttp://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Id=864264...
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.