Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-13941 |
CWE-ID | CWE-200 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Siemens OZW672 (Hardware solutions / Security hardware appliances), Siemens OZW772 (Hardware solutions / Security hardware appliances) |
Vendor | Siemens |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU25262
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2019-13941
CWE-ID: CWE-200 - Information exposure
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the OZW web server uses predictable path names for project files that legitimately authenticated users have created with the application's export function. A remote attacker can access a specific uniform resource locator on the web server and download a project file without prior authentication.
Install updates from the vendor's website.
Vulnerable software versions
Siemens OZW672: before 10.0
Siemens OZW772: before 10.0
CPE2.3
External links
http://cert-portal.siemens.com/productcert/pdf/ssa-986695.pdf
Q & A
Can this vulnerability be exploited remotely?
Is there known malware that exploits this vulnerability?