Regular Expression without Anchors in Wago PFC200 Controller and WAGO PFC100 Controller - CVE-2019-5134
Published: March 20, 2020
Vulnerability identifier: #VU26273
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2019-5134
CWE-ID: CWE-777
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: WAGO
Affected software:
Wago PFC200 Controller
WAGO PFC100 Controller
Wago PFC200 Controller
WAGO PFC100 Controller
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the regular expression without anchors issue in the Web-Based Management (WBM) authentication functionality. A remote attacker can use a specially crafted authentication request to bypass regular expression filters and gain access to sensitive information on the target system.
How to mitigate CVE-2019-5134
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.