Main Vulnerability Database Vulnerabilities #VU35864

Information disclosure in WebAPP - CVE-2019-9105

Published: June 1, 2019 / Updated: August 8, 2020

Vulnerability identifier: #VU35864

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-9105

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: web-app.org

Affected software:
WebAPP

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Small 05.01 build 1137 devices allows remote attackers to make several types of API calls without authentication, as demonstrated by retrieving password hashes via an inc/utils/REST_API.php?command=CallAPI&customurl=alladminusers call.

How to mitigate CVE-2019-9105

Install update from vendor's website.

Sources

https://members.backbox.org/saet-tebe-small-supervisor-multiple-vulnerabilities/
https://www.saet.org/wp-content/uploads/2017/04/Depliant_TEBE-TEBE_Small.pdf

Information disclosure in WebAPP - CVE-2019-9105

Detailed vulnerability description

How to mitigate CVE-2019-9105

Sources

Please verify you're human