#VU16537 Path traversal in GE Hardware solutions


Published: 2018-12-13 | Updated: 2018-12-14

Vulnerability identifier: #VU16537

Vulnerability risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-19003

CWE-ID: CWE-22

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
LS2100e: Hardware solutions / Office equipment, IP-phones, print servers
EX2100e_Reg: Hardware solutions / Office equipment, IP-phones, print servers
EX2100e: Hardware solutions / Office equipment, IP-phones, print servers
Mark VIe: Hardware solutions / Office equipment, IP-phones, print servers

Vendor: GE

Description

The vulnerability allows an adjacent unauthenticated attacker to obtain potentially sensitive information.

The vulnerability exists due to improper restriction of access to restricted information. An adjacent attacker can conduct a directory traversal attack and gain access to potentially sensitive information.

Mitigation
Update the affected products to the latest versions.

Vulnerable software versions

LS2100e: All versions

EX2100e_Reg: All versions

EX2100e: All versions

Mark VIe: All versions


External links
http://ics-cert.us-cert.gov/advisories/ICSA-18-347-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

