#VU26368 Information disclosure in VBASE Editor and VBASE Web-Remote Module


Published: 2020-03-25

Vulnerability identifier: #VU26368

Vulnerability risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-7000

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
VBASE Editor (Server applications / SCADA systems)
VBASE Web-Remote Module (Web applications / Other software)

Vendor: Visam

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure storage of sensitive information. A remote attacker can discover the cryptographic key from the web server and gain information about the login and the encryption/decryption mechanism, which may be exploited to bypass authentication of the HTML5 HMI web interface.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

VBASE Editor: 11.5.0.2

VBASE Web-Remote Module: All versions


External links
http://ics-cert.us-cert.gov/advisories/icsa-20-084-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

