Ecava IntegraXor < 4.2.4458 Multiple Vulnerabilities

high Nessus Plugin ID 77964

Synopsis

The remote Windows host contains a SCADA application that is affected by multiple vulnerabilities.

Description

The version of Ecava IntegraXor installed on the remote host is a version prior to 4.2 Build 4458. It is, therefore, affected by multiple vulnerabilities :

- A flaw related to IntegraXor's privilege management allows the unprivileged guest user account to execute arbitrary SQL statements and potentially upload malicious files. (CVE-2014-0786)

- A flaw in the way that IntegraXor exports report files allows a remote, unauthenticated attacker to read and write any file or cause a denial of service by writing extremely large files. (CVE-2014-2375)

- A SQL injection flaw allows a remote attacker to modify and read database entries that are normally restricted, including configuration entries. (CVE-2014-2376)

- A flaw exists in IntegraXor's built-in application tags that discloses path name information, which can be used in conjunction with other vulnerabilities to increase the likelihood of a successful attack. (CVE-2014-2377)

Solution

Upgrade to version 4.2.4458 or later.

Plugin Details

Severity: High

ID: 77964

File Name: scada_integraxor_4_2_4458.nbin

Version: 1.106

Type: local

Family: SCADA

Published: 9/29/2014

Updated: 11/12/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C

CVSS Score Source: CVE-2014-2375

Vulnerability Information

CPE: cpe:/a:ecava:integraxor

Required KB Items: installed_sw/Ecava IntegraXor

Exploit Ease: No known exploits are available

Patch Publication Date: 9/11/2014

Vulnerability Publication Date: 9/11/2014

Reference Information

CVE: CVE-2014-0786, CVE-2014-2375, CVE-2014-2376, CVE-2014-2377

BID: 66554, 69767, 69772, 69774, 69776

ICSA: 14-091-01, 14-224-01