Detections
Analytics

Ecava IntegraXor < 4.1.4369 Project Directory Information Disclosure

high Nessus Network Monitor Plugin ID 8397

Synopsis

A vulnerable version of Ecava IntegraXor has been detected.

Description

Ecava IntegraXor versions < 4.1.4369 contain an information disclosure vulnerability. Project backup files can be accessed by bypassing file access restrictions with a specially crafted URL. Since credentials are stored in cleartext in certain project backup files, an attacker could use this information to possibly achieve remote code execution.

Solution

Upgrade to version 4.1.4369 or later.

See Also

http://www.nessus.org/u?063b0edb

http://www.integraxor.com/blog/category/security/vulnerability-note/

http://www.zerodayinitiative.com/advisories/ZDI-13-277/

https://ics-cert.us-cert.gov/advisories/ICSA-14-008-01

Plugin Details

Severity: High

ID: 8397

Family: SCADA

Published: 9/19/2014

Updated: 3/6/2019

Nessus ID: 72107

Risk Information

VPR

Risk Factor: Low

Score: 2.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ecava:integraxor

Patch Publication Date: 12/21/2013

Vulnerability Publication Date: 12/15/2013

Reference Information

CVE: CVE-2014-0752

BID: 64351