CVE-2017-17974 Information
Feb 14, 2021
cve
Description
BA SYSTEMS BAS Web on BAS920 devices (with Firmware 01.01.00* HTTPserv 00002 and Script 02.*) and ISC2000 devices allows remote attackers to obtain sensitive information via a request for isc/get_sid_js.aspx or isc/get_sid.aspx as demonstrated by obtaining administrative access by subsequently using the credential information for the Supervisor/Administrator account.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
http://misteralfa-hack.blogspot.cl/2017/12/ba-system-improper-access-control.html https://github.com/ezelf/baCK_system
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
HIGH
Base Severity
9.8
Share on: