CVE-2018-16591 Information

Description

FURUNO FELCOM 250 and 500 devices allow unauthenticated users to change the password for the Admin, Log and Service accounts, as well as the password for the protected "SMS" panel, via /cgi-bin/sm_changepassword.cgi and /cgi-bin/sm_sms_changepasswd.cgi.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://cyberskr.com/blog/furuno-felcom.html

https://gist.github.com/CyberSKR/2c30d964d48b5e1518ded88bd953b710

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Base Severity

HIGH
