CVE-2019-13028 Information

Description

An incorrect implementation of a local web server in eID client (Windows version before 3.1.2, Linux version before 3.0.3) allows remote attackers to execute arbitrary code (.cgi, .pl, or .php) or delete arbitrary files via a crafted HTML page. This is a product from the Ministry of Interior of the Slovak Republic.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

https://www.csirt.gov.sk/aktualne-7d7.html?id=194

https://www.csirt.gov.sk/doc/eid_klient_tlacova_sprava.pdf

https://www.minv.sk/?tlacove-spravy&sprava=pouzivatelom-e-sluzieb-automaticky-aktualizujeme-aplikaciu-pre-elektronicky-obciansky-preukaz

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.8

Base Severity

HIGH
