CVE-2017-6564 — MEDIUM (6.5)

Vulnerability Description

On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the Guest user, which contains the lowest privileges, can post to the idSourceFileName parameter found within the /download directory. This ability allows for an attacker to download sensitive system files from the host machine such as databases which contain information that can aid in further attacks.

CVSS Score

6.5

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Franklinfueling	Ts-550 Evo Firmware	2.3.0.7332
Franklinfueling	Ts-550 Evo	-

Related Weaknesses (CWE)

CWE-862

References

http://www.u235.io/single-post/2017/05/01/Penetrating-Fuel-Management-SystemsTechnical DescriptionThird Party AdvisoryURL Repurposed
https://gist.github.com/Stick-U235/b187931f828e92866d09b9bdeb956ca2Third Party Advisory
http://www.u235.io/single-post/2017/05/01/Penetrating-Fuel-Management-SystemsTechnical DescriptionThird Party AdvisoryURL Repurposed
https://gist.github.com/Stick-U235/b187931f828e92866d09b9bdeb956ca2Third Party Advisory

FAQ

What is CVE-2017-6564?

CVE-2017-6564 is a vulnerability with a CVSS score of 6.5 (MEDIUM). On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the Guest user, which contains the lowest privileges, can post to the idSourceFileName parameter found within the /download directory. This a...

How severe is CVE-2017-6564?

CVE-2017-6564 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-6564?

Check the references section above for vendor advisories and patch information. Affected products include: Franklinfueling Ts-550 Evo Firmware, Franklinfueling Ts-550 Evo.