CVE-2019-10886 — MEDIUM (5.9)

Q: How severe is CVE-2019-10886?

CVE-2019-10886 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-10886?

Check the references section above for vendor advisories and patch information. Affected products include: Sony Photo Sharing Plus, Sony Kdl-50W800C, Sony Kdl-50W805C, Sony Kdl-50W807C, Sony Kdl-50W809C.

Vulnerability Description

An incorrect access control exists in the Sony Photo Sharing Plus application in the firmware before PKG6.5629 version (for the X7500D TV and other applicable TVs). This vulnerability allows an attacker to read arbitrary files without authentication over HTTP when Photo Sharing Plus application is running. This may allow an attacker to browse a particular directory (e.g. images) inside the private network.

CVSS Score

5.9

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Sony	Photo Sharing Plus	< pkg6.5629
Sony	Kdl-50W800C	-
Sony	Kdl-50W805C	-
Sony	Kdl-50W807C	-
Sony	Kdl-50W809C	-
Sony	Kdl-50W820C	-
Sony	Kdl-55W800C	-
Sony	Kdl-55W805C	-
Sony	Kdl-65W850C	-
Sony	Kdl-65W855C	-
Sony	Kdl-65W857C	-
Sony	Kdl-75W850C	-
Sony	Kdl-75W855C	-
Sony	X7500D	-
Sony	Xbr-100Z9D	-
Sony	Xbr-43X800D	-
Sony	Xbr-43X800E	-
Sony	Xbr-43X830C	-
Sony	Xbr-49X700D	-
Sony	Xbr-49X800C	-

Related Weaknesses (CWE)

CWE-306

References

http://packetstormsecurity.com/files/152612/Sony-Smart-TV-Information-DisclosureThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2019/Apr/32Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/108072Third Party AdvisoryVDB Entry
https://seclists.org/bugtraq/2019/Apr/34ExploitMailing ListThird Party Advisory
https://www.sony.com/electronics/support/downloads/00016043ExploitVendor Advisory
http://packetstormsecurity.com/files/152612/Sony-Smart-TV-Information-DisclosureThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2019/Apr/32Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/108072Third Party AdvisoryVDB Entry
https://seclists.org/bugtraq/2019/Apr/34ExploitMailing ListThird Party Advisory
https://www.sony.com/electronics/support/downloads/00016043ExploitVendor Advisory

FAQ

What is CVE-2019-10886?

CVE-2019-10886 is a vulnerability with a CVSS score of 5.9 (MEDIUM). An incorrect access control exists in the Sony Photo Sharing Plus application in the firmware before PKG6.5629 version (for the X7500D TV and other applicable TVs). This vulnerability allows an attack...

How severe is CVE-2019-10886?

CVE-2019-10886 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-10886?

Check the references section above for vendor advisories and patch information. Affected products include: Sony Photo Sharing Plus, Sony Kdl-50W800C, Sony Kdl-50W805C, Sony Kdl-50W807C, Sony Kdl-50W809C.