Vulnerability Description
In multiple Tecson Tankspion and GOK SmartBox 4 products, the affected application does not properly restrict access to the endpoint responsible for saving settings, leaving it reachable by an unauthenticated user with limited access rights. Because adequate access-control rules are not implemented, a malicious user who requests a specific uniform resource locator (URL) on the web server can change the application settings without authenticating at all, which violates the intended ACL rules.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gok | Smartbox 4 Lan Firmware | All versions |
| Gok | Smartbox 4 Lan | - |
| Gok | Smartbox 4 Lan Pro Firmware | All versions |
| Gok | Smartbox 4 Lan Pro | - |
| Tecson | Lx-Q-Net Firmware | All versions |
| Tecson | Lx-Q-Net | - |
| Tecson | Lx-Net Firmware | All versions |
| Tecson | Lx-Net | - |
| Tecson | E-Litro Net Firmware | All versions |
| Tecson | E-Litro Net | - |
Related Weaknesses (CWE)
References
- https://cert.vde.com/en/advisories/VDE-2019-012/ (Third Party Advisory)
FAQ
What is CVE-2019-12254?
CVE-2019-12254 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In multiple Tecson Tankspion and GOK SmartBox 4 products the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to an unauthenticated user wi...
How severe is CVE-2019-12254?
CVE-2019-12254 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-12254?
Check the references section above for vendor advisories and patch information. Affected products include: Gok Smartbox 4 Lan Firmware, Gok Smartbox 4 Lan, Gok Smartbox 4 Lan Pro Firmware, Gok Smartbox 4 Lan Pro, Tecson Lx-Q-Net Firmware.