CVE-2019-5135 — MEDIUM (5.3)

Vulnerability Description

An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP crypt() function which can be exploited to disclose hashed user credentials. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12).

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Wago	Pfc200 Firmware	03.00.39\(12\)
Wago	Pfc200	-
Wago	Pfc100 Firmware	03.00.39\(12\)
Wago	Pfc100	-

Related Weaknesses (CWE)

CWE-327

References

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0924ExploitMitigationThird Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0924ExploitMitigationThird Party Advisory

FAQ

What is CVE-2019-5135?

CVE-2019-5135 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes u...

How severe is CVE-2019-5135?

CVE-2019-5135 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-5135?

Check the references section above for vendor advisories and patch information. Affected products include: Wago Pfc200 Firmware, Wago Pfc200, Wago Pfc100 Firmware, Wago Pfc100.