AVE DOMINAplus <=1.10.x suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ave | ts01_firmware | 1.0.65 |
| ave | 53ab-wbs_firmware | 1.10.62 |
| ave | ts05_firmware | 1.10.36 |
| ave | ts04x-v_firmware | 1.10.45a |
| ave | dominaplus | * |
| ave | ts05n-v_firmware | - |
| ave | ts03x-v_firmware | 1.10.45a |
AVE DOMINAplus <=1.10.x suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file '/xml/authClients.xml' and obtain administrative login information that allows for a successful authentication bypass attack.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-522,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ave | ts01_firmware | 1.0.65 |
| ave | 53ab-wbs_firmware | 1.10.62 |
| ave | ts05_firmware | 1.10.36 |
| ave | ts04x-v_firmware | 1.10.45a |
| ave | dominaplus | * |
| ave | ts05n-v_firmware | - |
| ave | ts03x-v_firmware | 1.10.45a |
AVE DOMINAplus <=1.10.x suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-306,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ave | ts01_firmware | 1.0.65 |
| ave | 53ab-wbs_firmware | 1.10.62 |
| ave | ts05_firmware | 1.10.36 |
| ave | ts04x-v_firmware | 1.10.45a |
| ave | dominaplus | * |
| ave | ts05n-v_firmware | - |
| ave | ts03x-v_firmware | 1.10.45a |