MidnightBSD

Advisories for computrols

CVE-2019-10846 MEDIUM

Computrols CBAS 18.0.0 allows Unauthenticated Reflected Cross-Site Scripting vulnerabilities in the login page and password reset page via the username GET parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
computrols computrols_building_automation_system *
CVE-2019-10847 MEDIUM

Computrols CBAS 18.0.0 allows Cross-Site Request Forgery.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
computrols computrols_building_automation_software *
CVE-2019-10848 MEDIUM

Computrols CBAS 18.0.0 allows Username Enumeration.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-203,

Products Affected

Vendor Product Version
computrols computrols_building_automation_software *
CVE-2019-10849 MEDIUM

Computrols CBAS 18.0.0 allows unprotected Subversion (SVN) directory / source code disclosure.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,

Products Affected

Vendor Product Version
computrols computrols_building_automation_software *
CVE-2019-10850 HIGH

Computrols CBAS 18.0.0 has Default Credentials.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
computrols computrols_building_automation_software *
CVE-2019-10851 MEDIUM

Computrols CBAS 18.0.0 has hard-coded encryption keys.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
computrols computrols_building_automation_software *
CVE-2019-10852 MEDIUM

Computrols CBAS 18.0.0 allows Authenticated Blind SQL Injection via the id GET parameter, as demonstrated by the index.php?m=servers&a=start_pulling&id= substring.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
computrols computrols_building_automation_software *
CVE-2019-10853 HIGH

Computrols CBAS 18.0.0 allows Authentication Bypass.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
computrols computrols_building_automation_software *
CVE-2019-10854 HIGH

Computrols CBAS 18.0.0 allows Authenticated Command Injection.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
computrols computrols_building_automation_software *
CVE-2019-10855 MEDIUM

Computrols CBAS 18.0.0 mishandles password hashes. The approach is MD5 with a pw prefix, e.g., if the password is admin, it will calculate the MD5 hash of pwadmin and store it in a MySQL database.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-326,

Products Affected

Vendor Product Version
computrols computrols_building_automation_software *