MidnightBSD

Advisories for nortekcontrol

CVE-2018-5439 HIGH

A Command Injection issue was discovered in Nortek Linear eMerge E3 series Versions V0.32-07e and prior. A remote attacker may be able to execute arbitrary code on a target machine with elevated privileges.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,CWE-77,

Products Affected

Vendor Product Version
nortekcontrol emerge_e3_firmware *
CVE-2019-7252 MEDIUM

Linear eMerge E3-Series devices have Default Credentials.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1188,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_elite_firmware *
nortekcontrol linear_emerge_essential_firmware *
CVE-2019-7253 HIGH

Linear eMerge E3-Series devices allow Directory Traversal.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_elite_firmware *
nortekcontrol linear_emerge_essential_firmware *
CVE-2019-7254 MEDIUM

Linear eMerge E3-Series devices allow File Inclusion.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_elite_firmware *
nortekcontrol linear_emerge_essential_firmware *
CVE-2019-7255 MEDIUM

Linear eMerge E3-Series devices allow XSS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_elite_firmware *
nortekcontrol linear_emerge_essential_firmware *
CVE-2019-7256 HIGH

Linear eMerge E3-Series devices allow Command Injections.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_elite_firmware *
nortekcontrol linear_emerge_essential_firmware *
CVE-2019-7257 HIGH

Linear eMerge E3-Series devices allow Unrestricted File Upload.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_elite_firmware *
nortekcontrol linear_emerge_essential_firmware *
CVE-2019-7258 MEDIUM

Linear eMerge E3-Series devices allow Privilege Escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_elite_firmware *
nortekcontrol linear_emerge_essential_firmware *
CVE-2019-7259 MEDIUM

Linear eMerge E3-Series devices allow Authorization Bypass with Information Disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_elite_firmware *
nortekcontrol linear_emerge_essential_firmware *
CVE-2019-7260 MEDIUM

Linear eMerge E3-Series devices have Cleartext Credentials in a Database.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_elite_firmware *
nortekcontrol linear_emerge_essential_firmware *
CVE-2019-7261 HIGH

Linear eMerge E3-Series devices have Hard-coded Credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_elite_firmware *
nortekcontrol linear_emerge_essential_firmware *
CVE-2019-7262 MEDIUM

Linear eMerge E3-Series devices allow Cross-Site Request Forgery (CSRF).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_elite_firmware *
nortekcontrol linear_emerge_essential_firmware *
CVE-2019-7263 HIGH

Linear eMerge E3-Series devices have a Version Control Failure.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-18,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_elite_firmware *
nortekcontrol linear_emerge_essential_firmware *
CVE-2019-7264 HIGH

Linear eMerge E3-Series devices allow a Stack-based Buffer Overflow on the ARM platform.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_elite_firmware *
nortekcontrol linear_emerge_essential_firmware *
CVE-2019-7265 HIGH

Linear eMerge E3-Series devices allow Remote Code Execution (root access over SSH).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_elite_firmware *
nortekcontrol linear_emerge_essential_firmware *
CVE-2019-7266 HIGH

Linear eMerge 50P/5000P devices allow Authentication Bypass.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-565,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_5000p_firmware *
nortekcontrol linear_emerge_50p_firmware *
CVE-2019-7267 HIGH

Linear eMerge 50P/5000P devices allow Cookie Path Traversal.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_5000p_firmware *
nortekcontrol linear_emerge_50p_firmware *
CVE-2019-7268 HIGH

Linear eMerge 50P/5000P devices allow Unauthenticated File Upload.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_5000p_firmware *
nortekcontrol linear_emerge_50p_firmware *
CVE-2019-7269 HIGH

Linear eMerge 50P/5000P devices allow Authenticated Command Injection with root Code Execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_5000p_firmware *
nortekcontrol linear_emerge_50p_firmware *
CVE-2019-7270 MEDIUM

Linear eMerge 50P/5000P devices allow Cross-Site Request Forgery (CSRF).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_5000p_firmware *
nortekcontrol linear_emerge_50p_firmware *
CVE-2019-7271 MEDIUM

Nortek Linear eMerge 50P/5000P devices have Default Credentials.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,

Products Affected

Vendor Product Version
nortekcontrol linear_emerge_5000p_firmware *
nortekcontrol linear_emerge_50p_firmware *
CVE-2022-31269

Nortek Linear eMerge E3-Series devices through 0.32-09c place admin credentials in /test.txt that allow an attacker to open a building's doors. (This occurs in situations where the CVE-2019-7271 default credentials have been changed.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N 3.9 4.2

Products Affected

Vendor Product Version
nortekcontrol emerge_e3_firmware *
CVE-2022-31499

Nortek Linear eMerge E3-Series devices before 0.32-08f allow an unauthenticated attacker to inject OS commands via ReaderNo. NOTE: this issue exists because of an incomplete fix for CVE-2019-7256.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
nortekcontrol emerge_e3_firmware *
CVE-2022-31798

Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
nortekcontrol emerge_e3_firmware *