ID

VAR-201808-0126


CVE

CVE-2017-12576


TITLE

Vulnerabilities in PLANEX CS-QR20 related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2017-014283

DESCRIPTION

An issue was discovered on the PLANEX CS-QR20 1.30. A hidden and undocumented management page allows an attacker to execute arbitrary code on the device when the user is authenticated. The management page was used for debugging purposes; once you log in and access the page directly (/admin/system_command.asp), you can execute any command. PLANEX CS-QR20 contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS).

PLANEX is a Japanese online brand company (brands PCI and PLANEX) that provides products for customers ranging from enterprises to home users (such as network cards, routers, switches, L3 network management switches, accessories, Bluetooth products, print servers, Apple peripheral products, network storage devices, etc.). PLANEX CS-QR20 is a network camera product with night vision function produced by PLANEX Corporation of Japan. A security vulnerability exists in PLANEX CS-QR20 version 1.30.

Trust: 2.25

sources: NVD: CVE-2017-12576 // JVNDB: JVNDB-2017-014283 // CNVD: CNVD-2018-15840 // VULHUB: VHN-103112

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-15840

AFFECTED PRODUCTS

vendor: planex, model: cs-qr20, scope: eq, version: 1.30

Trust: 3.0

sources: CNVD: CNVD-2018-15840 // JVNDB: JVNDB-2017-014283 // CNNVD: CNNVD-201708-174 // NVD: CVE-2017-12576

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12576
value: HIGH

Trust: 1.0

NVD: CVE-2017-12576
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-15840
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201708-174
value: HIGH

Trust: 0.6

VULHUB: VHN-103112
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-12576
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-15840
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-103112
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-12576
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-15840 // VULHUB: VHN-103112 // JVNDB: JVNDB-2017-014283 // CNNVD: CNNVD-201708-174 // NVD: CVE-2017-12576

PROBLEMTYPE DATA

problemtype:CWE-668

Trust: 1.1

problemtype:CWE-264

Trust: 0.9

sources: VULHUB: VHN-103112 // JVNDB: JVNDB-2017-014283 // NVD: CVE-2017-12576

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201708-174

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201708-174

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014283

PATCH

title: スマカメ (Sumakame) Night Vision CS-QR20, url: http://www.planex.co.jp/products/cs-qr20/index.shtml

Trust: 0.8

title: PLANEX CS-QR20 patch for arbitrary code execution vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/138185

Trust: 0.6

sources: CNVD: CNVD-2018-15840 // JVNDB: JVNDB-2017-014283

EXTERNAL IDS

db: NVD, id: CVE-2017-12576

Trust: 3.1

db: JVNDB, id: JVNDB-2017-014283

Trust: 0.8

db: CNNVD, id: CNNVD-201708-174

Trust: 0.7

db: CNVD, id: CNVD-2018-15840

Trust: 0.6

db: PACKETSTORM, id: 149062

Trust: 0.1

db: VULHUB, id: VHN-103112

Trust: 0.1

sources: CNVD: CNVD-2018-15840 // VULHUB: VHN-103112 // JVNDB: JVNDB-2017-014283 // CNNVD: CNNVD-201708-174 // NVD: CVE-2017-12576

REFERENCES

url:http://seclists.org/fulldisclosure/2018/aug/27

Trust: 3.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12576

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-12576

Trust: 0.8

sources: CNVD: CNVD-2018-15840 // VULHUB: VHN-103112 // JVNDB: JVNDB-2017-014283 // CNNVD: CNNVD-201708-174 // NVD: CVE-2017-12576

SOURCES

db: CNVD, id: CNVD-2018-15840
db: VULHUB, id: VHN-103112
db: JVNDB, id: JVNDB-2017-014283
db: CNNVD, id: CNNVD-201708-174
db: NVD, id: CVE-2017-12576

LAST UPDATE DATE

2024-11-23T22:45:15.672000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-15840, date: 2018-08-22T00:00:00
db: VULHUB, id: VHN-103112, date: 2019-10-03T00:00:00
db: JVNDB, id: JVNDB-2017-014283, date: 2018-12-20T00:00:00
db: CNNVD, id: CNNVD-201708-174, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2017-12576, date: 2024-11-21T03:09:47.190

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-15840, date: 2018-08-22T00:00:00
db: VULHUB, id: VHN-103112, date: 2018-08-24T00:00:00
db: JVNDB, id: JVNDB-2017-014283, date: 2018-12-20T00:00:00
db: CNNVD, id: CNNVD-201708-174, date: 2017-08-07T00:00:00
db: NVD, id: CVE-2017-12576, date: 2018-08-24T19:29:00.907