Details of VAR-201909-0756

ID

VAR-201909-0756

CVE

CVE-2019-16645

TITLE

Embedthis GoAhead Injection vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2019-009589

DESCRIPTION

An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. This could potentially be used in a phishing attack. Embedthis GoAhead There is an injection vulnerability in.Information may be tampered with. Embedthis Software GoAhead is an embedded Web server of American Embedthis Software company. A security vulnerability exists in Embedthis Software GoAhead version 2.5.0

Trust: 1.71

sources: NVD: CVE-2019-16645 // JVNDB: JVNDB-2019-009589 // VULHUB: VHN-148812

AFFECTED PRODUCTS

vendor:	embedthis	model:	goahead	scope:	eq	version:	2.5.0	Trust: 1.8
vendor:	embedthis	model:	goahead	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-009589 // NVD: CVE-2019-16645

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-16645
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-16645
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201909-1005
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-148812
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-16645
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-148812
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-16645
baseSeverity:	HIGH
baseScore:	8.6
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	4.0
version:	3.1
Trust: 1.0
NVD:	CVE-2019-16645
baseSeverity:	HIGH
baseScore:	8.6
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-148812 // JVNDB: JVNDB-2019-009589 // CNNVD: CNNVD-201909-1005 // NVD: CVE-2019-16645

PROBLEMTYPE DATA

problemtype:	CWE-94	Trust: 1.1
problemtype:	injection (CWE-74) [NVD evaluation ]	Trust: 0.8
problemtype:	CWE-74	Trust: 0.1

sources: VULHUB: VHN-148812 // JVNDB: JVNDB-2019-009589 // NVD: CVE-2019-16645

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-1005

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201909-1005

PATCH

title:

Top Page

url:

https://www.embedthis.com/

Trust: 0.8

sources: JVNDB: JVNDB-2019-009589

EXTERNAL IDS

db:	NVD	id:	CVE-2019-16645	Trust: 3.3
db:	PACKETSTORM	id:	154652	Trust: 1.7
db:	JVN	id:	JVNVU92569237	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-009589	Trust: 0.8
db:	CNNVD	id:	CNNVD-201909-1005	Trust: 0.7
db:	EXPLOIT-DB	id:	47439	Trust: 0.6
db:	VULHUB	id:	VHN-148812	Trust: 0.1

sources: VULHUB: VHN-148812 // JVNDB: JVNDB-2019-009589 // CNNVD: CNNVD-201909-1005 // NVD: CVE-2019-16645

REFERENCES

url:	https://github.com/ramikan/vulnerabilities/blob/master/goahead%20web%20server%20http%20header%20injection	Trust: 2.5
url:	http://packetstormsecurity.com/files/154652/goahead-2.5.0-host-header-injection.html	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-16645	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu92569237/index.html	Trust: 0.8
url:	https://www.exploit-db.com/exploits/47439	Trust: 0.6

sources: VULHUB: VHN-148812 // JVNDB: JVNDB-2019-009589 // CNNVD: CNNVD-201909-1005 // NVD: CVE-2019-16645

CREDITS

Ramikan

Trust: 0.6

sources: CNNVD: CNNVD-201909-1005

SOURCES

db:	VULHUB	id:	VHN-148812
db:	JVNDB	id:	JVNDB-2019-009589
db:	CNNVD	id:	CNNVD-201909-1005
db:	NVD	id:	CVE-2019-16645

LAST UPDATE DATE

2024-08-14T12:23:08.890000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-148812	date:	2020-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-009589	date:	2023-05-11T08:50:00
db:	CNNVD	id:	CNNVD-201909-1005	date:	2020-09-02T00:00:00
db:	NVD	id:	CVE-2019-16645	date:	2020-08-24T17:37:01.140

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-148812	date:	2019-09-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-009589	date:	2019-09-25T00:00:00
db:	CNNVD	id:	CNNVD-201909-1005	date:	2019-09-20T00:00:00
db:	NVD	id:	CVE-2019-16645	date:	2019-09-20T19:15:11.860