Details of VAR-202001-1488

ID

VAR-202001-1488

CVE

CVE-2019-10957

TITLE

Geutebruck IP Camera G-Code and G-Cam Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2019-014195

DESCRIPTION

Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx): All versions 1.12.0.25 and prior may allow a remote authenticated attacker with access to event configuration to store malicious code on the server, which could later be triggered by a legitimate user resulting in code execution within the user’s browser. Geutebruck IP Camera G-Code and G-Cam Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. G-Cam is a web camera series launched by Geutebrück. G-Code is an analog video encoder launched by Geutebrück. Geutebrück G-Cam and G-Code have cross-site scripting vulnerabilities. The vulnerability stems from the lack of proper verification of client data by WEB applications. Attackers can use this vulnerability to execute client code. Geutebruck G-Cam and G-Code are prone to an HTML-injection vulnerability and multiple OS command-injection vulnerabilities. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user and inject and execute arbitrary commands. Other attacks are also possible. The following products of Geutebruck are affected: G-Code EEC-2xxx version 1.12.0.25 and prior G-Cam EBC-21xx version 1.12.0.25 and prior G-Cam EFD-22xx version 1.12.0.25 and prior G-Cam ETHC-22xx version 1.12.0.25 and prior G-Cam EWPC-22xx version 1.12.0.25 and prior

Trust: 2.52

sources: NVD: CVE-2019-10957 // JVNDB: JVNDB-2019-014195 // CNVD: CNVD-2020-22347 // BID: 108579 // VULMON: CVE-2019-10957

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-22347

AFFECTED PRODUCTS

vendor:	geutebrueck	model:	g-code eec-2400	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam ebc-2110	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam efd-2241	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam ethc-2249	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam ethc-2239	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam ebc-2111	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam efd-2250	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam ethc-2240	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam ewpc-2270	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam efd-2240	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebrueck	model:	g-cam ethc-2230	scope:	lte	version:	1.12.0.25	Trust: 1.0
vendor:	geutebruck	model:	g-cam/efd-2240	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-code/eec-2400	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/ebc-2111	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/ethc-2230	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/efd-2241	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/ethc-2240	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/ebc-2110	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/ethc-2249	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/ethc-2239	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam/efd-2250	scope:	-	version:	-	Trust: 0.8
vendor:	geutebruck	model:	g-cam	scope:	lte	version:	<=1.12.0.25	Trust: 0.6
vendor:	geutebruck	model:	g-code	scope:	lte	version:	<=1.12.0.25	Trust: 0.6
vendor:	geutebruck	model:	g-code/eec-2xxx	scope:	eq	version:	1.12.0.25	Trust: 0.3
vendor:	geutebruck	model:	g-cam/ewpc-22xx	scope:	eq	version:	1.12.0.25	Trust: 0.3
vendor:	geutebruck	model:	g-cam/ethc-22xx	scope:	eq	version:	1.12.0.25	Trust: 0.3
vendor:	geutebruck	model:	g-cam/efd-22xx	scope:	eq	version:	1.12.0.25	Trust: 0.3
vendor:	geutebruck	model:	g-cam/ebc-21xx	scope:	eq	version:	1.12.0.25	Trust: 0.3
vendor:	geutebruck	model:	g-code/eec-2xxx	scope:	ne	version:	1.12.13.2	Trust: 0.3
vendor:	geutebruck	model:	g-cam/ewpc-22xx	scope:	ne	version:	1.12.13.2	Trust: 0.3
vendor:	geutebruck	model:	g-cam/ethc-22xx	scope:	ne	version:	1.12.13.2	Trust: 0.3
vendor:	geutebruck	model:	g-cam/efd-22xx	scope:	ne	version:	1.12.13.2	Trust: 0.3
vendor:	geutebruck	model:	g-cam/ebc-21xx	scope:	ne	version:	1.12.13.2	Trust: 0.3

sources: CNVD: CNVD-2020-22347 // BID: 108579 // JVNDB: JVNDB-2019-014195 // NVD: CVE-2019-10957

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-10957
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-10957
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-22347
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-201906-090
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2019-10957
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2019-10957
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2020-22347
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-10957
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.7
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2019-10957
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-22347 // VULMON: CVE-2019-10957 // JVNDB: JVNDB-2019-014195 // CNNVD: CNNVD-201906-090 // NVD: CVE-2019-10957

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8
problemtype:	Cross-site scripting (CWE-79) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2019-014195 // NVD: CVE-2019-10957

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-090

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201906-090

PATCH

title:	Top Page	url:	https://www.geutebrueck.com/	Trust: 0.8
title:	Patch for Geutebrück G-Cam and G-Code cross-site scripting vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/213551	Trust: 0.6
title:	Multiple Geutebrück Fixes for product cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93179	Trust: 0.6

sources: CNVD: CNVD-2020-22347 // JVNDB: JVNDB-2019-014195 // CNNVD: CNNVD-201906-090

EXTERNAL IDS

db:	NVD	id:	CVE-2019-10957	Trust: 4.2
db:	ICS CERT	id:	ICSA-19-155-03	Trust: 3.4
db:	BID	id:	108579	Trust: 0.9
db:	JVNDB	id:	JVNDB-2019-014195	Trust: 0.8
db:	CNVD	id:	CNVD-2020-22347	Trust: 0.6
db:	CNNVD	id:	CNNVD-201906-090	Trust: 0.6
db:	VULMON	id:	CVE-2019-10957	Trust: 0.1

sources: CNVD: CNVD-2020-22347 // VULMON: CVE-2019-10957 // BID: 108579 // JVNDB: JVNDB-2019-014195 // CNNVD: CNNVD-201906-090 // NVD: CVE-2019-10957

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-19-155-03	Trust: 2.5
url:	https://ics-cert.us-cert.gov/advisories/icsa-19-155-03	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10957	Trust: 1.4
url:	https://www.geutebrueck.com/en_en.html	Trust: 0.9
url:	https://www.securityfocus.com/bid/108579	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/162091	Trust: 0.1

sources: CNVD: CNVD-2020-22347 // VULMON: CVE-2019-10957 // BID: 108579 // JVNDB: JVNDB-2019-014195 // CNNVD: CNNVD-201906-090 // NVD: CVE-2019-10957

CREDITS

Romain Luyer and Guillaume Gronnier from CEIS, and Davy Douhine from RandoriSec reported these vulnerabilities to NCCIC., and Davy Douhine from RandoriSec, and Davy Douhine from RandoriSec., and Davy Douhine from RandoriSec reported these vulnerabilities to NCCIC

Trust: 0.6

sources: CNNVD: CNNVD-201906-090

SOURCES

db:	CNVD	id:	CNVD-2020-22347
db:	VULMON	id:	CVE-2019-10957
db:	BID	id:	108579
db:	JVNDB	id:	JVNDB-2019-014195
db:	CNNVD	id:	CNNVD-201906-090
db:	NVD	id:	CVE-2019-10957

LAST UPDATE DATE

2024-12-28T22:51:07.576000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-22347	date:	2020-04-12T00:00:00
db:	VULMON	id:	CVE-2019-10957	date:	2020-02-10T00:00:00
db:	BID	id:	108579	date:	2019-06-05T00:00:00
db:	JVNDB	id:	JVNDB-2019-014195	date:	2024-12-27T03:08:00
db:	CNNVD	id:	CNNVD-201906-090	date:	2020-02-12T00:00:00
db:	NVD	id:	CVE-2019-10957	date:	2024-11-21T04:20:13.960

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-22347	date:	2020-04-12T00:00:00
db:	VULMON	id:	CVE-2019-10957	date:	2020-01-17T00:00:00
db:	BID	id:	108579	date:	2019-06-05T00:00:00
db:	JVNDB	id:	JVNDB-2019-014195	date:	2020-02-06T00:00:00
db:	CNNVD	id:	CNNVD-201906-090	date:	2019-06-04T00:00:00
db:	NVD	id:	CVE-2019-10957	date:	2020-01-17T18:15:12.180