1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable Remotely/Low attack complexity
- Vendor: Gessler GmbH
- Equipment: WEB-MASTER
- Vulnerabilities: Use of Weak Credentials, Use of Weak Hash
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a user to take control of the web management of the device. An attacker with access to the device could also extract and break the password hashes for all users stored on the device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Gessler GmbH WEB-MASTER, an emergency lighting management system, are affected:
- WEB-MASTER: version 7.9
3.2 Vulnerability Overview
3.2.1 USE OF WEAK CREDENTIALS CWE-1391
Gessler GmbH WEB-MASTER has a restoration account that uses weak, hard-coded credentials which, if exploited, could allow an attacker control over the web management of the device.
CVE-2024-1039 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.2 USE OF WEAK HASH CWE-328
Gessler GmbH WEB-MASTER stores user account passwords using a weak hashing algorithm. An attacker can recover the passwords by breaking the hashes stored on the device.
CVE-2024-1040 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).
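As an added illustration of the weak-hash finding in 3.2.2 (example code, not code from the advisory or from Gessler): an unsalted fast digest is placed beside a salted, iterated PBKDF2 store with its verifier. MD5 is assumed here only because the advisory does not name the algorithm WEB-MASTER uses; the record format and iteration count are likewise assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak scheme (CWE-328): one fast, unsalted digest per password. MD5 is an
# assumption for illustration; the advisory does not name the real algorithm.
def weak_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened scheme: PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt and a
# work factor that makes offline guessing of every user's hash expensive.
PBKDF2_ITERATIONS = 600_000  # assumed value for this example

def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Self-describing record (assumed format): algorithm$iterations$salt$digest
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def strong_verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False  # malformed record never verifies

def same_password_collides(store) -> bool:
    """True if two users sharing a password get identical stored values.

    With an unsalted digest this is True, so breaking one hash (or a lookup
    table) exposes every account using that password; with a salted scheme
    each record differs even for identical passwords.
    """
    return store("Admin2024") == store("Admin2024")
```

Run stand-alone, `same_password_collides(weak_store)` is True while `same_password_collides(strong_store)` is False.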