CVE-2019-12310

ExaGrid appliances with firmware version v4.8.1.1044.P50 have a /monitor/data/Upgrade/ directory traversal vulnerability, which allows remote attackers to view and retrieve verbose logging information. Files within this directory were observed to contain sensitive run-time information, including Base64 encoded 'support' credentials, leading to administrative access of the device.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 64%
VendorProductVersion
exagridbackup_appliance_firmware
48.1.1044.p50:p50
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://exagrid.com/exagrid-products/resources/
https://www.inquisitllc.com/exagrid-directory-traversal-vulnerability-to-support-credential-extraction/
https://exagrid.com/exagrid-products/resources/
https://www.inquisitllc.com/exagrid-directory-traversal-vulnerability-to-support-credential-extraction/