CVE-2019-9105

EUVD-2019-18490
The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Small 05.01 build 1137 devices allows remote attackers to make several types of API calls without authentication, as demonstrated by retrieving password hashes via an inc/utils/REST_API.php?command=CallAPI&customurl=alladminusers call.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
Affected Products (NVD)
VendorProductVersion
saettebe_small_firmware
05.01:1137
saetwebapp
04.68
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://members.backbox.org/saet-tebe-small-supervisor-multiple-vulnerabilities/
https://www.saet.org/wp-content/uploads/2017/04/Depliant_TEBE-TEBE_Small.pdf
https://members.backbox.org/saet-tebe-small-supervisor-multiple-vulnerabilities/
https://www.saet.org/wp-content/uploads/2017/04/Depliant_TEBE-TEBE_Small.pdf