CODESYS WAGO WebVisu Password Information Disclosure Vulnerability

Medium severity, Nessus Plugin ID 77377

Synopsis

The remote host is affected by an information disclosure vulnerability.

Description

The remote host is running a vulnerable version of CODESYS WebVisu on a WAGO application controller. By sending a specially crafted request, a remote attacker can extract password information for users on the device.

Solution

The vendor has not yet provided a solution. As a workaround, delete the 'webvisu.jar' file in the plc directory.

See Also

http://www.nessus.org/u?a5a0dfdc

Plugin Details

Severity: Medium

ID: 77377

File Name: scada_codesys_webvisu_2_3_9_44.nbin

Version: Revision

Type: remote

Family: SCADA

Published: 8/25/2014

Updated: 8/25/2014

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:3s-smart_software_solutions:codesys_webvisu

Required KB Items: installed_sw/CODESYS WebVisu

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 7/10/2014

Reference Information

BID: 68485