Ecava IntegraXor < 4.1.4369 Project Directory Information Disclosure

High Nessus Network Monitor Plugin ID 8397

Synopsis

A vulnerable version of Ecava IntegraXor has been detected.

Description

Ecava IntegraXor versions < 4.1.4369 contain an information disclosure vulnerability. Project backup files can be accessed by bypassing file access restrictions with a specially crafted URL. Because credentials are stored in cleartext in certain project backup files, an attacker could possibly use this information to achieve remote code execution.

Solution

Upgrade to version 4.1.4369 or later.

See Also

http://www.nessus.org/u?063b0edb

http://www.integraxor.com/blog/category/security/vulnerability-note/

http://www.zerodayinitiative.com/advisories/ZDI-13-277/

https://ics-cert.us-cert.gov/advisories/ICSA-14-008-01

Plugin Details

Severity: High

ID: 8397

Family: SCADA

Published: 2014/09/19

Modified: 2016/01/15

Dependencies: 1442

Nessus ID: 72107

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ecava:integraxor

Patch Publication Date: 2013/12/21

Vulnerability Publication Date: 2013/12/15

Reference Information

CVE: CVE-2014-0752

BID: 64351