CVE-2016-2296

Published on: 05/14/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:15 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Certain versions of Web'log Basic 100 from Meteocontrol contain the following vulnerability:

Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not require authentication for "post-admin" login pages, which allows remote attackers to obtain sensitive information or modify data via unspecified vectors.

  • CVE-2016-2296 has been assigned by [email protected] to track the vulnerability - currently rated as CRITICAL severity.

CVSS3 Score: 9.4 - CRITICAL

Attack Vector | Attack Complexity | Privileges Required | User Interaction
NETWORK | LOW | NONE | NONE

Scope | Confidentiality Impact | Integrity Impact | Availability Impact
UNCHANGED | HIGH | HIGH | LOW

CVSS2 Score: 7.5 - HIGH

Access Vector | Access Complexity | Authentication
NETWORK | LOW | NONE

Confidentiality Impact | Integrity Impact | Availability Impact
PARTIAL | PARTIAL | PARTIAL

CVE References

  • Description: Meteocontrol WEB’log - Admin Password Disclosure (Metasploit). Tags: Proof of Concept. Link: www.exploit-db.com (text/html), EXPLOIT-DB 39822
  • Description: Full Disclosure: [ICS] Meteocontrol WEB’log Multiple Vulnerabilities. Link: seclists.org (text/html), FULLDISC 20160517 [ICS] Meteocontrol WEB'log Multiple Vulnerabilities
  • Description: Meteocontrol WEB'log Vulnerabilities (Update A) | ICS-CERT. Tags: Third Party Advisory, US Government Resource. Link: ics-cert.us-cert.gov (text/html), MISC ics-cert.us-cert.gov/advisories/ICSA-16-133-01

Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Meteocontrol | Web'log Basic 100 | - | All | All | All
Application | Meteocontrol | Web'log Light | - | All | All | All
Application | Meteocontrol | Web'log Pro | - | All | All | All
Application | Meteocontrol | Web'log Pro Unlimited | - | All | All | All
  • cpe:2.3:a:meteocontrol:web\'log_basic_100:-:*:*:*:*:*:*:*
  • cpe:2.3:a:meteocontrol:web\'log_light:-:*:*:*:*:*:*:*
  • cpe:2.3:a:meteocontrol:web\'log_pro:-:*:*:*:*:*:*:*
  • cpe:2.3:a:meteocontrol:web\'log_pro_unlimited:-:*:*:*:*:*:*:*