CVE-2017-17974
Last modified
CVE-2017-17974 is a vulnerability of currently unknown severity. BA SYSTEMS BAS Web on BAS920 devices (with Firmware 01.01.00*, HTTPserv 00002, and Script 02.*) and ISC2000 devices allows remote attackers to obtain sensitive information via a request for isc/get_sid_js.aspx or isc/get_sid.aspx, as demonstrated by obtaining administrative access by subsequently using the credential information for the Supervisor/Administrator account. EPSS estimates a 1.66% chance of exploitation in the next 30 days.
Description
BA SYSTEMS BAS Web on BAS920 devices (with Firmware 01.01.00*, HTTPserv 00002, and Script 02.*) and ISC2000 devices allows remote attackers to obtain sensitive information via a request for isc/get_sid_js.aspx or isc/get_sid.aspx, as demonstrated by obtaining administrative access by subsequently using the credential information for the Supervisor/Administrator account.
Metrics
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Basystems | Bas920 Firmware | 01.01.00 |
| Basystems | Isc2000 Firmware | 01.01.00 |
References
- http://misteralfa-hack.blogspot.cl/2017/12/ba-system-improper-access-control.html (Exploit, Third Party Advisory)
- https://github.com/ezelf/baCK_system (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
