Strix
26.1K

CVE-2019-13523

MEDIUMCVSS 5.3/10EPSS 1.83%

Last modified

CVE-2019-13523 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), which can be accessed without authentication over the network. Affected performance IP Cameras: HBD3PR2,H4D3PRV3,HED3PR3,H4D3PRV2,HBD3PR1,H4W8PR2,HBW8PR2,H2W2PC1M,H2W4PER3,H2W2PER3,HEW2PER3,HEW4PER3B,HBW2PER1,HEW4PER2,HEW4PER2B,HEW2PER2,H4W2PER2,HBW2PER2,H4W2PER3, and HPW2P1. EPSS estimates a 1.83% chance of exploitation in the next 30 days.

Description

In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), which can be accessed without authentication over the network. Affected performance IP Cameras: HBD3PR2,H4D3PRV3,HED3PR3,H4D3PRV2,HBD3PR1,H4W8PR2,HBW8PR2,H2W2PC1M,H2W4PER3,H2W2PER3,HEW2PER3,HEW4PER3B,HBW2PER1,HEW4PER2,HEW4PER2B,HEW2PER2,H4W2PER2,HBW2PER2,H4W2PER3, and HPW2P1. Affected Performance Series NVRs: HEN08104,HEN08144,HEN081124,HEN16104,HEN16144,HEN16184,HEN16204,HEN162244,HEN16284,HEN16304,HEN16384,HEN32104,HEN321124,HEN32204,HEN32284,HEN322164,HEN32304, HEN32384,HEN323164,HEN64204,HEN64304,HEN643164,HEN643324,HEN643484,HEN04103,HEN04113,HEN04123,HEN08103,HEN08113,HEN08123,HEN08143,HEN16103,HEN16123,HEN16143,HEN16163,HEN04103L,HEN08103L,HEN16103L,HEN32103L.

Metrics

CVSS 3.1
5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Probability
1.83%

76.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
HoneywellHbd3pr2 FirmwareAll versions
HoneywellH4d3prv3 FirmwareAll versions
HoneywellHed3pr3 FirmwareAll versions
HoneywellH4d3prv2 FirmwareAll versions
HoneywellHbd3pr1 FirmwareAll versions
HoneywellH4w8pr2 FirmwareAll versions
HoneywellHbw8pr2 FirmwareAll versions
HoneywellH2w2pc1m FirmwareAll versions
HoneywellH2w4per3 FirmwareAll versions
HoneywellH2w2per3 FirmwareAll versions
HoneywellHew2per3 FirmwareAll versions
HoneywellHew4per3b FirmwareAll versions
HoneywellHbw2per1 FirmwareAll versions
HoneywellHew4per2 FirmwareAll versions
HoneywellHew4per2b FirmwareAll versions
HoneywellHew2per2 FirmwareAll versions
HoneywellH4w2per2 FirmwareAll versions
HoneywellHbw2per2 FirmwareAll versions
HoneywellH4w2per3 FirmwareAll versions
HoneywellHpw2p1 FirmwareAll versions
HoneywellHen08104 FirmwareAll versions
HoneywellHen08144 FirmwareAll versions
HoneywellHen081124 FirmwareAll versions
HoneywellHen16104 FirmwareAll versions
HoneywellHen16144 FirmwareAll versions
HoneywellHen16184 FirmwareAll versions
HoneywellHen16204 FirmwareAll versions
HoneywellHen162244 FirmwareAll versions
HoneywellHen16284 FirmwareAll versions
HoneywellHen16304 FirmwareAll versions
HoneywellHen16384 FirmwareAll versions
HoneywellHen32104 FirmwareAll versions
HoneywellHen321124 FirmwareAll versions
HoneywellHen32204 FirmwareAll versions
HoneywellHen32284 FirmwareAll versions
HoneywellHen322164 FirmwareAll versions
HoneywellHen32304 FirmwareAll versions
HoneywellHen32384 FirmwareAll versions
HoneywellHen323164 FirmwareAll versions
HoneywellHen64204 FirmwareAll versions
HoneywellHen64304 FirmwareAll versions
HoneywellHen643164 FirmwareAll versions
HoneywellHen643324 FirmwareAll versions
HoneywellHen643484 FirmwareAll versions
HoneywellHen04103 FirmwareAll versions
HoneywellHen04113 FirmwareAll versions
HoneywellHen04123 FirmwareAll versions
HoneywellHen08103 FirmwareAll versions
HoneywellHen08113 FirmwareAll versions
HoneywellHen08123 FirmwareAll versions

Showing 50 of 59 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2019-13523?
In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), which can be accessed without authentication over the network. Affected performance IP Cameras: HBD3PR2,H4D3PRV3,HED3PR3,H4D3PRV2,HBD3PR1,H4W8PR2,HBW8PR2,H2W2PC1M,H2W4PER3,H2W2PER3,HEW2PER3,HEW4PER3B,HBW2PER1,HEW4PER2,HEW4PER2B,HEW2PER2,H4W2PER2,HBW2PER2,H4W2PER3, and HPW2P1. Affected Performance Series NVRs: HEN08104,HEN08144,HEN081124,HEN16104,HEN16144,HEN16184,HEN16204,HEN162244,HEN16284,HEN16304,HEN16384,HEN32104,HEN321124,HEN32204,HEN32284,HEN322164,HEN32304, HEN32384,HEN323164,HEN64204,HEN64304,HEN643164,HEN643324,HEN643484,HEN04103,HEN04113,HEN04123,HEN08103,HEN08113,HEN08123,HEN08143,HEN16103,HEN16123,HEN16143,HEN16163,HEN04103L,HEN08103L,HEN16103L,HEN32103L.
How severe is CVE-2019-13523?
CVE-2019-13523 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 1.83% probability of exploitation in the next 30 days.
How do I fix CVE-2019-13523?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-13523?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST