CVE-2019-15654
Last modified
CVE-2019-15654 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Comba AC2400 devices are prone to password disclosure via a simple crafted /09/business/upgrade/upcfgAction.php?download=true request to the web management server. The request doesn't require any authentication and will lead to saving the DBconfig.cfg file. EPSS estimates a 1.55% chance of exploitation in the next 30 days.
Description
Comba AC2400 devices are prone to password disclosure via a simple crafted /09/business/upgrade/upcfgAction.php?download=true request to the web management server. The request doesn't require any authentication and will lead to saving the DBconfig.cfg file. At the end of the file, the login information is stored in cleartext.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Comba | Ac2400 Firmware | All versions |
References
- https://www.comba-telecom.com/en/newsVendor Advisory
- https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=26164Exploit, Third Party Advisory
- https://www.comba-telecom.com/en/newsVendor Advisory
- https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=26164Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-15654?
How severe is CVE-2019-15654?
How do I fix CVE-2019-15654?
Are you affected by CVE-2019-15654?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST