CVE-2017-7240
Severity CVSS v4.0:
Pending analysis
Type:
CWE-22
Path Traversal
Publication date:
24/03/2017
Last modified:
20/04/2025
Description
An issue was discovered on Miele Professional PST10 devices. The corresponding embedded webserver "PST10 WebServer" typically listens to port 80 and is prone to a directory traversal attack; therefore, an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks. A Proof of Concept is GET /../../../../../../../../../../../../etc/shadow HTTP/1.1. This affects PG8527 devices 2.02 before 2.12, PG8527 devices 2.51 before 2.61, PG8527 devices 2.52 before 2.62, PG8527 devices 2.54 before 2.64, PG8528 devices 2.02 before 2.12, PG8528 devices 2.51 before 2.61, PG8528 devices 2.52 before 2.62, PG8528 devices 2.54 before 2.64, PG8535 devices 1.00 before 1.10, PG8535 devices 1.04 before 1.14, PG8536 devices 1.10 before 1.20, and PG8536 devices 1.14 before 1.24.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:miele_professional:pst10_webserver:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:miele_professional:pg_8528:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://seclists.org/fulldisclosure/2017/Mar/63
- http://www.securityfocus.com/bid/97080
- https://ics-cert.us-cert.gov/advisories/ICSA-17-138-01
- https://www.exploit-db.com/exploits/41718/
- https://www.miele.de/en/m/miele-admits-communication-glitch-4072.htm
- http://seclists.org/fulldisclosure/2017/Mar/63
- http://www.securityfocus.com/bid/97080
- https://ics-cert.us-cert.gov/advisories/ICSA-17-138-01
- https://www.exploit-db.com/exploits/41718/
- https://www.miele.de/en/m/miele-admits-communication-glitch-4072.htm