CVE-2019-7590
Severity CVSS v4.0:
Pending analysis
Type:
CWE-428
Unquoted Search Path or Element
Publication date:
19/07/2019
Last modified:
10/02/2020
Description
ExacqVision Server’s services 'exacqVisionServer', 'dvrdhcpserver' and 'mdnsresponder' have an unquoted service path. If an authenticated user is able to insert code in their system root path it potentially can be executed during the application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies, Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies, Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies, Inc. exacqVision Server versions prior to 8.4.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Base Score 2.0
4.60
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:johnsoncontrols:exacqvision_server:9.6:*:*:*:*:*:*:* | ||
| cpe:2.3:a:johnsoncontrols:exacqvision_server:9.8:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://www.securityfocus.com/bid/109307
- https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341
- https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html
- https://www.johnsoncontrols.com/cyber-solutions/security-advisories
- https://www.us-cert.gov/ics/advisories/icsa-19-199-01
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php