Pb610 Panel Builder 600 Firmware
CVE-2019-7228
HIGH
Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
The ABB IDAL HTTP server mishandles format strings in a username or cookie during the authentication process. Attempting to authenticate with the username %25s%25p%25x%25n will crash the server. Sending %08x.AAAA.%08x.%08x will log memory content from the stack.
AnalysisAI
The ABB IDAL HTTP server mishandles format strings in a username or cookie during the authentication process. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-134. The ABB IDAL HTTP server mishandles format strings in a username or cookie during the authentication process. Attempting to authenticate with the username %25s%25p%25x%25n will crash the server. Sending %08x.AAAA.%08x.%08x will log memory content from the stack. Affected products include: Abb Pb610 Panel Builder 600 Firmware.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
The ABB IDAL HTTP server CGI interface contains a URL that allows an unauthenticated attacker to bypass authentication a
The ABB IDAL HTTP server is vulnerable to a buffer overflow when a long Host header is sent in a web request. Rated high
The ABB IDAL FTP server mishandles format strings in a username during the authentication process. Rated high severity (
In the ABB IDAL FTP server, an authenticated attacker can traverse to arbitrary directories on the hard disk with "CWD .
The ABB IDAL FTP server is vulnerable to a buffer overflow when a long string is sent by an authenticated attacker. Rate
Same weakness CWE-134 – Use of Externally-Controlled Format String
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today