Search
Find a vulnerability
Search criteria
16 vulnerabilities found for weather_microserver_firmware by columbiaweather
CVE-2025-66620 (GCVE-0-2025-66620)
Vulnerability from nvd – Published: 2026-01-07 20:08 – Updated: 2026-01-07 20:16
VLAI
Title
Columbia Weather Systems MicroServer Command Shell in Externally Accessible Directory
Summary
An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-553 - Command Shell in Externally Accessible Directory
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Columbia Weather Systems | MicroServer |
Affected:
0 , < MS_4.1_14142
(custom)
|
Date Public
2026-01-06 18:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66620",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-07T20:15:31.661579Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T20:16:28.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MicroServer",
"vendor": "Columbia Weather Systems",
"versions": [
{
"lessThan": "MS_4.1_14142",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "UsrPacific/Columbia Weather Systems reported these vulnerabilities to CISA."
}
],
"datePublic": "2026-01-06T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(250, 250, 250);\"\u003eAn unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(250, 250, 250);\"\u003ewith admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system.\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-553",
"description": "CWE-553 Command Shell in Externally Accessible Directory",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T20:08:33.137Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Columbia Weather Systems recommends users update the MicroServer \nfirmware to version MS_4.1_14142 or later. To obtain the update, users \nshould contact Columbia Weather Systems Support directly via email \n(support@columbiaweather.com) or phone (503-629-0887) for assistance.\n\n\n\n\u003cbr\u003e"
}
],
"value": "Columbia Weather Systems recommends users update the MicroServer \nfirmware to version MS_4.1_14142 or later. To obtain the update, users \nshould contact Columbia Weather Systems Support directly via email \n(support@columbiaweather.com) or phone (503-629-0887) for assistance."
}
],
"source": {
"advisory": "ICSA-26-006-01",
"discovery": "EXTERNAL"
},
"title": "Columbia Weather Systems MicroServer Command Shell in Externally Accessible Directory",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-66620",
"datePublished": "2026-01-07T20:08:33.137Z",
"dateReserved": "2025-12-08T19:17:55.938Z",
"dateUpdated": "2026-01-07T20:16:28.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61939 (GCVE-0-2025-61939)
Vulnerability from nvd – Published: 2026-01-07 19:56 – Updated: 2026-01-07 20:07
VLAI
Title
Columbia Weather Systems MicroServer Improper Restriction of Communication Channel to Intended Endpoints
Summary
An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Columbia Weather Systems | MicroServer |
Affected:
0 , < MS_4.1_14142
(custom)
|
Date Public
2026-01-06 18:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61939",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-07T20:07:25.547287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T20:07:45.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MicroServer",
"vendor": "Columbia Weather Systems",
"versions": [
{
"lessThan": "MS_4.1_14142",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "UsrPacific/Columbia Weather Systems reported these vulnerabilities to CISA."
}
],
"datePublic": "2026-01-06T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device.\u003c/span\u003e"
}
],
"value": "An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-923",
"description": "CWE-923 Improper Restriction of Communication Channel to Intended Endpoints",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T19:56:52.386Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Columbia Weather Systems recommends users update the MicroServer firmware to version MS_4.1_14142 or later. To obtain the update, users should contact Columbia Weather Systems Support directly via email (support@columbiaweather.com) or phone (503-629-0887) for assistance."
}
],
"value": "Columbia Weather Systems recommends users update the MicroServer firmware to version MS_4.1_14142 or later. To obtain the update, users should contact Columbia Weather Systems Support directly via email (support@columbiaweather.com) or phone (503-629-0887) for assistance."
}
],
"source": {
"advisory": "ICSA-26-006-01",
"discovery": "EXTERNAL"
},
"title": "Columbia Weather Systems MicroServer Improper Restriction of Communication Channel to Intended Endpoints",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-61939",
"datePublished": "2026-01-07T19:56:52.386Z",
"dateReserved": "2025-12-08T19:17:55.922Z",
"dateUpdated": "2026-01-07T20:07:45.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-18878 (GCVE-0-2018-18878)
Vulnerability from nvd – Published: 2019-06-18 14:03 – Updated: 2024-08-05 11:23
VLAI
Summary
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, the BACnet daemon does not properly validate input, which could allow a remote attacker to send specially crafted packets causing the device to become unavailable.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://applied-risk.com/labs/advisories | x_refsource_MISC |
| https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.299Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, the BACnet daemon does not properly validate input, which could allow a remote attacker to send specially crafted packets causing the device to become unavailable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T14:03:35.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18878",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, the BACnet daemon does not properly validate input, which could allow a remote attacker to send specially crafted packets causing the device to become unavailable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18878",
"datePublished": "2019-06-18T14:03:35.000Z",
"dateReserved": "2018-10-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T11:23:08.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-18877 (GCVE-0-2018-18877)
Vulnerability from nvd – Published: 2019-06-18 14:26 – Updated: 2024-08-05 11:23
VLAI
Summary
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can access an alternative configuration page config_main.php that allows manipulation of the device.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://applied-risk.com/labs/advisories | x_refsource_MISC |
| https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.314Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can access an alternative configuration page config_main.php that allows manipulation of the device."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T14:26:17.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18877",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can access an alternative configuration page config_main.php that allows manipulation of the device."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18877",
"datePublished": "2019-06-18T14:26:17.000Z",
"dateReserved": "2018-10-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T11:23:08.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-18876 (GCVE-0-2018-18876)
Vulnerability from nvd – Published: 2019-06-18 14:27 – Updated: 2024-08-05 11:23
VLAI
Summary
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a readouts_rd.php directory traversal issue makes it possible to read any file present on the underlying operating system.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://applied-risk.com/labs/advisories | x_refsource_MISC |
| https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a readouts_rd.php directory traversal issue makes it possible to read any file present on the underlying operating system."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T14:27:40.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18876",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a readouts_rd.php directory traversal issue makes it possible to read any file present on the underlying operating system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18876",
"datePublished": "2019-06-18T14:27:40.000Z",
"dateReserved": "2018-10-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T11:23:08.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-18875 (GCVE-0-2018-18875)
Vulnerability from nvd – Published: 2019-06-18 14:29 – Updated: 2024-08-05 11:23
VLAI
Summary
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://applied-risk.com/labs/advisories | x_refsource_MISC |
| https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.317Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T14:29:39.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18875",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18875",
"datePublished": "2019-06-18T14:29:39.000Z",
"dateReserved": "2018-10-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T11:23:08.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-18880 (GCVE-0-2018-18880)
Vulnerability from nvd – Published: 2019-06-18 13:20 – Updated: 2024-08-05 11:23
VLAI
Summary
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a networkdiags.php reflected Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://applied-risk.com/labs/advisories | x_refsource_MISC |
| https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a networkdiags.php reflected Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T13:20:05.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18880",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a networkdiags.php reflected Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18880",
"datePublished": "2019-06-18T13:20:05.000Z",
"dateReserved": "2018-10-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T11:23:08.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-18879 (GCVE-0-2018-18879)
Vulnerability from nvd – Published: 2019-06-18 14:00 – Updated: 2024-08-05 11:23
VLAI
Summary
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system as user input is not sanitized in networkdiags.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://applied-risk.com/labs/advisories | x_refsource_MISC |
| https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.264Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system as user input is not sanitized in networkdiags.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T14:00:08.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18879",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system as user input is not sanitized in networkdiags.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18879",
"datePublished": "2019-06-18T14:00:08.000Z",
"dateReserved": "2018-10-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T11:23:08.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-66620 (GCVE-0-2025-66620)
Vulnerability from cvelistv5 – Published: 2026-01-07 20:08 – Updated: 2026-01-07 20:16
VLAI
Title
Columbia Weather Systems MicroServer Command Shell in Externally Accessible Directory
Summary
An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-553 - Command Shell in Externally Accessible Directory
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Columbia Weather Systems | MicroServer |
Affected:
0 , < MS_4.1_14142
(custom)
|
Date Public
2026-01-06 18:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66620",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-07T20:15:31.661579Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T20:16:28.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MicroServer",
"vendor": "Columbia Weather Systems",
"versions": [
{
"lessThan": "MS_4.1_14142",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "UsrPacific/Columbia Weather Systems reported these vulnerabilities to CISA."
}
],
"datePublic": "2026-01-06T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(250, 250, 250);\"\u003eAn unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(250, 250, 250);\"\u003ewith admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system.\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-553",
"description": "CWE-553 Command Shell in Externally Accessible Directory",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T20:08:33.137Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Columbia Weather Systems recommends users update the MicroServer \nfirmware to version MS_4.1_14142 or later. To obtain the update, users \nshould contact Columbia Weather Systems Support directly via email \n(support@columbiaweather.com) or phone (503-629-0887) for assistance.\n\n\n\n\u003cbr\u003e"
}
],
"value": "Columbia Weather Systems recommends users update the MicroServer \nfirmware to version MS_4.1_14142 or later. To obtain the update, users \nshould contact Columbia Weather Systems Support directly via email \n(support@columbiaweather.com) or phone (503-629-0887) for assistance."
}
],
"source": {
"advisory": "ICSA-26-006-01",
"discovery": "EXTERNAL"
},
"title": "Columbia Weather Systems MicroServer Command Shell in Externally Accessible Directory",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-66620",
"datePublished": "2026-01-07T20:08:33.137Z",
"dateReserved": "2025-12-08T19:17:55.938Z",
"dateUpdated": "2026-01-07T20:16:28.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61939 (GCVE-0-2025-61939)
Vulnerability from cvelistv5 – Published: 2026-01-07 19:56 – Updated: 2026-01-07 20:07
VLAI
Title
Columbia Weather Systems MicroServer Improper Restriction of Communication Channel to Intended Endpoints
Summary
An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Columbia Weather Systems | MicroServer |
Affected:
0 , < MS_4.1_14142
(custom)
|
Date Public
2026-01-06 18:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61939",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-07T20:07:25.547287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T20:07:45.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MicroServer",
"vendor": "Columbia Weather Systems",
"versions": [
{
"lessThan": "MS_4.1_14142",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "UsrPacific/Columbia Weather Systems reported these vulnerabilities to CISA."
}
],
"datePublic": "2026-01-06T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device.\u003c/span\u003e"
}
],
"value": "An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-923",
"description": "CWE-923 Improper Restriction of Communication Channel to Intended Endpoints",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T19:56:52.386Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Columbia Weather Systems recommends users update the MicroServer firmware to version MS_4.1_14142 or later. To obtain the update, users should contact Columbia Weather Systems Support directly via email (support@columbiaweather.com) or phone (503-629-0887) for assistance."
}
],
"value": "Columbia Weather Systems recommends users update the MicroServer firmware to version MS_4.1_14142 or later. To obtain the update, users should contact Columbia Weather Systems Support directly via email (support@columbiaweather.com) or phone (503-629-0887) for assistance."
}
],
"source": {
"advisory": "ICSA-26-006-01",
"discovery": "EXTERNAL"
},
"title": "Columbia Weather Systems MicroServer Improper Restriction of Communication Channel to Intended Endpoints",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-61939",
"datePublished": "2026-01-07T19:56:52.386Z",
"dateReserved": "2025-12-08T19:17:55.922Z",
"dateUpdated": "2026-01-07T20:07:45.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-18875 (GCVE-0-2018-18875)
Vulnerability from cvelistv5 – Published: 2019-06-18 14:29 – Updated: 2024-08-05 11:23
VLAI
Summary
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://applied-risk.com/labs/advisories | x_refsource_MISC |
| https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.317Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T14:29:39.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18875",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18875",
"datePublished": "2019-06-18T14:29:39.000Z",
"dateReserved": "2018-10-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T11:23:08.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-18876 (GCVE-0-2018-18876)
Vulnerability from cvelistv5 – Published: 2019-06-18 14:27 – Updated: 2024-08-05 11:23
VLAI
Summary
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a readouts_rd.php directory traversal issue makes it possible to read any file present on the underlying operating system.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://applied-risk.com/labs/advisories | x_refsource_MISC |
| https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a readouts_rd.php directory traversal issue makes it possible to read any file present on the underlying operating system."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T14:27:40.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18876",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a readouts_rd.php directory traversal issue makes it possible to read any file present on the underlying operating system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18876",
"datePublished": "2019-06-18T14:27:40.000Z",
"dateReserved": "2018-10-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T11:23:08.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-18877 (GCVE-0-2018-18877)
Vulnerability from cvelistv5 – Published: 2019-06-18 14:26 – Updated: 2024-08-05 11:23
VLAI
Summary
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can access an alternative configuration page config_main.php that allows manipulation of the device.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://applied-risk.com/labs/advisories | x_refsource_MISC |
| https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.314Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can access an alternative configuration page config_main.php that allows manipulation of the device."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T14:26:17.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18877",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can access an alternative configuration page config_main.php that allows manipulation of the device."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18877",
"datePublished": "2019-06-18T14:26:17.000Z",
"dateReserved": "2018-10-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T11:23:08.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-18878 (GCVE-0-2018-18878)
Vulnerability from cvelistv5 – Published: 2019-06-18 14:03 – Updated: 2024-08-05 11:23
VLAI
Summary
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, the BACnet daemon does not properly validate input, which could allow a remote attacker to send specially crafted packets causing the device to become unavailable.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://applied-risk.com/labs/advisories | x_refsource_MISC |
| https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.299Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, the BACnet daemon does not properly validate input, which could allow a remote attacker to send specially crafted packets causing the device to become unavailable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T14:03:35.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18878",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, the BACnet daemon does not properly validate input, which could allow a remote attacker to send specially crafted packets causing the device to become unavailable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18878",
"datePublished": "2019-06-18T14:03:35.000Z",
"dateReserved": "2018-10-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T11:23:08.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-18879 (GCVE-0-2018-18879)
Vulnerability from cvelistv5 – Published: 2019-06-18 14:00 – Updated: 2024-08-05 11:23
VLAI
Summary
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system as user input is not sanitized in networkdiags.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://applied-risk.com/labs/advisories | x_refsource_MISC |
| https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.264Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system as user input is not sanitized in networkdiags.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T14:00:08.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18879",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system as user input is not sanitized in networkdiags.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18879",
"datePublished": "2019-06-18T14:00:08.000Z",
"dateReserved": "2018-10-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T11:23:08.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-18880 (GCVE-0-2018-18880)
Vulnerability from cvelistv5 – Published: 2019-06-18 13:20 – Updated: 2024-08-05 11:23
VLAI
Summary
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a networkdiags.php reflected Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://applied-risk.com/labs/advisories | x_refsource_MISC |
| https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a networkdiags.php reflected Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-18T13:20:05.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://applied-risk.com/labs/advisories"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18880",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a networkdiags.php reflected Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://applied-risk.com/labs/advisories",
"refsource": "MISC",
"url": "https://applied-risk.com/labs/advisories"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18880",
"datePublished": "2019-06-18T13:20:05.000Z",
"dateReserved": "2018-10-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T11:23:08.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}