VAR-201608-0084
Vulnerability from variot - Updated: 2025-04-13 23:21

Multiple cross-site request forgery (CSRF) vulnerabilities on Crestron Electronics DM-TXRX-100-STR devices with firmware through 1.3039.00040 allow remote attackers to hijack the authentication of arbitrary users. These vulnerabilities may be leveraged to gain complete control of affected devices. Crestron Electronics DM-TXRX-100-STR is prone to the following security vulnerabilities:
1. Multiple authentication-bypass vulnerabilities
2. Multiple security-bypass vulnerabilities
3. A cross-site request-forgery vulnerability
An attacker can exploit these issues to bypass certain security restrictions, perform certain unauthorized actions, bypass the authentication mechanism and compromise the application; this may aid in further attacks.
Crestron Electronics DM-TXRX-100-STR version 1.2866.00026 and prior versions are vulnerable. Crestron Electronics DM-TXRX-100-STR is a stream encoder/decoder product from Crestron Electronics, USA. A remote attacker could exploit this vulnerability to perform unauthorized operations.

Note: this description is aggregated from several source databases, and the two affected-firmware ranges quoted above (through 1.3039.00040, and 1.2866.00026 and prior) do not agree; confirm the fixed firmware release against the vendor's firmware resource before treating a device as patched.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201608-0084",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dm-txrx-100-str",
"scope": "lte",
"trust": 1.0,
"vendor": "crestron",
"version": "1.2866.00026"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "crestron",
"version": null
},
{
"model": "dm-txrx-100-str",
"scope": null,
"trust": 0.8,
"vendor": "crestron",
"version": null
},
{
"model": "dm-txrx-100-str",
"scope": "lte",
"trust": 0.8,
"vendor": "crestron",
"version": "1.3039.00040"
},
{
"model": "dm-txrx-100-str",
"scope": "eq",
"trust": 0.6,
"vendor": "crestron",
"version": "1.2866.00026"
},
{
"model": "electronics dm-txrx-100-str",
"scope": "eq",
"trust": 0.3,
"vendor": "crestron",
"version": "1.2866.00026"
},
{
"model": "electronics dm-txrx-100-str",
"scope": "ne",
"trust": 0.3,
"vendor": "crestron",
"version": "1.3039.00040"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#974424"
},
{
"db": "BID",
"id": "92211"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004135"
},
{
"db": "CNNVD",
"id": "CNNVD-201608-008"
},
{
"db": "NVD",
"id": "CVE-2016-5671"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/h:crestron:dm-txrx-100-str",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:crestron:dm-txrx-100-str_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-004135"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Carsten Eiram of Risk Based Security",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201608-008"
}
],
"trust": 0.6
},
"cve": "CVE-2016-5671",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2016-5671",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-94490",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2016-5671",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2016-5671",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2016-5671",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201608-008",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-94490",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-94490"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004135"
},
{
"db": "CNNVD",
"id": "CNNVD-201608-008"
},
{
"db": "NVD",
"id": "CVE-2016-5671"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Multiple cross-site request forgery (CSRF) vulnerabilities on Crestron Electronics DM-TXRX-100-STR devices with firmware through 1.3039.00040 allow remote attackers to hijack the authentication of arbitrary users. These vulnerabilities may be leveraged to gain complete control of affected devices. Crestron Electronics DM-TXRX-100-STR is prone to the following multiple security vulnerabilities:\n1. Multiple authentication-bypass vulnerabilities\n2. Multiple security-bypass vulnerabilities\n3. A cross-site request-forgery vulnerability\nAn attacker can exploit these issues to bypass certain security restrictions, perform certain unauthorized actions , bypass the authentication mechanism and compromise the application; This may aid in further attacks. \nCrestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and prior versions are vulnerable. Crestron Electronics DM-TXRX-100-STR is a stream encoder/decoder product from Crestron Electronics, USA. A remote attacker could exploit this vulnerability to perform unauthorized operations",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-5671"
},
{
"db": "CERT/CC",
"id": "VU#974424"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004135"
},
{
"db": "BID",
"id": "92211"
},
{
"db": "VULHUB",
"id": "VHN-94490"
}
],
"trust": 2.7
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#974424",
"trust": 3.6
},
{
"db": "NVD",
"id": "CVE-2016-5671",
"trust": 2.8
},
{
"db": "BID",
"id": "92211",
"trust": 1.4
},
{
"db": "JVN",
"id": "JVNVU93291811",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004135",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201608-008",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-94490",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#974424"
},
{
"db": "VULHUB",
"id": "VHN-94490"
},
{
"db": "BID",
"id": "92211"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004135"
},
{
"db": "CNNVD",
"id": "CNNVD-201608-008"
},
{
"db": "NVD",
"id": "CVE-2016-5671"
}
]
},
"id": "VAR-201608-0084",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-94490"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-13T23:21:06.826000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "DM-TXRX-100-STR",
"trust": 0.8,
"url": "https://www.crestron.com/downloads/pdf/spec_sheets/commercial_and_residential/dm-txrx-100-str.pdf"
},
{
"title": "Resource Library",
"trust": 0.8,
"url": "http://www.crestron.com/resources/resource-library/firmware"
},
{
"title": "Crestron Electronics DM-TXRX-100-STR Fixes for cross-site request forgery vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63409"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-004135"
},
{
"db": "CNNVD",
"id": "CNNVD-201608-008"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-352",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-94490"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004135"
},
{
"db": "NVD",
"id": "CVE-2016-5671"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.8,
"url": "http://www.kb.cert.org/vuls/id/974424"
},
{
"trust": 1.1,
"url": "https://www.crestron.com/downloads/pdf/spec_sheets/commercial_and_residential/dm-txrx-100-str.pdf"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/bid/92211"
},
{
"trust": 0.8,
"url": "https://cwe.mitre.org/data/definitions/603.html"
},
{
"trust": 0.8,
"url": "http://cwe.mitre.org/data/definitions/425.html"
},
{
"trust": 0.8,
"url": "https://cwe.mitre.org/data/definitions/306.html"
},
{
"trust": 0.8,
"url": "https://cwe.mitre.org/data/definitions/321.html"
},
{
"trust": 0.8,
"url": "https://cwe.mitre.org/data/definitions/255.html"
},
{
"trust": 0.8,
"url": "https://cwe.mitre.org/data/definitions/352.html"
},
{
"trust": 0.8,
"url": "https://www.crestron.com/resources/resource-library/firmware"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5671"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu93291811/"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-5671"
},
{
"trust": 0.8,
"url": "http://www.kb.cert.org/vuls/id/bluu-a9cmty"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#974424"
},
{
"db": "VULHUB",
"id": "VHN-94490"
},
{
"db": "BID",
"id": "92211"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004135"
},
{
"db": "CNNVD",
"id": "CNNVD-201608-008"
},
{
"db": "NVD",
"id": "CVE-2016-5671"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#974424"
},
{
"db": "VULHUB",
"id": "VHN-94490"
},
{
"db": "BID",
"id": "92211"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004135"
},
{
"db": "CNNVD",
"id": "CNNVD-201608-008"
},
{
"db": "NVD",
"id": "CVE-2016-5671"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-08-01T00:00:00",
"db": "CERT/CC",
"id": "VU#974424"
},
{
"date": "2016-08-03T00:00:00",
"db": "VULHUB",
"id": "VHN-94490"
},
{
"date": "2016-08-01T00:00:00",
"db": "BID",
"id": "92211"
},
{
"date": "2016-08-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-004135"
},
{
"date": "2016-08-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201608-008"
},
{
"date": "2016-08-03T01:59:10.117000",
"db": "NVD",
"id": "CVE-2016-5671"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-08-01T00:00:00",
"db": "CERT/CC",
"id": "VU#974424"
},
{
"date": "2016-08-16T00:00:00",
"db": "VULHUB",
"id": "VHN-94490"
},
{
"date": "2016-08-01T00:00:00",
"db": "BID",
"id": "92211"
},
{
"date": "2016-08-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-004135"
},
{
"date": "2016-08-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201608-008"
},
{
"date": "2025-04-12T10:46:40.837000",
"db": "NVD",
"id": "CVE-2016-5671"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201608-008"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Crestron Electronics DM-TXRX-100-STR web interface contains multiple vulnerabilities",
"sources": [
{
"db": "CERT/CC",
"id": "VU#974424"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "cross-site request forgery",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201608-008"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.