CVE-2019-5135

An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP crypt() function which can be exploited to disclose hashed user credentials. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12).

Published: Mar 11, 2020
Updated: Apr 13, 2023
CVE: CVE-2019-5135
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-327

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
wago / pfc200_firmware	03.00.39(12)	03.00.39(12).x
wago / pfc200_firmware	03.01.07(13)	03.01.07(13).x
wago / pfc100_firmware	03.00.39(12)	03.00.39(12).x

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0924

Vulnerability Database

289,784

CVE-2019-5135