CVE-2019-9105

The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Small 05.01 build 1137 devices allows remote attackers to make several types of API calls without authentication, as demonstrated by retrieving password hashes via an inc/utils/REST_API.php?command=CallAPI&customurl=alladminusers call.

Published: Jun 1, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-9105
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-306

Affected Software
References

Software	From	Fixed in
saet / tebe_small_firmware	05.01-1137	05.01-1137.x
saet / webapp	04.68	04.68.x

https://members.backbox.org/saet-tebe-small-supervisor-multiple-vulnerabilities/
https://www.saet.org/wp-content/uploads/2017/04/Depliant_TEBE-TEBE_Small.pdf

Vulnerability Database

CVE-2019-9105