CVE-2019-12254 CRITICAL

CVE-2019-12254: TECSON/GOK: Improper Authentication and Access Control on multiple devices

Vendor Tecson
Product e-litro net
Weakness CWE-287 · Improper authentication
Published May 6, 2022
Last update September 16, 2024

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

In multiple Tecson Tankspion and GOK's SmartBox 4 products, the affected application does not properly restrict access to the endpoint responsible for saving settings: it is reachable by an unauthenticated user who should have only limited access rights. Because the access-control rules are not adequately implemented, a malicious user who requests a specific uniform resource locator (URL) on the device's web server can change the application settings without authenticating at all, bypassing the ACL rules the product was meant to enforce.
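The pattern behind this record is a state-changing endpoint that the access-control layer simply does not cover. The following is an added illustration, not code from the Tecson/GOK firmware or from this advisory: a tiny in-process dispatcher in which the login check is an allow-list of "protected" paths and the settings-save route was never added to it, beside a deny-by-default version in which every route declares the role and HTTP method it requires. The paths (/settings/save, /settings/view), role names, request shape and sample settings are all constructed for the example.

```python
"""Added example for CVE-2019-12254 (CWE-287): a settings-save endpoint that
escapes the access-control rules, and a deny-by-default dispatcher that fixes it.
All paths, roles and sample data below are constructed assumptions, not taken
from the affected products."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str] = None           # None means no authenticated session
    role: Optional[str] = None           # constructed roles: "viewer" or "admin"
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


def default_settings() -> Dict[str, str]:
    """Constructed sample of a device's persisted settings."""
    return {"alarm_threshold": "80", "ntp_server": "pool.ntp.org"}


def save_settings(req: Request, store: Dict[str, str]) -> Response:
    store.update(req.form)
    return Response(200, "saved")


def show_settings(req: Request, store: Dict[str, str]) -> Response:
    return Response(200, ";".join(f"{k}={v}" for k, v in sorted(store.items())))


# --- Vulnerable dispatch ------------------------------------------------------
# Authentication is enforced only for paths listed in PROTECTED_PATHS. The
# settings-save route (hypothetical path) exists in the route table but was
# never added to the protected list, so the login check is skipped for it.
PROTECTED_PATHS = {"/settings/view"}

VULN_ROUTES: Dict[str, Callable[[Request, Dict[str, str]], Response]] = {
    "/settings/view": show_settings,
    "/settings/save": save_settings,
}


def vulnerable_dispatch(req: Request, store: Dict[str, str]) -> Response:
    if req.path in PROTECTED_PATHS and req.user is None:
        return Response(401, "login required")
    handler = VULN_ROUTES.get(req.path)
    return handler(req, store) if handler else Response(404, "not found")


# --- Hardened dispatch --------------------------------------------------------
# Every route declares the minimum role and the HTTP method it accepts. The
# dispatcher refuses undeclared routes, checks authentication before
# authorization, and rejects state-changing requests that are not POST, so a
# handler cannot be reached by a client the rules never considered.
ROLE_RANK = {"viewer": 1, "admin": 2}

HARDENED_ROUTES: Dict[str, Tuple[Callable[[Request, Dict[str, str]], Response], str, str]] = {
    "/settings/view": (show_settings, "viewer", "GET"),
    "/settings/save": (save_settings, "admin", "POST"),
}


def hardened_dispatch(req: Request, store: Dict[str, str]) -> Response:
    entry = HARDENED_ROUTES.get(req.path)
    if entry is None:
        return Response(404, "not found")
    handler, required_role, method = entry
    if req.user is None:
        return Response(401, "login required")
    if req.method != method:
        return Response(405, "method not allowed")
    if ROLE_RANK.get(req.role or "", 0) < ROLE_RANK[required_role]:
        return Response(403, "forbidden")
    return handler(req, store)


def demo() -> Dict[str, object]:
    """Send the same unauthenticated settings write through both dispatchers."""
    attack = Request("POST", "/settings/save", form={"ntp_server": "attacker.example"})
    vuln_store, hard_store = default_settings(), default_settings()
    vuln = vulnerable_dispatch(attack, vuln_store)
    hard = hardened_dispatch(attack, hard_store)
    return {
        "vulnerable_status": vuln.status,
        "vulnerable_ntp": vuln_store["ntp_server"],
        "hardened_status": hard.status,
        "hardened_ntp": hard_store["ntp_server"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is structural rather than a single missing `if`: because the rule set is consulted for every route and rejects anything it does not know about, adding a new handler without an access rule fails closed instead of silently becoming reachable, which is the failure mode the description attributes to the affected devices.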

Key dates

02 Disclosure timeline

May 6, 2022 CVE published
September 16, 2024 Record updated