IronMonkey Threat Research

CVE-2015-7907 HIGH

Published: 2015-12-21 | Last Modified: 2026-06-17 | Status: Modified

Description

Directory traversal vulnerability in the web server on Honeywell Midas gas detectors before 1.13b3 and Midas Black gas detectors before 2.13b3 allows remote attackers to bypass authentication, and write to a configuration file or trigger a calibration or test, via unspecified vectors.

Additional Descriptions (1)

Directory traversal vulnerability in the web server on Honeywell Midas gas detectors in versions before 1.13b3 and on Midas Black gas detectors in versions before 2.13b3 allows remote attackers to bypass authentication and write to a configuration file or trigger a calibration or a test via unspecified vectors.

CVSS Metrics

Base Score: 6.4 (MEDIUM)

AV:N/AC:L/Au:N/C:N/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Source: [email protected]

Type: Primary

Exploitability Score: 10.0

Impact Score: 4.9

Weaknesses

Source Type Description
[email protected] Primary CWE-22 (en)

Affected Products

Vendor Product Version Update Type
honeywell midas_black_firmware * Operating System
honeywell midas_firmware * Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:honeywell:midas_black_firmware:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:honeywell:midas_firmware:*:*:*:*:*:*:*:*

References
