Fujitsu Eternus Storage DX200 S4 Broken Authentication

CVE: CVE-2020-29127
Category: CWE-287
Price: $10,000
Severity: High
Author: Anonymous
Risk: High
Exploitation Type: Remote
Date: 2020-11-26
CPE: cpe:/h:fujitsu:eternus_storage_dx200_s4
CVSS: CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSS Percentile (EPSSP): 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020110215

Below is a copy:

# Title: Fujitsu Eternus Storage DX200 S4 Broken Authentication
# Author: Seccops (https://seccops.com)
# Vendor Homepage: https://www.fujitsu.com/global/products/computing/storage/disk/eternus-dx/
# Version: Fujitsu Eternus Storage DX200 S4 devices through 2020-11-25
# Classifications: OWASP: A2:2017-Broken Authentication, CWEs: CWE-287 & CWE-1028
# CVE: CVE-2020-29127


=== Description ===

An issue was discovered on Fujitsu Eternus Storage DX200 S4 devices through 2020-11-25. After logging into the portal as the "root" user from any web browser, the portal can be accessed with "root" privileges when the URI "cgi-bin/csp?cspid={XXXXXXXXXX}&csppage=cgi_PgOverview&csplang=en" produced by that login (for example, http://eternus/cgi-bin/csp?cspid={XXXXXXXXXX}&csppage=cgi_PgOverview&csplang=en) is entered from a different web browser.

Example: https://imgur.com/a/kuhCi04
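As an added detection example (not part of the advisory, and not Fujitsu's code): assuming the appliance's web requests pass through a reverse proxy or are otherwise recorded in Apache combined log format, this script groups /cgi-bin/csp requests by their cspid value and flags any value used from more than one (source IP, User-Agent) pair, which is the cross-browser reuse the advisory describes. The log lines and cspid values below are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format). The cspid
# values are made up; a real log would carry the appliance's own tokens.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Nov/2020:10:01:02 +0000] "GET /cgi-bin/csp?cspid=AAAA111111&csppage=cgi_PgOverview&csplang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/83.0"
10.0.0.5 - - [26/Nov/2020:10:01:09 +0000] "GET /cgi-bin/csp?cspid=AAAA111111&csppage=cgi_PgVolumes&csplang=en HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/83.0"
10.0.0.77 - - [26/Nov/2020:10:03:40 +0000] "GET /cgi-bin/csp?cspid=AAAA111111&csppage=cgi_PgOverview&csplang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/87.0"
10.0.0.9 - - [26/Nov/2020:10:05:00 +0000] "GET /cgi-bin/csp?cspid=BBBB222222&csppage=cgi_PgOverview&csplang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/83.0"
"""

# Apache combined format: ip ident user [ts] "method uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (ip, timestamp, uri, user_agent), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ts"), m.group("uri"), m.group("ua")

def extract_cspid(uri):
    """Pull the cspid token out of a /cgi-bin/csp request URI, else None."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/cgi-bin/csp"):
        return None
    return parse_qs(parts.query).get("cspid", [None])[0]

def find_shared_tokens(log_text):
    """Map each cspid to the sorted list of distinct (ip, user_agent) clients that
    used it, keeping only tokens seen from more than one client."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _ts, uri, ua = rec
        token = extract_cspid(uri)
        if token:
            clients[token].add((ip, ua))
    return {tok: sorted(c) for tok, c in clients.items() if len(c) > 1}

if __name__ == "__main__":
    for token, who in find_shared_tokens(SAMPLE_LOG).items():
        print(f"cspid {token} reused by {len(who)} distinct clients: {who}")
```

A user who legitimately switches browser or address will also trigger this, so treat a hit as a triage signal to correlate with the portal's own login records rather than as proof of misuse.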

Copyright ©2024 Exploitalert.