Incorrect Authorization Vulnerability in U.motion Server by Schneider Electric
CVE-2019-6838

6.5MEDIUM

Key Information:

Vendor: Schneider Electric
Status: U.motion Servers (meg6501-0001 - U.motion Knx Server, Meg6501-0002 - U.motion Knx Server Plus, Meg6260-0410 - U.motion Knx Server Plus, Touch 10, And Meg6260-0415 - U.motion Knx Server Plus, Touch 1)
Vendor: CVE Published:; 17 September 2019

Summary

An incorrect authorization vulnerability in U.motion Server allows users with limited privileges to delete critical files. This misconfiguration could lead to severe consequences within the system operations, as unauthorized users gain access to functionalities that should be restricted. The affected models include various versions of the U.motion KNX server, which are widely used in automation systems, highlighting the importance of applying security updates and ensuring proper access controls.

Affected Version(s)

U.motion Servers (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, and MEG6260-0415 - U.motion KNX Server Plus, Touch 1) U.motion Servers (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, and MEG6260-0415 - U.motion KNX Server Plus, Touch 1)

References

https://www.se.com/ww/en/download/document/SEVD-2019-253-01/

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 17, 2019
Vulnerability Reserved
Jan 25, 2019