Insertion of Sensitive Information Into Sent Data vulnerability on CIRCUTOR Q-SMT
An attacker with access to the network where the CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could obtain legitimate credentials or steal sessions due to the fact that the device only implements the HTTP protocol. This fact prevents a secure communication channel from being established.
Description: CWE-201: Insertion of Sensitive Information Into Sent Data
Metrics
Version
Base score
Base severity
Vector
3.1
8.0
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version:3.1
Base score:8.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC ID
Description
Solutions
CIRCUTOR Q-SMT, in its firmware version 1.0.5, effectively solved the potential threat. CIRCUTOR made the new version available to its customers privately and strongly recommends them to keep their equipment updated.