|2017-01-12||Other||Carlo Gavazzi||Karn Ganeshen has reported these vulnerabilities.
||N/A||CVE-2017-5144 CVE-2017-5145 CVE-2017-5146 ||N/A||N/A||N/A|
# Carlo Gavazzi VMU-C EM and VMU-C PV
### VULNERABLE VENDOR
Carlo Gavazzi
### VULNERABLE PRODUCT
VMU-C EM, VMU-C PV
Karn Ganeshen has reported these vulnerabilities.
### AFFECTED PRODUCTS
Carlo Gavazzi reports that the vulnerabilities affect the following versions:
VMU-C EM prior to firmware Version A11_U05, and
VMU-C PV prior to firmware Version A17
Successful exploitation of these vulnerabilities could allow an attacker to change configuration parameters and save the modified configuration.
### VULNERABILITY OVERVIEW
ACCESS CONTROL CWE-284
The access control flaw allows access to most application functions without authentication.
CVE-2017-5144 has been assigned to this vulnerability.
A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
Successful exploitation of this vulnerability can allow unauthorized actions to be executed on the device, such as changing configuration parameters and saving the modified configuration.
CVE-2017-5145 has been assigned to this vulnerability.
A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
INFORMATION EXPOSURE CWE-200
Sensitive information is stored in clear-text.
CVE-2017-5146 has been assigned to this vulnerability.
A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Carlo Gavazzi has created firmware updates that mitigate these vulnerabilities. Carlo Gavazzi recommends upgrading to the following firmware versions:
VMU-C EM A11_U05 for VMU-C EM, and
VMU-C PV A17 for VMU-C PV.
The relevant firmware versions are available either by means of the firmware update function embedded in the VMU-C or by downloading them from Carlo Gavazzi’s web site. Please open the link:
Click on “Select the Product.”
Choose “Web-Server” from the “FUNCTION” column.
A list including both VMU-C EM and VMU-C PV will appear.
Select the target VMU-C model from the list.
From the “downloads” section on the right, click on the “Software” icon to start downloading the updated firmware package.