ControlByWeb released new firmware to mitigate improper authentication and cross-site scripting vulnerabilities in its X-320M, according to a report with NCCIC.
Successful exploitation of these vulnerabilities may allow arbitrary code execution and could leave the accessed device in a state that requires a physical factory reset to restore it to operation.
The X-320M-I, a web-enabled weather station, running firmware revision v1.05 and prior suffers from the remotely exploitable vulnerabilities, discovered by John Elder and Tom Westenberg of Applied Risk.
In one vulnerability, when an actor claims to have a given identity, the software does not prove, or insufficiently proves, that the claim is correct (improper authentication), which may allow an attacker to cause a denial of service condition.
CVE-2018-18881 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
In addition, the software does not properly validate or neutralize user-controllable input before placing it in the web pages it serves (cross-site scripting), which may allow arbitrary code to be executed in the browser of a user accessing the device's web interface.
CVE-2018-18882 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.6.
The product sees use mainly in the information technology sector, and is deployed on a global basis.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage them.
ControlByWeb released a firmware update to address the vulnerabilities found in the X-320M; users running firmware revision v1.05 or earlier should apply it.