Vulnerabilities > CVE-2016-8366 - Credentials Management vulnerability in Phoenixcontact ILC Plcs Firmware

CVSS 7.3 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

LOW

network

low complexity

phoenixcontact

CWE-255

exploit available

NVD

Published: 2018-04-05

Updated: 2018-10-13

Summary

Webvisit in Phoenix Contact ILC PLCs offers a password macro to protect HMI pages on the PLC against casual or coincidental opening of HMI pages by the user. The password macro can be configured in a way that the password is stored and transferred in clear text.

Vulnerable Configurations

Part	Description	Count
OS	Phoenixcontact Phoenixcontact ILC Plcs Firmware -	1
Hardware	Phoenixcontact Phoenixcontact ILC Plcs -	1

Common Weakness Enumeration (CWE)

CWE-255 - Credentials Management

Exploit-Db

description	Phoenix Contact WebVisit 6.40.00 - Password Disclosure. CVE-2016-8366. Webapps exploit for Hardware platform
file	exploits/hardware/webapps/45586.py
id	EDB-ID:45586
last seen	2018-10-11
modified	2018-10-11
platform	hardware
port
published	2018-10-11
reporter	Exploit-DB
source	https://www.exploit-db.com/download/45586/
title	Phoenix Contact WebVisit 6.40.00 - Password Disclosure
type	webapps

Packetstorm

data source	https://packetstormsecurity.com/files/download/149763/phoenixcontactwebvisit64000-disclose.txt
id	PACKETSTORM:149763
last seen	2018-10-12
published	2018-10-11
reporter	Deneut Tijl
source	https://packetstormsecurity.com/files/149763/Phoenix-Contact-WebVisit-6.40.00-Password-Disclosure.html
title	Phoenix Contact WebVisit 6.40.00 Password Disclosure

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Packetstorm

References