Vulnerabilities > CVE-2018-15486 - Inclusion of Functionality from Untrusted Control Sphere vulnerability in Kone Group Controller Firmware

CVSS 9.1 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

kone

CWE-829

critical

NVD

Published: 2018-09-07

Updated: 2019-10-03

Summary

An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Unauthenticated Local File Inclusion and File modification is possible through the open HTTP interface by modifying the name parameter of the file endpoint, aka KONE-02.

Vulnerable Configurations

Part	Description	Count
OS	Kone Kone Group Controller Firmware -	1
Hardware	Kone Kone Group Controller -	1

Common Weakness Enumeration (CWE)

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

Packetstorm

data source	https://packetstormsecurity.com/files/download/149252/konesgc-execlfidos.txt
id	PACKETSTORM:149252
last seen	2018-09-06
published	2018-09-06
reporter	Sebastian Neuner
source	https://packetstormsecurity.com/files/149252/KONE-KGC-4.6.4-DoS-Code-Execution-LFI-Bypass.html
title	KONE KGC 4.6.4 DoS / Code Execution / LFI / Bypass

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Packetstorm

References