Vulnerabilities > CVE-2019-6837 - Server-Side Request Forgery (SSRF) vulnerability in Schneider-Electric products

CVSS 9.1 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

schneider-electric

CWE-918

critical

NVD

Published: 2019-09-17

Updated: 2022-11-30

Summary

A Server-Side Request Forgery (SSRF): CWE-918 vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could cause server configuration data to be exposed when an attacker modifies a URL.

Vulnerable Configurations

Part	Description	Count
OS	Schneider-Electric Schneider Electric Meg6501 0001 Firmware - Schneider Electric Meg6501 0001 Firmware 1.0 Schneider Electric Meg6501 0001 - Schneider Electric Meg6501 0002 Firmware - Schneider Electric Meg6501 0002 Firmware 1.0 Schneider Electric Meg6501 0002 - Schneider Electric Meg6260 0410 Firmware - Schneider Electric Meg6260 0410 Firmware 1.0 Schneider Electric Meg6260 0410 - Schneider Electric Meg6260 0415 Firmware - Schneider Electric Meg6260 0415 Firmware 1.0 Schneider Electric Meg6260 0415 -	12

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-253-01