CVE-2019-9663

Name of the Vulnerable Software and Affected Versions Eltex switch web server (affected versions not specified)

Description The issue exists due to the lack of length checks for the restoreUrl, errorCollector, userName$query, and password$query parameters in authorization requests. This can be exploited by a remote attacker to cause a denial of service using a specially crafted POST request to the "/config/log off page.htm" API endpoint.

Recommendations As a temporary workaround, consider restricting access to the "/config/log off page.htm" API endpoint until a patch is available. Avoid using the parameters restoreUrl, errorCollector, userName$query, and password$query in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.