PT-2019-9015 · Phoenix Contact · Fl Switch 3Xxx +2
Evgeniy Druzhinin +2 · Published 2019-05-07 · Updated 2020-08-24 · CVE-2018-13992
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, 48xx versions 1.0 through 1.34
Description
By default, the WebUI of the affected devices transmits user credentials in plaintext over HTTP.
Recommendations
For versions 1.0 through 1.34, consider configuring the WebUI to use encrypted transmission, such as HTTPS, to protect user credentials. As a temporary workaround, restrict access to the WebUI to minimize the risk of exploitation.
Fix
Missing Encryption of Sensitive Data
Weakness Enumeration
Related Identifiers
Affected Products
Fl Switch 3Xxx
Fl Switch 48Xx
Fl Switch 4Xxx