PT-2020-13037 · Vpncrypt · Vpncrypt M10

Published: 2020-08-12 · Updated: 2021-07-21 · CVE-2020-12106

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

VPNCrypt M10 version 2.6.5

Description

The issue concerns the Web portal of the WiFi module, which allows unauthenticated users to send HTTP POST requests to critical administrative functions. This includes changing credentials of the Administrator account or connecting the product to a rogue access point.

Recommendations

For VPNCrypt M10 version 2.6.5, consider restricting access to the Web portal of the WiFi module to prevent unauthenticated users from sending HTTP POST requests to administrative functions until a patch is available. As a temporary workaround, limit the ability to change Administrator account credentials and prevent connections to unknown access points.

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2020-12106

Affected Products

Vpncrypt M10