CVE-2019-13933

Name of the Vulnerable Software and Affected Versions SCALANCE X204RNA (HSR) SCALANCE X204RNA (PRP) SCALANCE X204RNA EEC (HSR) SCALANCE X204RNA EEC (PRP) SCALANCE X204RNA EEC (PRP/HSR) SCALANCE X302-7 EEC (230V) SCALANCE X302-7 EEC (230V, coated) SCALANCE X302-7 EEC (24V) SCALANCE X302-7 EEC (24V, coated) SCALANCE X302-7 EEC (2x 230V) SCALANCE X302-7 EEC (2x 230V, coated) SCALANCE X302-7 EEC (2x 24V) SCALANCE X302-7 EEC (2x 24V, coated) SCALANCE X304-2FE SCALANCE X306-1LD FE SCALANCE X307-2 EEC (230V) SCALANCE X307-2 EEC (230V, coated) SCALANCE X307-2 EEC (24V) SCALANCE X307-2 EEC (24V, coated) SCALANCE X307-2 EEC (2x 230V) SCALANCE X307-2 EEC (2x 230V, coated) SCALANCE X307-2 EEC (2x 24V) SCALANCE X307-2 EEC (2x 24V, coated) SCALANCE X307-3 SCALANCE X307-3LD SCALANCE X308-2 SCALANCE X308-2LD SCALANCE X308-2LH SCALANCE X308-2LH+ SCALANCE X308-2M SCALANCE X308-2M PoE SCALANCE X308-2M TS SCALANCE X310 SCALANCE X310FE SCALANCE X320-1 FE SCALANCE X320-1-2LD FE SCALANCE X408-2 SCALANCE XR324-12M (230V, ports on front) SCALANCE XR324-12M (230V, ports on rear) SCALANCE XR324-12M (24V, ports on front) SCALANCE XR324-12M (24V, ports on rear) SCALANCE XR324-12M TS (24V) SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) SCALANCE XR324-4M EEC (24V, ports on front) SCALANCE XR324-4M EEC (24V, ports on rear) SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) SCALANCE XR324-4M EEC (2x 24V, ports on front) SCALANCE XR324-4M EEC (2x 24V, ports on rear) SCALANCE XR324-4M PoE (230V, ports on front) SCALANCE XR324-4M PoE (230V, ports on rear) SCALANCE XR324-4M PoE (24V, ports on front) SCALANCE XR324-4M PoE (24V, ports on rear) SCALANCE XR324-4M PoE TS (24V, ports on front) SIPLUS NET SCALANCE X308-2

Description The vulnerability allows an unauthenticated attacker to violate access-control rules by sending a GET request to a specific uniform resource locator on the web configuration interface of the device. This could enable an attacker with network access to obtain sensitive information or change the device configuration. The vulnerability is related to the absence of authentication for a critical function in the web interface of the affected devices. At the time of advisory publication, no public exploitation of this security issue was known.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.