Xovis Security Bulletin 2018-001

Description

Xovis PC-series sensor firmware through 3.6.0 allows Cross-Site Request Forgery (CSRF).

Vulnerability Details

The PC-series sensor firmware authenticates users in a way that allows forged cross-site requests to be accepted, making CSRF attacks possible.

Affected Products and Versions

All PC-series sensor firmware versions up to and including 3.6.0.

Remediation/Fixes

Update to PC-series sensor firmware 3.7.0 or newer and disable legacy authentication.

Workarounds and Mitigations

If the default password(s) have been changed, an attacker must first obtain a valid password before the CSRF weakness can be exploited.

References

Acknowledgements

Xovis would like to thank Ayushman Dutta for responsibly reporting this vulnerability to protect our customers.

History