Echelon SmartServer 2.2 with i.LON Vision 2.2 stores cleartext credentials in a file, which could allow an attacker to obtain cleartext usernames and passwords of the SmartServer. If the attacker obtains the file, then the credentials could be used to control the web user interface and file transfer protocol (FTP) server.
Metrics
CVSS Version: 3.1
Base Score: 6.3 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H
Exploitability Metrics: Attack Vector (AV): LOCAL; Attack Complexity (AC): LOW; Privileges Required (PR): HIGH; User Interaction (UI): NONE; Scope (S): UNCHANGED
Impact Metrics: Confidentiality Impact (C): HIGH; Integrity Impact (I): LOW; Availability Impact (A): HIGH
Weakness Enumeration (CWE)
CWE-ID: CWE-798
CWE Name: Use of Hard-coded Credentials
Source: EnOcean
Common Attack Pattern Enumeration and Classification (CAPEC)