CVE-2013-4732 - Vulnerability Details

Vendors	Products
Digital Alert Systems	Dasdec Eas
Monroe Electronics	R189 One-net Eas

Link	Providers
http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf
http://www.kb.cert.org/vuls/id/662676
http://www.kb.cert.org/vuls/id/AAMN-98MU7H
http://www.kb.cert.org/vuls/id/AAMN-98MUK2
http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The administrative web server on the Digital Alert Systems DASDEC EAS device through 2.0-2 and the Monroe Electronics R189 One-Net EAS device through 2.0-2 uses predictable session ID values, which makes it easier for remote attackers to hijack sessions by sniffing the network.  NOTE: VU#662676 states \"Monroe Electronics could not reproduce this finding."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-06-29T21:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.kb.cert.org/vuls/id/AAMN-98MU7H"}, {"tags": ["x_refsource_MISC"], "url": "http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf"}, {"name": "VU#662676", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/662676"}, {"tags": ["x_refsource_MISC"], "url": "http://www.kb.cert.org/vuls/id/AAMN-98MUK2"}, {"tags": ["x_refsource_MISC"], "url": "http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-4732", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** The administrative web server on the Digital Alert Systems DASDEC EAS device through 2.0-2 and the Monroe Electronics R189 One-Net EAS device through 2.0-2 uses predictable session ID values, which makes it easier for remote attackers to hijack sessions by sniffing the network.  NOTE: VU#662676 states \"Monroe Electronics could not reproduce this finding.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.kb.cert.org/vuls/id/AAMN-98MU7H", "refsource": "MISC", "url": "http://www.kb.cert.org/vuls/id/AAMN-98MU7H"}, {"name": "http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf", "refsource": "MISC", "url": "http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf"}, {"name": "VU#662676", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/662676"}, {"name": "http://www.kb.cert.org/vuls/id/AAMN-98MUK2", "refsource": "MISC", "url": "http://www.kb.cert.org/vuls/id/AAMN-98MUK2"}, {"name": "http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf", "refsource": "MISC", "url": "http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:52:27.001Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/AAMN-98MU7H"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf"}, {"name": "VU#662676", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/662676"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/AAMN-98MUK2"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-4732", "datePublished": "2013-06-29T21:00:00Z", "dateReserved": "2013-06-29T00:00:00Z", "dateUpdated": "2024-09-16T17:54:12.663Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : n/a (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : n/a (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : The administrative web server on the Digital Alert Systems DASDEC EAS device through 2.0-2 and the Monroe Electronics R189 One-Net EAS device through 2.0-2 uses predictable session ID values, which makes it easier for remote attackers to hijack sessions by sniffing the network. NOTE: VU#662676 states "Monroe Electronics could not reproduce this finding. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : n/a (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2013-06-29T21:00:00Z (string)

orgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

shortName : mitre (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : http://www.kb.cert.org/vuls/id/AAMN-98MU7H (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf (string)

}

2 : { »

name : VU#662676 (string)

tags : [ »

0 : third-party-advisory (string)

1 : x_refsource_CERT-VN (string)

]

url : http://www.kb.cert.org/vuls/id/662676 (string)

}

3 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : http://www.kb.cert.org/vuls/id/AAMN-98MUK2 (string)

}

4 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf (string)

}

]

tags : [ »

0 : disputed (string)

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : cve@mitre.org (string)

ID : CVE-2013-4732 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : n/a (string)

version : { »

version_data : [ »

0 : { »

version_value : n/a (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : ** DISPUTED ** The administrative web server on the Digital Alert Systems DASDEC EAS device through 2.0-2 and the Monroe Electronics R189 One-Net EAS device through 2.0-2 uses predictable session ID values, which makes it easier for remote attackers to hijack sessions by sniffing the network. NOTE: VU#662676 states "Monroe Electronics could not reproduce this finding." (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : n/a (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : http://www.kb.cert.org/vuls/id/AAMN-98MU7H (string)

refsource : MISC (string)

url : http://www.kb.cert.org/vuls/id/AAMN-98MU7H (string)

}

1 : { »

name : http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf (string)

refsource : MISC (string)

url : http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf (string)

}

2 : { »

name : VU#662676 (string)

refsource : CERT-VN (string)

url : http://www.kb.cert.org/vuls/id/662676 (string)

}

3 : { »

name : http://www.kb.cert.org/vuls/id/AAMN-98MUK2 (string)

refsource : MISC (string)

url : http://www.kb.cert.org/vuls/id/AAMN-98MUK2 (string)

}

4 : { »

name : http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf (string)

refsource : MISC (string)

url : http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-06T16:52:27.001Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : http://www.kb.cert.org/vuls/id/AAMN-98MU7H (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf (string)

}

2 : { »

name : VU#662676 (string)

tags : [ »

0 : third-party-advisory (string)

1 : x_refsource_CERT-VN (string)

2 : x_transferred (string)

]

url : http://www.kb.cert.org/vuls/id/662676 (string)

}

3 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : http://www.kb.cert.org/vuls/id/AAMN-98MUK2 (string)

}

4 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

assignerShortName : mitre (string)

cveId : CVE-2013-4732 (string)

datePublished : 2013-06-29T21:00:00Z (string)

dateReserved : 2013-06-29T00:00:00Z (string)

dateUpdated : 2024-09-16T17:54:12.663Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:digital_alert_systems:dasdec_eas:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A6190CC-FD4E-4CF2-81CE-9E108EF4B7B4", "versionEndIncluding": "2.0-2", "vulnerable": true}, {"criteria": "cpe:2.3:h:digital_alert_systems:dasdec_eas:2.0-0:*:*:*:*:*:*:*", "matchCriteriaId": "308B32AD-1091-4528-964B-7394D54B1D4E", "vulnerable": true}, {"criteria": "cpe:2.3:h:digital_alert_systems:dasdec_eas:2.0-1:*:*:*:*:*:*:*", "matchCriteriaId": "0F56C2F8-B2EC-4A96-898A-EAD3D02B7A6C", "vulnerable": true}, {"criteria": "cpe:2.3:h:monroe_electronics:r189_one-net_eas:*:*:*:*:*:*:*:*", "matchCriteriaId": "03F1A7BA-78B3-4ED0-947D-2CADF4A981D9", "versionEndIncluding": "2.0-2", "vulnerable": true}, {"criteria": "cpe:2.3:h:monroe_electronics:r189_one-net_eas:2.0-0:*:*:*:*:*:*:*", "matchCriteriaId": "90C5BDD8-C91B-44EB-870E-FABEFCFA5F7B", "vulnerable": true}, {"criteria": "cpe:2.3:h:monroe_electronics:r189_one-net_eas:2.0-1:*:*:*:*:*:*:*", "matchCriteriaId": "72D48CEF-FD5C-4547-A1A6-7FBF509AA12A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "The administrative web server on the Digital Alert Systems DASDEC EAS device through 2.0-2 and the Monroe Electronics R189 One-Net EAS device through 2.0-2 uses predictable session ID values, which makes it easier for remote attackers to hijack sessions by sniffing the network.  NOTE: VU#662676 states \"Monroe Electronics could not reproduce this finding."}, {"lang": "es", "value": "** EN DISPUTA ** El servidor Web de administraci\u00f3n del dispositivo Digital Alert Systems DASDEC EAS hasta v2.0-2 y el dispositivo Monroe Electronics R189 One-Net hasta v2.0-2 use un ID de sesi\u00f3n predecible, lo que permite a los atacantes remotos secuestrar la sesi\u00f3n de los usuarios mediante  EAS utiliza valores de ID de sesi\u00f3n predecibles, lo que hace que sea m\u00e1s f\u00e1cil para los atacantes remotos secuestrar sesiones mediante la captura de datos de red (\"sniffing\"). NOTA: VU#662676 dice que. Monroe Electronics no puede reproducir este hallazgo\""}], "id": "CVE-2013-4732", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-06-30T19:28:10.173", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/662676"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/AAMN-98MU7H"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/AAMN-98MUK2"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/662676"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/AAMN-98MU7H"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/AAMN-98MUK2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-255"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:h:digital_alert_systems:dasdec_eas:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 8A6190CC-FD4E-4CF2-81CE-9E108EF4B7B4 (string)

versionEndIncluding : 2.0-2 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:h:digital_alert_systems:dasdec_eas:2.0-0:*:*:*:*:*:*:* (string)

matchCriteriaId : 308B32AD-1091-4528-964B-7394D54B1D4E (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:h:digital_alert_systems:dasdec_eas:2.0-1:*:*:*:*:*:*:* (string)

matchCriteriaId : 0F56C2F8-B2EC-4A96-898A-EAD3D02B7A6C (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:h:monroe_electronics:r189_one-net_eas:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 03F1A7BA-78B3-4ED0-947D-2CADF4A981D9 (string)

versionEndIncluding : 2.0-2 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:h:monroe_electronics:r189_one-net_eas:2.0-0:*:*:*:*:*:*:* (string)

matchCriteriaId : 90C5BDD8-C91B-44EB-870E-FABEFCFA5F7B (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:h:monroe_electronics:r189_one-net_eas:2.0-1:*:*:*:*:*:*:* (string)

matchCriteriaId : 72D48CEF-FD5C-4547-A1A6-7FBF509AA12A (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

cveTags : [ »

0 : { »

sourceIdentifier : cve@mitre.org (string)

tags : [ »

0 : disputed (string)

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : The administrative web server on the Digital Alert Systems DASDEC EAS device through 2.0-2 and the Monroe Electronics R189 One-Net EAS device through 2.0-2 uses predictable session ID values, which makes it easier for remote attackers to hijack sessions by sniffing the network. NOTE: VU#662676 states "Monroe Electronics could not reproduce this finding. (string)

}

1 : { »

lang : es (string)

value : ** EN DISPUTA ** El servidor Web de administración del dispositivo Digital Alert Systems DASDEC EAS hasta v2.0-2 y el dispositivo Monroe Electronics R189 One-Net hasta v2.0-2 use un ID de sesión predecible, lo que permite a los atacantes remotos secuestrar la sesión de los usuarios mediante EAS utiliza valores de ID de sesión predecibles, lo que hace que sea más fácil para los atacantes remotos secuestrar sesiones mediante la captura de datos de red ("sniffing"). NOTA: VU#662676 dice que. Monroe Electronics no puede reproducir este hallazgo" (string)

}

]

id : CVE-2013-4732 (string)

lastModified : 2025-04-11T00:51:21.963 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : HIGH (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : COMPLETE (string)

baseScore : 10 (number)

confidentialityImpact : COMPLETE (string)

integrityImpact : COMPLETE (string)

vectorString : AV:N/AC:L/Au:N/C:C/I:C/A:C (string)

version : 2.0 (string)

}

exploitabilityScore : 10 (number)

impactScore : 10 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

}

published : 2013-06-30T19:28:10.173 (string)

references : [ »

0 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf (string)

}

1 : { »

source : cve@mitre.org (string)

tags : [ »

0 : US Government Resource (string)

]

url : http://www.kb.cert.org/vuls/id/662676 (string)

}

2 : { »

source : cve@mitre.org (string)

tags : [ »

0 : US Government Resource (string)

]

url : http://www.kb.cert.org/vuls/id/AAMN-98MU7H (string)

}

3 : { »

source : cve@mitre.org (string)

tags : [ »

0 : US Government Resource (string)

]

url : http://www.kb.cert.org/vuls/id/AAMN-98MUK2 (string)

}

4 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf (string)

}

6 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : US Government Resource (string)

]

url : http://www.kb.cert.org/vuls/id/662676 (string)

}

7 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : US Government Resource (string)

]

url : http://www.kb.cert.org/vuls/id/AAMN-98MU7H (string)

}

8 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : US Government Resource (string)

]

url : http://www.kb.cert.org/vuls/id/AAMN-98MUK2 (string)

}

9 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf (string)

}

]

sourceIdentifier : cve@mitre.org (string)

vulnStatus : Deferred (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-255 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object