CVE-2019-12167 in Liebert Challenger
Summary
by MITRE
httpGetSet/httpGet.htm on Emerson Network Power Liebert Challenger 5.1E0.5 devices allows XSS via the statusstr parameter.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/23/2023
The vulnerability identified as CVE-2019-12167 affects Emerson Network Power Liebert Challenger 5.1E0.5 devices and represents a cross-site scripting flaw within the httpGetSet/httpGet.htm web interface component. This issue specifically manifests when the statusstr parameter is manipulated by an attacker, allowing malicious script execution in the context of the affected device's web interface. The vulnerability resides in the device's web server implementation which fails to properly sanitize user input before incorporating it into dynamic web content. The affected parameter statusstr is processed without adequate validation or encoding mechanisms, creating an opportunity for attackers to inject malicious JavaScript code that executes in the browser of any user who views the affected web page.
This cross-site scripting vulnerability falls under the CWE-79 category of Cross-Site Scripting and can be categorized under the ATT&CK technique T1212 - Exploitation for Credential Access. The flaw enables attackers to execute arbitrary JavaScript code within the victim's browser session, potentially leading to session hijacking, credential theft, or further exploitation of the device. The vulnerability is particularly concerning because it affects network management interfaces that are often accessed by system administrators and other privileged users who may have elevated privileges within the network infrastructure. The web interface serves as a primary point of access for device configuration and monitoring, making it a valuable target for attackers seeking to establish persistent access or escalate privileges within the network environment.
The operational impact of this vulnerability extends beyond simple script execution as it can be leveraged for more sophisticated attacks including session fixation, data exfiltration, and potential lateral movement within the network. An attacker who successfully exploits this vulnerability could gain access to sensitive operational data, manipulate device settings, or use the compromised interface as a foothold for attacking other connected systems. The vulnerability affects the availability and integrity of the device's web-based management interface, potentially disrupting normal operations while providing attackers with covert access channels. Organizations using Emerson Network Power Liebert Challenger devices in critical infrastructure environments face significant risk as this vulnerability could be exploited to compromise power distribution systems, potentially leading to service outages or security breaches in data centers and industrial control environments.
Mitigation strategies for CVE-2019-12167 should include immediate firmware updates from Emerson Network Power to address the XSS vulnerability in the web interface components. Network administrators should implement proper input validation and output encoding measures to prevent malicious script injection, particularly for parameters like statusstr that are used in dynamic web content generation. Additional protective measures include network segmentation to limit access to the device's web interface, implementing web application firewalls to detect and block malicious payloads, and conducting regular security assessments of industrial control systems. The vulnerability highlights the importance of secure coding practices in embedded web interfaces and underscores the need for proper input sanitization and output encoding mechanisms. Organizations should also consider implementing network monitoring solutions to detect anomalous traffic patterns that may indicate exploitation attempts, while maintaining comprehensive audit trails of device access and configuration changes to support incident response activities.