Vulnerability Details CVE-2019-11536
Kalki Kalkitech SYNC3000 Substation DCU GPC v2.22.6, 2.23.0, 2.24.0, 3.0.0, 3.1.0, 3.1.16, 3.2.3, 3.2.6, 3.5.0, 3.6.0, and 3.6.1, when WebHMI is not installed, allows an attacker to inject client-side commands or scripts to be executed on the device with privileged access, aka CYB/2019/19561. The attack requires network connectivity to the device and exploits the webserver interface, typically through a browser.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 59.0%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 10.0
References
Products affected by CVE-2019-11536
-
cpe:2.3:h:kalkitech:sync3000:-
-
cpe:2.3:o:kalkitech:sync3000_firmware:2.22.6
-
cpe:2.3:o:kalkitech:sync3000_firmware:2.23.0
-
cpe:2.3:o:kalkitech:sync3000_firmware:2.24.0
-
cpe:2.3:o:kalkitech:sync3000_firmware:3.0.0
-
cpe:2.3:o:kalkitech:sync3000_firmware:3.1.0
-
cpe:2.3:o:kalkitech:sync3000_firmware:3.1.16
-
cpe:2.3:o:kalkitech:sync3000_firmware:3.2.3
-
cpe:2.3:o:kalkitech:sync3000_firmware:3.2.6
-
cpe:2.3:o:kalkitech:sync3000_firmware:3.5.0
-
cpe:2.3:o:kalkitech:sync3000_firmware:3.6.0
-
cpe:2.3:o:kalkitech:sync3000_firmware:3.6.1