CVE-2019-7590: exacqVision Server Unquoted Service Path
First published: Fri Jul 19 2019(Updated: )
ExacqVision Server’s services 'exacqVisionServer', 'dvrdhcpserver' and 'mdnsresponder' have an unquoted service path. If an authenticated user is able to insert code in their system root path it potentially can be executed during the application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies, Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies, Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies, Inc. exacqVision Server versions prior to 8.4.
Credit: productsecurity@jci.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Johnsoncontrols Exacqvision Server | =9.6 | |
| Johnsoncontrols Exacqvision Server | =9.8 |
Remedy
Upgrade to exacqVision Server 19.03
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/109307
- https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341
- https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html
- https://www.johnsoncontrols.com/cyber-solutions/security-advisories
- https://www.us-cert.gov/ics/advisories/icsa-19-199-01
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php
Frequently Asked Questions
What is the severity of CVE-2019-7590?
The severity of CVE-2019-7590 is high with a score of 7.8.
How does CVE-2019-7590 affect ExacqVision Server?
CVE-2019-7590 affects ExacqVision Server versions 9.6 and 9.8.
What is the vulnerability in CVE-2019-7590?
The vulnerability in CVE-2019-7590 is an unquoted service path in ExacqVision Server's services 'exacqVisionServer', 'dvrdhcpserver', and 'mdnsresponder'.
How can an authenticated user exploit CVE-2019-7590?
If an authenticated user is able to insert code in their system root path, it potentially can be executed during the application startup, allowing them to escalate privileges.
Are there any references for CVE-2019-7590?
Yes, you can find more information about CVE-2019-7590 at the following references: [SecurityFocus](http://www.securityfocus.com/bid/109307), [Microsoft TechNet](https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341), and [Packet Storm Security](https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html).
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/weakness
- agent/remedy
- agent/title
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/tags
- agent/event
- vendor/johnsoncontrols
- canonical/johnsoncontrols exacqvision server
- version/johnsoncontrols exacqvision server/9.6
- version/johnsoncontrols exacqvision server/9.8