CVE-2019-10886

An incorrect access control exists in the Sony Photo Sharing Plus application in the firmware before PKG6.5629 version (for the X7500D TV and other applicable TVs). This vulnerability allows an attacker to read arbitrary files without authentication over HTTP when Photo Sharing Plus application is running. This may allow an attacker to browse a particular directory (e.g. images) inside the private network.

CVSS v3 5.9 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/152612/Sony-Smart-TV-Information-Disclosure-File-Read.html	VDB Entry Third Party Advisory
http://seclists.org/fulldisclosure/2019/Apr/32	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/108072	Third Party Advisory VDB Entry
https://seclists.org/bugtraq/2019/Apr/34	Mailing List Exploit Third Party Advisory
https://www.sony.com/electronics/support/downloads/00016043	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:h:sony:kdl-50w800c:-:::::::*
	cpe:2.3:h:sony:kdl-50w805c:-:::::::*
	cpe:2.3:h:sony:kdl-50w807c:-:::::::*
	cpe:2.3:h:sony:kdl-50w809c:-:::::::*
	cpe:2.3:h:sony:kdl-50w820c:-:::::::*
	cpe:2.3:h:sony:kdl-55w800c:-:::::::*
	cpe:2.3:h:sony:kdl-55w805c:-:::::::*
	cpe:2.3:h:sony:kdl-65w850c:-:::::::*
	cpe:2.3:h:sony:kdl-65w855c:-:::::::*
	cpe:2.3:h:sony:kdl-65w857c:-:::::::*
	cpe:2.3:h:sony:kdl-75w850c:-:::::::*
	cpe:2.3:h:sony:kdl-75w855c:-:::::::*
	cpe:2.3:h:sony:x7500d:-:::::::*
	cpe:2.3:h:sony:xbr-100z9d:-:::::::*
	cpe:2.3:h:sony:xbr-43x800d:-:::::::*
	cpe:2.3:h:sony:xbr-43x800e:-:::::::*
	cpe:2.3:h:sony:xbr-43x830c:-:::::::*
	cpe:2.3:h:sony:xbr-49x700d:-:::::::*
	cpe:2.3:h:sony:xbr-49x800c:-:::::::*
	cpe:2.3:h:sony:xbr-49x800d:-:::::::*
	cpe:2.3:h:sony:xbr-49x800e:-:::::::*
	cpe:2.3:h:sony:xbr-49x830c:-:::::::*
	cpe:2.3:h:sony:xbr-49x835c:-:::::::*
	cpe:2.3:h:sony:xbr-49x835d:-:::::::*
	cpe:2.3:h:sony:xbr-49x837c:-:::::::*
	cpe:2.3:h:sony:xbr-49x839c:-:::::::*
	cpe:2.3:h:sony:xbr-49x900e:-:::::::*
	cpe:2.3:h:sony:xbr-55a1e:-:::::::*
	cpe:2.3:h:sony:xbr-55x700d:-:::::::*
	cpe:2.3:h:sony:xbr-55x800e:-:::::::*
	cpe:2.3:h:sony:xbr-55x805c:-:::::::*
	cpe:2.3:h:sony:xbr-55x806e:-:::::::*
	cpe:2.3:h:sony:xbr-55x807c:-:::::::*
	cpe:2.3:h:sony:xbr-55x809c:-:::::::*
	cpe:2.3:h:sony:xbr-55x810c:-:::::::*
	cpe:2.3:h:sony:xbr-55x850c:-:::::::*
	cpe:2.3:h:sony:xbr-55x850d:-:::::::*
	cpe:2.3:h:sony:xbr-55x855c:-:::::::*
	cpe:2.3:h:sony:xbr-55x855d:-:::::::*
	cpe:2.3:h:sony:xbr-55x857c:-:::::::*
	cpe:2.3:h:sony:xbr-55x857d:-:::::::*
	cpe:2.3:h:sony:xbr-55x900c:-:::::::*
	cpe:2.3:h:sony:xbr-55x900e:-:::::::*
	cpe:2.3:h:sony:xbr-55x905c:-:::::::*
	cpe:2.3:h:sony:xbr-55x907c:-:::::::*
	cpe:2.3:h:sony:xbr-55x930d:-:::::::*
	cpe:2.3:h:sony:xbr-55x930e:-:::::::*
	cpe:2.3:h:sony:xbr-65a1e:-:::::::*
	cpe:2.3:h:sony:xbr-65x750d:-:::::::*
	cpe:2.3:h:sony:xbr-65x800c:-:::::::*
	cpe:2.3:h:sony:xbr-65x805c:-:::::::*
	cpe:2.3:h:sony:xbr-65x807c:-:::::::*
	cpe:2.3:h:sony:xbr-65x809c:-:::::::*
	cpe:2.3:h:sony:xbr-65x810c:-:::::::*
	cpe:2.3:h:sony:xbr-65x850c:-:::::::*
	cpe:2.3:h:sony:xbr-65x850d:-:::::::*
	cpe:2.3:h:sony:xbr-65x850e:-:::::::*
	cpe:2.3:h:sony:xbr-65x855c:-:::::::*
	cpe:2.3:h:sony:xbr-65x855d:-:::::::*
	cpe:2.3:h:sony:xbr-65x857c:-:::::::*
	cpe:2.3:h:sony:xbr-65x857d:-:::::::*
	cpe:2.3:h:sony:xbr-65x900c:-:::::::*
	cpe:2.3:h:sony:xbr-65x900e:-:::::::*
	cpe:2.3:h:sony:xbr-65x905c:-:::::::*
cpe:2.3:h:sony:xbr-65x907c:-:::::::*
cpe:2.3:h:sony:xbr-65x930c:-:::::::*
cpe:2.3:h:sony:xbr-65x930d:-:::::::*
cpe:2.3:h:sony:xbr-65x930e:-:::::::*
cpe:2.3:h:sony:xbr-65x935d:-:::::::*
cpe:2.3:h:sony:xbr-65x937d:-:::::::*
cpe:2.3:h:sony:xbr-65z9d:-:::::::*
cpe:2.3:h:sony:xbr-75x850c:-:::::::*
cpe:2.3:h:sony:xbr-75x850d:-:::::::*
cpe:2.3:h:sony:xbr-75x850e:-:::::::*
cpe:2.3:h:sony:xbr-75x855c:-:::::::*
cpe:2.3:h:sony:xbr-75x855d:-:::::::*
cpe:2.3:h:sony:xbr-75x857d:-:::::::*
cpe:2.3:h:sony:xbr-75x900e:-:::::::*
cpe:2.3:h:sony:xbr-75x910c:-:::::::*
cpe:2.3:h:sony:xbr-75x940c:-:::::::*
cpe:2.3:h:sony:xbr-75x940d:-:::::::*
cpe:2.3:h:sony:xbr-75x940e:-:::::::*
cpe:2.3:h:sony:xbr-75x945c:-:::::::*
cpe:2.3:h:sony:xbr-75z9d:-:::::::*
cpe:2.3:h:sony:xbr-77a1e:-:::::::*
cpe:2.3:h:sony:xbr-85x850d:-:::::::*
cpe:2.3:h:sony:xbr-85x855d:-:::::::*
cpe:2.3:h:sony:xbr-85x857d:-:::::::*

cpe:2.3:a:sony:photo_sharing_plus:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-04-19 18:29

Updated : 2020-08-24 17:37

NVD link : CVE-2019-10886

Mitre link : CVE-2019-10886

CVE.ORG link : CVE-2019-10886

JSON object : View

Products Affected

sony

xbr-55x810c
xbr-75x900e
xbr-65x805c
xbr-75x850e
kdl-50w809c
xbr-55x806e
kdl-75w850c
xbr-100z9d
xbr-55x855c
kdl-50w807c
xbr-49x835c
xbr-55x857d
xbr-43x800d
xbr-65x900e
xbr-55x930d
xbr-65x930d
xbr-65x937d
xbr-65x850d
xbr-65x809c
xbr-65x907c
kdl-65w855c
xbr-75x940d
xbr-55x700d
xbr-49x837c
xbr-55x809c
xbr-65x750d
kdl-75w855c
photo_sharing_plus
xbr-75x850c
xbr-55x900e
kdl-65w850c
xbr-55x857c
xbr-49x839c
xbr-65x850e
x7500d
xbr-55x905c
xbr-75x910c
xbr-65x857d
xbr-85x850d
xbr-43x800e
kdl-55w805c
xbr-55x850d
xbr-65x935d
xbr-75x857d
xbr-49x800d
xbr-65z9d
xbr-55x807c
xbr-49x800c
xbr-55x855d
xbr-65x930c
xbr-49x700d
xbr-49x800e
xbr-55x805c
xbr-75x940e
xbr-65x850c
xbr-65x905c
xbr-55x930e
xbr-55x907c
xbr-65x810c
xbr-55x850c
kdl-55w800c
kdl-50w805c
kdl-50w820c
xbr-77a1e
xbr-65x900c
xbr-75x855c
xbr-49x830c
xbr-43x830c
xbr-55x800e
xbr-55x900c
xbr-85x855d
xbr-65x855c
xbr-85x857d
xbr-75x940c
xbr-65x807c
xbr-65x857c
xbr-49x835d
xbr-75x945c
xbr-49x900e
xbr-55a1e
xbr-65x855d
xbr-65x930e
xbr-65a1e
kdl-65w857c
kdl-50w800c
xbr-65x800c
xbr-75x850d
xbr-75z9d
xbr-75x855d

CWE

CWE-306

Missing Authentication for Critical Function

5.9 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2019-10886

5.9^/10

4.3^/10

Attach tags to `CVE-2019-10886`