CVE-2017-5634

MEDIUM

Norwegian-air Norwegian Air Kiosk - Exposure to Wrong Actor

Title source: rule

Description

The Norwegian Air Shuttle (aka norwegian.com) airline kiosk allows physically proximate attackers to bypass the intended "Please select booking identification" UI step, and obtain administrative privileges and network access on the underlying Windows OS, by accessing a touch-screen print icon to manipulate the print dialog.

References (4)

[Third Party Advisory] https://bugemot.com/bug/190

[Third Party Advisory] https://www.youtube.com/watch?v=2j9gP5Qu2WA

[Third Party Advisory] https://www.youtube.com/watch?v=WSQW0ipnXQg

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/96230

Scores

CVSS v3 6.6

EPSS 0.0006

EPSS Percentile 18.7%

Attack Vector PHYSICAL

CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-668

Status draft

Affected Products (1)

norwegian-air/norwegian_air_kiosk

Timeline

Published Feb 09, 2017

Tracked Since Feb 18, 2026