Description
Prima Systems FlexAir, versions 2.3.38 and prior, generates database backup files with a predictable name, so an attacker can use brute force to identify the backup file name. A malicious actor can exploit this issue to download the database file and obtain the login information it contains, which can allow the attacker to bypass authentication and gain full access to the system.
References (4)
Core References
Third Party Advisory x_refsource_misc
https://applied-risk.com/labs/advisories
Third Party Advisory x_refsource_misc
https://www.applied-risk.com/resources/ar-2019-007
Third Party Advisory, US Government Resource x_refsource_misc
https://www.us-cert.gov/ics/advisories/icsa-19-211-02
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/155262/Prima-FlexAir-Access-Control-2.3.35-Database-Backup-Predictable-Name.html
Scores
CVSS v3: 9.8
EPSS: 0.0450
EPSS Percentile: 90.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-330
Status: published
Products (1): primasystems/flexair < 2.3.38
Published: Jul 01, 2019
Tracked Since: Feb 18, 2026