CVE-2019-10886 - Vulnerability Details

An incorrect access control exists in the Sony Photo Sharing Plus application in the firmware before PKG6.5629 version (for the X7500D TV and other applicable TVs). This vulnerability allows an attacker to read arbitrary files without authentication over HTTP when Photo Sharing Plus application is running. This may allow an attacker to browse a particular directory (e.g. images) inside the private network.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00754.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

AND

cpe:2.3:a:sony:photo_sharing_plus:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:sony:kdl-50w800c:-:::::::*
	cpe:2.3:h:sony:kdl-50w805c:-:::::::*
	cpe:2.3:h:sony:kdl-50w807c:-:::::::*
	cpe:2.3:h:sony:kdl-50w809c:-:::::::*
	cpe:2.3:h:sony:kdl-50w820c:-:::::::*
	cpe:2.3:h:sony:kdl-55w800c:-:::::::*
	cpe:2.3:h:sony:kdl-55w805c:-:::::::*
	cpe:2.3:h:sony:kdl-65w850c:-:::::::*
	cpe:2.3:h:sony:kdl-65w855c:-:::::::*
	cpe:2.3:h:sony:kdl-65w857c:-:::::::*
	cpe:2.3:h:sony:kdl-75w850c:-:::::::*
	cpe:2.3:h:sony:kdl-75w855c:-:::::::*
	cpe:2.3:h:sony:x7500d:-:::::::*
	cpe:2.3:h:sony:xbr-100z9d:-:::::::*
	cpe:2.3:h:sony:xbr-43x800d:-:::::::*
	cpe:2.3:h:sony:xbr-43x800e:-:::::::*
	cpe:2.3:h:sony:xbr-43x830c:-:::::::*
	cpe:2.3:h:sony:xbr-49x700d:-:::::::*
	cpe:2.3:h:sony:xbr-49x800c:-:::::::*
	cpe:2.3:h:sony:xbr-49x800d:-:::::::*
	cpe:2.3:h:sony:xbr-49x800e:-:::::::*
	cpe:2.3:h:sony:xbr-49x830c:-:::::::*
	cpe:2.3:h:sony:xbr-49x835c:-:::::::*
	cpe:2.3:h:sony:xbr-49x835d:-:::::::*
	cpe:2.3:h:sony:xbr-49x837c:-:::::::*
	cpe:2.3:h:sony:xbr-49x839c:-:::::::*
	cpe:2.3:h:sony:xbr-49x900e:-:::::::*
	cpe:2.3:h:sony:xbr-55a1e:-:::::::*
	cpe:2.3:h:sony:xbr-55x700d:-:::::::*
	cpe:2.3:h:sony:xbr-55x800e:-:::::::*
	cpe:2.3:h:sony:xbr-55x805c:-:::::::*
	cpe:2.3:h:sony:xbr-55x806e:-:::::::*
	cpe:2.3:h:sony:xbr-55x807c:-:::::::*
	cpe:2.3:h:sony:xbr-55x809c:-:::::::*
	cpe:2.3:h:sony:xbr-55x810c:-:::::::*
	cpe:2.3:h:sony:xbr-55x850c:-:::::::*
	cpe:2.3:h:sony:xbr-55x850d:-:::::::*
	cpe:2.3:h:sony:xbr-55x855c:-:::::::*
	cpe:2.3:h:sony:xbr-55x855d:-:::::::*
	cpe:2.3:h:sony:xbr-55x857c:-:::::::*
	cpe:2.3:h:sony:xbr-55x857d:-:::::::*
	cpe:2.3:h:sony:xbr-55x900c:-:::::::*
	cpe:2.3:h:sony:xbr-55x900e:-:::::::*
	cpe:2.3:h:sony:xbr-55x905c:-:::::::*
	cpe:2.3:h:sony:xbr-55x907c:-:::::::*
	cpe:2.3:h:sony:xbr-55x930d:-:::::::*
	cpe:2.3:h:sony:xbr-55x930e:-:::::::*
	cpe:2.3:h:sony:xbr-65a1e:-:::::::*
	cpe:2.3:h:sony:xbr-65x750d:-:::::::*
	cpe:2.3:h:sony:xbr-65x800c:-:::::::*
	cpe:2.3:h:sony:xbr-65x805c:-:::::::*
	cpe:2.3:h:sony:xbr-65x807c:-:::::::*
	cpe:2.3:h:sony:xbr-65x809c:-:::::::*
	cpe:2.3:h:sony:xbr-65x810c:-:::::::*
	cpe:2.3:h:sony:xbr-65x850c:-:::::::*
	cpe:2.3:h:sony:xbr-65x850d:-:::::::*
	cpe:2.3:h:sony:xbr-65x850e:-:::::::*
	cpe:2.3:h:sony:xbr-65x855c:-:::::::*
	cpe:2.3:h:sony:xbr-65x855d:-:::::::*
	cpe:2.3:h:sony:xbr-65x857c:-:::::::*
	cpe:2.3:h:sony:xbr-65x857d:-:::::::*
	cpe:2.3:h:sony:xbr-65x900c:-:::::::*
	cpe:2.3:h:sony:xbr-65x900e:-:::::::*
	cpe:2.3:h:sony:xbr-65x905c:-:::::::*
cpe:2.3:h:sony:xbr-65x907c:-:::::::*
cpe:2.3:h:sony:xbr-65x930c:-:::::::*
cpe:2.3:h:sony:xbr-65x930d:-:::::::*
cpe:2.3:h:sony:xbr-65x930e:-:::::::*
cpe:2.3:h:sony:xbr-65x935d:-:::::::*
cpe:2.3:h:sony:xbr-65x937d:-:::::::*
cpe:2.3:h:sony:xbr-65z9d:-:::::::*
cpe:2.3:h:sony:xbr-75x850c:-:::::::*
cpe:2.3:h:sony:xbr-75x850d:-:::::::*
cpe:2.3:h:sony:xbr-75x850e:-:::::::*
cpe:2.3:h:sony:xbr-75x855c:-:::::::*
cpe:2.3:h:sony:xbr-75x855d:-:::::::*
cpe:2.3:h:sony:xbr-75x857d:-:::::::*
cpe:2.3:h:sony:xbr-75x900e:-:::::::*
cpe:2.3:h:sony:xbr-75x910c:-:::::::*
cpe:2.3:h:sony:xbr-75x940c:-:::::::*
cpe:2.3:h:sony:xbr-75x940d:-:::::::*
cpe:2.3:h:sony:xbr-75x940e:-:::::::*
cpe:2.3:h:sony:xbr-75x945c:-:::::::*
cpe:2.3:h:sony:xbr-75z9d:-:::::::*
cpe:2.3:h:sony:xbr-77a1e:-:::::::*
cpe:2.3:h:sony:xbr-85x850d:-:::::::*
cpe:2.3:h:sony:xbr-85x855d:-:::::::*
cpe:2.3:h:sony:xbr-85x857d:-:::::::*

No data.

Project Subscriptions

Vendors	Products
Sony Subscribe	Kdl-50w800c Subscribe Kdl-50w805c Subscribe Kdl-50w807c Subscribe Kdl-50w809c Subscribe Kdl-50w820c Subscribe Kdl-55w800c Subscribe Kdl-55w805c Subscribe Kdl-65w850c Subscribe Kdl-65w855c Subscribe Kdl-65w857c Subscribe Kdl-75w850c Subscribe Kdl-75w855c Subscribe Photo Sharing Plus Subscribe X7500d Subscribe Xbr-100z9d Subscribe Xbr-43x800d Subscribe Xbr-43x800e Subscribe Xbr-43x830c Subscribe Xbr-49x700d Subscribe Xbr-49x800c Subscribe Xbr-49x800d Subscribe Xbr-49x800e Subscribe Xbr-49x830c Subscribe Xbr-49x835c Subscribe Xbr-49x835d Subscribe Xbr-49x837c Subscribe Xbr-49x839c Subscribe Xbr-49x900e Subscribe Xbr-55a1e Subscribe Xbr-55x700d Subscribe Xbr-55x800e Subscribe Xbr-55x805c Subscribe Xbr-55x806e Subscribe Xbr-55x807c Subscribe Xbr-55x809c Subscribe Xbr-55x810c Subscribe Xbr-55x850c Subscribe Xbr-55x850d Subscribe Xbr-55x855c Subscribe Xbr-55x855d Subscribe Xbr-55x857c Subscribe Xbr-55x857d Subscribe Xbr-55x900c Subscribe Xbr-55x900e Subscribe Xbr-55x905c Subscribe Xbr-55x907c Subscribe Xbr-55x930d Subscribe Xbr-55x930e Subscribe Xbr-65a1e Subscribe Xbr-65x750d Subscribe Xbr-65x800c Subscribe Xbr-65x805c Subscribe Xbr-65x807c Subscribe Xbr-65x809c Subscribe Xbr-65x810c Subscribe Xbr-65x850c Subscribe Xbr-65x850d Subscribe Xbr-65x850e Subscribe Xbr-65x855c Subscribe Xbr-65x855d Subscribe Xbr-65x857c Subscribe Xbr-65x857d Subscribe Xbr-65x900c Subscribe Xbr-65x900e Subscribe Xbr-65x905c Subscribe Xbr-65x907c Subscribe Xbr-65x930c Subscribe Xbr-65x930d Subscribe Xbr-65x930e Subscribe Xbr-65x935d Subscribe Xbr-65x937d Subscribe Xbr-65z9d Subscribe Xbr-75x850c Subscribe Xbr-75x850d Subscribe Xbr-75x850e Subscribe Xbr-75x855c Subscribe Xbr-75x855d Subscribe Xbr-75x857d Subscribe Xbr-75x900e Subscribe Xbr-75x910c Subscribe Xbr-75x940c Subscribe Xbr-75x940d Subscribe Xbr-75x940e Subscribe Xbr-75x945c Subscribe Xbr-75z9d Subscribe Xbr-77a1e Subscribe Xbr-85x850d Subscribe Xbr-85x855d Subscribe Xbr-85x857d Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2019-2608	An incorrect access control exists in the Sony Photo Sharing Plus application in the firmware before PKG6.5629 version (for the X7500D TV and other applicable TVs). This vulnerability allows an attacker to read arbitrary files without authentication over HTTP when Photo Sharing Plus application is running. This may allow an attacker to browse a particular directory (e.g. images) inside the private network.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://packetstormsecurity.com/files/152612/Sony-Smart-TV-Information-Disclosure-File-Read.html
http://seclists.org/fulldisclosure/2019/Apr/32
http://www.securityfocus.com/bid/108072
https://seclists.org/bugtraq/2019/Apr/34
https://www.sony.com/electronics/support/downloads/00016043

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-04-19T17:51:49.000Z

Updated: 2024-08-04T22:40:14.926Z

Reserved: 2019-04-05T00:00:00.000Z

Link: CVE-2019-10886

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-04-19T18:29:00.747

Modified: 2024-11-21T04:20:03.150

Link: CVE-2019-10886

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-306

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object