Crestron Electronics Information for VU#974424
Crestron Electronics DM-TXRX-100-STR web interface contains multiple vulnerabilities
- Vendor Information Help Date Notified: 25 Apr 2016
- Statement Date: 26 Jul 2016
- Date Updated: 28 Jul 2016
The following were fully resolved in 1.3.39.00040
- CWE-603: Use of Client-Side Authentication - CVE-2016-5666
- CWE-425: Direct Request ('Forced Browsing') - CVE-2016-5667
- CWE-306: Missing Authentication for Critical Function - CVE-2016-5668 -
- CWE-321: Use of Hard-coded Cryptographic Key - CVE-2016-5669 -
CWE-255: Credentials Management - CVE-2016-5670 - was partially addressed in 1.3.39.00040. Users now have the ability to modify the password on the device page of the web interface. Other credentials management enhancements will be implemented in a future firmware release. It is recommended to change the default password on the device page when commissioning the device.
CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2016-5671 - will be addressed in a future release.
We are not aware of further vendor information regarding this vulnerability.
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.