Phasefale Controls JouleTemp Three Vulnerabilities

Vendor: Phasefale Controls Pty. Ltd.
Product: JouleTemp

According to the documentation, the web interface ships with a default admin password:

“Programming links to settings page ( username [admin] and password [pass] are required.)”

Without authenticating, the splash page will also reveal the internal IP address of the device.


Finally, the /set/comment.html page contains a stored XSS (CVE-2013-78009). You reach this page by clicking “Add HACCP Note” and then inserting a standard XSS string in the “Comment” field (the newhaccpcomment parameter). The application does not appear to scrub any user input.

POST /set/comment.html HTTP/1.1
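To show what the missing scrubbing looks like and how the comment handler should treat the newhaccpcomment value, here is an added example (not the vendor's code; the request body, the allowlist for a HACCP note and the table markup are constructed assumptions) that contrasts raw interpolation with validation plus HTML output encoding:

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample body for POST /set/comment.html (not a real capture).
SAMPLE_BODY = "newhaccpcomment=Fridge+2+checked+%3Cscript%3Ealert%281%29%3C%2Fscript%3E"

# Assumed allowlist for a HACCP note: letters, digits, common punctuation,
# up to 200 characters. Markup characters have no business in a note field.
NOTE_RE = re.compile(r"^[A-Za-z0-9 .,:;()/%+-]{1,200}$")


def parse_comment(body: str) -> str:
    """Extract the newhaccpcomment parameter from a urlencoded POST body."""
    params = parse_qs(body, keep_blank_values=True)
    return params.get("newhaccpcomment", [""])[0]


def render_unsafe(comment: str) -> str:
    """The pattern the advisory describes: raw input interpolated into HTML."""
    return f"<tr><td class='haccp'>{comment}</td></tr>"


def validate_comment(comment: str) -> bool:
    """Server-side input validation: reject anything outside the allowlist."""
    return bool(NOTE_RE.match(comment))


def render_safe(comment: str) -> str:
    """Hardened form: HTML-escape on output, independent of validation."""
    return f"<tr><td class='haccp'>{html.escape(comment, quote=True)}</td></tr>"


def handle_post(body: str) -> tuple:
    """Minimal handler: 400 on an invalid note, otherwise render it escaped."""
    comment = parse_comment(body)
    if not validate_comment(comment):
        return 400, "invalid comment"
    return 200, render_safe(comment)
```

Validation alone is not the fix; render_safe encodes on output so that even a note admitted by a looser allowlist cannot become markup.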

Discovered: 2013-02-13
Reported to ICS-CERT: 2013-04-10
ICS-CERT passed to CERT/CC: 2013-04-19
CERT/CC assigns VU#647752: 2013-04-25
CERT/CC says issues too low risk to coordinate disclosure: 2013-05-06