cvelistv5 - cve-2020-7520

CVE-2020-7520 (GCVE-0-2020-7520)

Vulnerability from cvelistv5 – Published: 2020-07-23 20:46 – Updated: 2024-08-04 09:33

Summary

A CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim's machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker's possession. A man-in-the-middle attack is then used to complete the exploit.

Severity ?

No CVSS data available.

CWE

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Assigner

schneider

References

URL

Tags

https://www.se.com/ww/en/download/document/SEVD-2…

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	Schneider Electric Software Update (SESU) V2.4.0 and prior.	Affected: Schneider Electric Software Update (SESU) V2.4.0 and prior.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:33:19.592Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Schneider Electric Software Update (SESU) V2.4.0 and prior.",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Schneider Electric Software Update (SESU) V2.4.0 and prior."
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim\u0027s machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker\u0027s possession. A man-in-the-middle attack is then used to complete the exploit."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-23T20:46:33",
        "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
        "shortName": "schneider"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@schneider-electric.com",
          "ID": "CVE-2020-7520",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Schneider Electric Software Update (SESU) V2.4.0 and prior.",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Schneider Electric Software Update (SESU) V2.4.0 and prior."
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim\u0027s machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker\u0027s possession. A man-in-the-middle attack is then used to complete the exploit."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01/",
              "refsource": "MISC",
              "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
    "assignerShortName": "schneider",
    "cveId": "CVE-2020-7520",
    "datePublished": "2020-07-23T20:46:33",
    "dateReserved": "2020-01-21T00:00:00",
    "dateUpdated": "2024-08-04T09:33:19.592Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:schneider-electric:software_update_utility:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.4.0\", \"matchCriteriaId\": \"FED78F42-0A1F-4EB4-A45C-CD781E350508\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim\u0027s machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker\u0027s possession. A man-in-the-middle attack is then used to complete the exploit.\"}, {\"lang\": \"es\", \"value\": \"CWE-601: Se presenta una vulnerabilidad de Redireccionamiento de URL a un Sitio no Confiable (\\\"Open Redirect\\\") en Schneider Electric Software Update (SESU), versiones V2.4.0 y anteriores, lo que podr\\u00eda causar una ejecuci\\u00f3n de c\\u00f3digo malicioso en la m\\u00e1quina de la v\\u00edctima. A fin de explotar esta vulnerabilidad, un atacante requiere acceso privilegiado sobre la estaci\\u00f3n de trabajo de ingenier\\u00eda para modificar una clave de registro de Windows que desviar\\u00eda todas las actualizaciones de tr\\u00e1fico para pasar a trav\\u00e9s de un servidor en posesi\\u00f3n del atacante. Un ataque man-in-the-middle es usado para completar la explotaci\\u00f3n\"}]",
      "id": "CVE-2020-7520",
      "lastModified": "2024-11-21T05:37:18.200",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 4.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:H/Au:N/C:P/I:P/A:N\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"HIGH\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 4.9, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2020-07-23T21:15:12.550",
      "references": "[{\"url\": \"https://www.se.com/ww/en/download/document/SEVD-2020-196-01/\", \"source\": \"cybersecurity@se.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://www.se.com/ww/en/download/document/SEVD-2020-196-01/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "cybersecurity@se.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cybersecurity@se.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-601\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-601\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-7520\",\"sourceIdentifier\":\"cybersecurity@se.com\",\"published\":\"2020-07-23T21:15:12.550\",\"lastModified\":\"2024-11-21T05:37:18.200\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim\u0027s machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker\u0027s possession. A man-in-the-middle attack is then used to complete the exploit.\"},{\"lang\":\"es\",\"value\":\"CWE-601: Se presenta una vulnerabilidad de Redireccionamiento de URL a un Sitio no Confiable (\\\"Open Redirect\\\") en Schneider Electric Software Update (SESU), versiones V2.4.0 y anteriores, lo que podr\u00eda causar una ejecuci\u00f3n de c\u00f3digo malicioso en la m\u00e1quina de la v\u00edctima. A fin de explotar esta vulnerabilidad, un atacante requiere acceso privilegiado sobre la estaci\u00f3n de trabajo de ingenier\u00eda para modificar una clave de registro de Windows que desviar\u00eda todas las actualizaciones de tr\u00e1fico para pasar a trav\u00e9s de un servidor en posesi\u00f3n del atacante. Un ataque man-in-the-middle es usado para completar la explotaci\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:P/I:P/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":4.9,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"cybersecurity@se.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:schneider-electric:software_update_utility:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.4.0\",\"matchCriteriaId\":\"FED78F42-0A1F-4EB4-A45C-CD781E350508\"}]}]}],\"references\":[{\"url\":\"https://www.se.com/ww/en/download/document/SEVD-2020-196-01/\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.se.com/ww/en/download/document/SEVD-2020-196-01/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
  }
}

GSD-2020-7520

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-7520

Aliases

CVE-2020-7520

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-7520",
    "description": "A CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim\u0027s machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker\u0027s possession. A man-in-the-middle attack is then used to complete the exploit.",
    "id": "GSD-2020-7520"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-7520"
      ],
      "details": "A CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim\u0027s machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker\u0027s possession. A man-in-the-middle attack is then used to complete the exploit.",
      "id": "GSD-2020-7520",
      "modified": "2023-12-13T01:21:51.806577Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cybersecurity@schneider-electric.com",
        "ID": "CVE-2020-7520",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Schneider Electric Software Update (SESU) V2.4.0 and prior.",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Schneider Electric Software Update (SESU) V2.4.0 and prior."
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim\u0027s machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker\u0027s possession. A man-in-the-middle attack is then used to complete the exploit."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01/",
            "refsource": "MISC",
            "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:schneider-electric:software_update_utility:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@schneider-electric.com",
          "ID": "CVE-2020-7520"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim\u0027s machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker\u0027s possession. A man-in-the-middle attack is then used to complete the exploit."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-601"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01/",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 4.9,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2020-07-28T18:20Z",
      "publishedDate": "2020-07-23T21:15Z"
    }
  }
}

GHSA-392J-2P2C-C7M3

Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-05-24 17:24

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-7520"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-23T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim\u0027s machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker\u0027s possession. A man-in-the-middle attack is then used to complete the exploit.",
  "id": "GHSA-392j-2p2c-c7m3",
  "modified": "2022-05-24T17:24:17Z",
  "published": "2022-05-24T17:24:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7520"
    },
    {
      "type": "WEB",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CERTFR-2020-AVI-446

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Schneider. Elles permettent à un attaquant de provoquer une exécution de code arbitraire et un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Schneider Electric Software Update (SESU) versions antérieures à V2.5.0
Schneider Electric Floating License Manager versions antérieures à V2.5.0.0

SESU est notamment utilisé dans :

EcoStruxure Augmented Operator Advisor
EcoStruxure Control Expert (anciennement Unity Pro)
EcoStruxure Hybrid Distributed Control System (DCS)
EcoStruxure Machine Expert (anciennement SoMachine)
EcoStruxure Machine Expert Basic
EcoStruxure Operator Terminal Expert
Eurotherm Data Reviewer
Eurotherm iTools
eXLhoist Configuration Software
Schneider Electric Floating License Manager
Schneider Electric License Manager
Harmony XB5SSoft
SoMachine Motion
SoMove
Versatile Software BLUE
Vijeo Designer
OsiSense XX Configuration Software
Zelio Soft 2

Schneider Electric Floating License Manager est utilisé dans :

EcoStruxure Control Expert (avec licence flottante)
EcoStruxure Control Expert - Asset Link (avec licence flottante)
EcoStruxure Hybrid Distributed Control System (DCS) (anciennement PlantStruxure PES)
EcoStruxure Machine Expert (anciennement SoMachine) (avec licence flottante)
EcoStruxure Machine Expert – Safety (avec licence flottante)
Facility Expert Online
EcoStruxure Power Monitoring Expert
EcoStruxure Power SCADA Operation (anciennement PowerSCADA Expert et PowerLogic SCADA)
SoMachine Motion (avec licence flottante)

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité Schneider SEVD-2020-196-02 du 10 juillet 2020	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2020-196-01 du 10 juillet 2020	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cul\u003e \u003cli\u003eSchneider Electric Software Update (SESU) versions ant\u00e9rieures \u00e0 V2.5.0\u003c/li\u003e \u003cli\u003eSchneider Electric Floating License Manager versions ant\u00e9rieures \u00e0 V2.5.0.0\u003c/li\u003e \u003c/ul\u003e \u003cp\u003e\u0026nbsp;\u003c/p\u003e \u003cp\u003eSESU est notamment utilis\u00e9 dans :\u003c/p\u003e \u003cul\u003e \u003cli\u003eEcoStruxure Augmented Operator Advisor\u003c/li\u003e \u003cli\u003eEcoStruxure Control Expert (anciennement Unity Pro)\u003c/li\u003e \u003cli\u003eEcoStruxure Hybrid Distributed Control System (DCS)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert (anciennement SoMachine)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert Basic\u003c/li\u003e \u003cli\u003eEcoStruxure Operator Terminal Expert\u003c/li\u003e \u003cli\u003eEurotherm Data Reviewer\u003c/li\u003e \u003cli\u003eEurotherm iTools\u003c/li\u003e \u003cli\u003eeXLhoist Configuration Software\u003c/li\u003e \u003cli\u003eSchneider Electric Floating License Manager\u003c/li\u003e \u003cli\u003eSchneider Electric License Manager\u003c/li\u003e \u003cli\u003eHarmony XB5SSoft\u003c/li\u003e \u003cli\u003eSoMachine Motion\u003c/li\u003e \u003cli\u003eSoMove\u003c/li\u003e \u003cli\u003eVersatile Software BLUE\u003c/li\u003e \u003cli\u003eVijeo Designer\u003c/li\u003e \u003cli\u003eOsiSense XX Configuration Software\u003c/li\u003e \u003cli\u003eZelio Soft 2\u003c/li\u003e \u003c/ul\u003e \u003cp\u003eSchneider Electric Floating License Manager est utilis\u00e9 dans :\u003c/p\u003e \u003cul\u003e \u003cli\u003eEcoStruxure Control Expert (avec licence flottante)\u003c/li\u003e \u003cli\u003eEcoStruxure Control Expert - Asset Link (avec licence flottante)\u003c/li\u003e \u003cli\u003eEcoStruxure Hybrid Distributed Control System (DCS) (anciennement PlantStruxure PES)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert (anciennement SoMachine) (avec licence flottante)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert \u2013 Safety (avec licence flottante)\u003c/li\u003e \u003cli\u003eFacility Expert Online\u003c/li\u003e \u003cli\u003eEcoStruxure Power Monitoring Expert\u003c/li\u003e \u003cli\u003eEcoStruxure Power SCADA Operation (anciennement PowerSCADA Expert et PowerLogic SCADA)\u003c/li\u003e \u003cli\u003eSoMachine Motion (avec licence flottante)\u003c/li\u003e \u003c/ul\u003e ",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-8960",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-8960"
    },
    {
      "name": "CVE-2019-8961",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-8961"
    },
    {
      "name": "CVE-2020-7520",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7520"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-446",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-07-17T00:00:00.000000"
    },
    {
      "description": "Correction de l\u0027ann\u00e9e des cves CVE-2019-8960 et CVE-2019-8961",
      "revision_date": "2020-07-20T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire et un d\u00e9ni de service \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-196-02 du 10 juillet 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-02/"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-196-01 du 10 juillet 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01/"
    }
  ]
}

CERTFR-2020-AVI-446

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Schneider. Elles permettent à un attaquant de provoquer une exécution de code arbitraire et un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Schneider Electric Software Update (SESU) versions antérieures à V2.5.0
Schneider Electric Floating License Manager versions antérieures à V2.5.0.0

SESU est notamment utilisé dans :

EcoStruxure Augmented Operator Advisor
EcoStruxure Control Expert (anciennement Unity Pro)
EcoStruxure Hybrid Distributed Control System (DCS)
EcoStruxure Machine Expert (anciennement SoMachine)
EcoStruxure Machine Expert Basic
EcoStruxure Operator Terminal Expert
Eurotherm Data Reviewer
Eurotherm iTools
eXLhoist Configuration Software
Schneider Electric Floating License Manager
Schneider Electric License Manager
Harmony XB5SSoft
SoMachine Motion
SoMove
Versatile Software BLUE
Vijeo Designer
OsiSense XX Configuration Software
Zelio Soft 2

Schneider Electric Floating License Manager est utilisé dans :

EcoStruxure Control Expert (avec licence flottante)
EcoStruxure Control Expert - Asset Link (avec licence flottante)
EcoStruxure Hybrid Distributed Control System (DCS) (anciennement PlantStruxure PES)
EcoStruxure Machine Expert (anciennement SoMachine) (avec licence flottante)
EcoStruxure Machine Expert – Safety (avec licence flottante)
Facility Expert Online
EcoStruxure Power Monitoring Expert
EcoStruxure Power SCADA Operation (anciennement PowerSCADA Expert et PowerLogic SCADA)
SoMachine Motion (avec licence flottante)

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité Schneider SEVD-2020-196-02 du 10 juillet 2020	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2020-196-01 du 10 juillet 2020	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cul\u003e \u003cli\u003eSchneider Electric Software Update (SESU) versions ant\u00e9rieures \u00e0 V2.5.0\u003c/li\u003e \u003cli\u003eSchneider Electric Floating License Manager versions ant\u00e9rieures \u00e0 V2.5.0.0\u003c/li\u003e \u003c/ul\u003e \u003cp\u003e\u0026nbsp;\u003c/p\u003e \u003cp\u003eSESU est notamment utilis\u00e9 dans :\u003c/p\u003e \u003cul\u003e \u003cli\u003eEcoStruxure Augmented Operator Advisor\u003c/li\u003e \u003cli\u003eEcoStruxure Control Expert (anciennement Unity Pro)\u003c/li\u003e \u003cli\u003eEcoStruxure Hybrid Distributed Control System (DCS)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert (anciennement SoMachine)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert Basic\u003c/li\u003e \u003cli\u003eEcoStruxure Operator Terminal Expert\u003c/li\u003e \u003cli\u003eEurotherm Data Reviewer\u003c/li\u003e \u003cli\u003eEurotherm iTools\u003c/li\u003e \u003cli\u003eeXLhoist Configuration Software\u003c/li\u003e \u003cli\u003eSchneider Electric Floating License Manager\u003c/li\u003e \u003cli\u003eSchneider Electric License Manager\u003c/li\u003e \u003cli\u003eHarmony XB5SSoft\u003c/li\u003e \u003cli\u003eSoMachine Motion\u003c/li\u003e \u003cli\u003eSoMove\u003c/li\u003e \u003cli\u003eVersatile Software BLUE\u003c/li\u003e \u003cli\u003eVijeo Designer\u003c/li\u003e \u003cli\u003eOsiSense XX Configuration Software\u003c/li\u003e \u003cli\u003eZelio Soft 2\u003c/li\u003e \u003c/ul\u003e \u003cp\u003eSchneider Electric Floating License Manager est utilis\u00e9 dans :\u003c/p\u003e \u003cul\u003e \u003cli\u003eEcoStruxure Control Expert (avec licence flottante)\u003c/li\u003e \u003cli\u003eEcoStruxure Control Expert - Asset Link (avec licence flottante)\u003c/li\u003e \u003cli\u003eEcoStruxure Hybrid Distributed Control System (DCS) (anciennement PlantStruxure PES)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert (anciennement SoMachine) (avec licence flottante)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert \u2013 Safety (avec licence flottante)\u003c/li\u003e \u003cli\u003eFacility Expert Online\u003c/li\u003e \u003cli\u003eEcoStruxure Power Monitoring Expert\u003c/li\u003e \u003cli\u003eEcoStruxure Power SCADA Operation (anciennement PowerSCADA Expert et PowerLogic SCADA)\u003c/li\u003e \u003cli\u003eSoMachine Motion (avec licence flottante)\u003c/li\u003e \u003c/ul\u003e ",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-8960",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-8960"
    },
    {
      "name": "CVE-2019-8961",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-8961"
    },
    {
      "name": "CVE-2020-7520",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7520"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-446",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-07-17T00:00:00.000000"
    },
    {
      "description": "Correction de l\u0027ann\u00e9e des cves CVE-2019-8960 et CVE-2019-8961",
      "revision_date": "2020-07-20T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire et un d\u00e9ni de service \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-196-02 du 10 juillet 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-02/"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-196-01 du 10 juillet 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01/"
    }
  ]
}

FKIE_CVE-2020-7520

Vulnerability from fkie_nvd - Published: 2020-07-23 21:15 - Updated: 2024-11-21 05:37

Severity ?

4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	cybersecurity@se.com	https://www.se.com/ww/en/download/document/SEVD-2020-196-01/	Patch, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://www.se.com/ww/en/download/document/SEVD-2020-196-01/	Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	schneider-electric	software_update_utility	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:schneider-electric:software_update_utility:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FED78F42-0A1F-4EB4-A45C-CD781E350508",
              "versionEndIncluding": "2.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim\u0027s machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker\u0027s possession. A man-in-the-middle attack is then used to complete the exploit."
    },
    {
      "lang": "es",
      "value": "CWE-601: Se presenta una vulnerabilidad de Redireccionamiento de URL a un Sitio no Confiable (\"Open Redirect\") en Schneider Electric Software Update (SESU), versiones V2.4.0 y anteriores, lo que podr\u00eda causar una ejecuci\u00f3n de c\u00f3digo malicioso en la m\u00e1quina de la v\u00edctima. A fin de explotar esta vulnerabilidad, un atacante requiere acceso privilegiado sobre la estaci\u00f3n de trabajo de ingenier\u00eda para modificar una clave de registro de Windows que desviar\u00eda todas las actualizaciones de tr\u00e1fico para pasar a trav\u00e9s de un servidor en posesi\u00f3n del atacante. Un ataque man-in-the-middle es usado para completar la explotaci\u00f3n"
    }
  ],
  "id": "CVE-2020-7520",
  "lastModified": "2024-11-21T05:37:18.200",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-23T21:15:12.550",
  "references": [
    {
      "source": "cybersecurity@se.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01/"
    }
  ],
  "sourceIdentifier": "cybersecurity@se.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "cybersecurity@se.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

VAR-202007-1245

Vulnerability from variot - Updated: 2023-12-18 13:51

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202007-1245",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "software update utility",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "schneider electric",
        "version": "2.4.0"
      },
      {
        "model": "software update",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "schneider electric",
        "version": "2.4.0"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008708"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-7520"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:schneider-electric:software_update_utility:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-7520"
      }
    ]
  },
  "cve": "CVE-2020-7520",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 4.9,
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "High",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.0,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-008708",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 4.9,
            "id": "VHN-185645",
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:H/AU:N/C:P/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 1.6,
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "High",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.7,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-008708",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-7520",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-008708",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202007-1423",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-185645",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-185645"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008708"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-7520"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1423"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim\u0027s machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker\u0027s possession. A man-in-the-middle attack is then used to complete the exploit. An attacker could exploit this vulnerability to execute malicious code",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-7520"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008708"
      },
      {
        "db": "VULHUB",
        "id": "VHN-185645"
      }
    ],
    "trust": 1.71
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-7520",
        "trust": 2.5
      },
      {
        "db": "SCHNEIDER",
        "id": "SEVD-2020-196-01",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008708",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1423",
        "trust": 0.7
      },
      {
        "db": "VULHUB",
        "id": "VHN-185645",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-185645"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008708"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-7520"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1423"
      }
    ]
  },
  "id": "VAR-202007-1245",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-185645"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T13:51:48.683000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SEVD-2020-196-01",
        "trust": 0.8,
        "url": "https://www.se.com/ww/en/download/document/sevd-2020-196-01/"
      },
      {
        "title": "Schneider Electric Software Update Enter the fix for the verification error vulnerability",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=125186"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008708"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1423"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-601",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-185645"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008708"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-7520"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "https://www.se.com/ww/en/download/document/sevd-2020-196-01/"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-7520"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-7520"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-185645"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008708"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-7520"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1423"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-185645"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008708"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-7520"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1423"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-07-23T00:00:00",
        "db": "VULHUB",
        "id": "VHN-185645"
      },
      {
        "date": "2020-09-18T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-008708"
      },
      {
        "date": "2020-07-23T21:15:12.550000",
        "db": "NVD",
        "id": "CVE-2020-7520"
      },
      {
        "date": "2020-07-23T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202007-1423"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-07-28T00:00:00",
        "db": "VULHUB",
        "id": "VHN-185645"
      },
      {
        "date": "2020-09-18T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-008708"
      },
      {
        "date": "2020-07-28T18:20:11.417000",
        "db": "NVD",
        "id": "CVE-2020-7520"
      },
      {
        "date": "2020-07-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202007-1423"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1423"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Schneider Electric Software Update Open redirect vulnerability in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008708"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "input validation error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-1423"
      }
    ],
    "trust": 0.6
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-7520 (GCVE-0-2020-7520)

GSD-2020-7520

GHSA-392J-2P2C-C7M3

CERTFR-2020-AVI-446

Solution

CERTFR-2020-AVI-446

Solution

FKIE_CVE-2020-7520

VAR-202007-1245

Tags

Sightings

Nomenclature