cvelistv5 - cve-2020-8477

CVE-2020-8477 (GCVE-0-2020-8477)

Vulnerability from cvelistv5 – Published: 2020-04-22 14:46 – Updated: 2024-08-04 10:03

Summary

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-79 - Cross-site Scripting (XSS)
CWE-489 - Leftover Debug Code

Assigner

ABB

References

URL

	Vendor	Product	Version
	ABB	System 800xA Information Manager	Affected: 5 , ≤ 5.1 (custom) Affected: 6.0 , ≤ 6.0.3.2 (custom) Affected: 6.1 , < 6.1* (custom)

GSD-2020-8477

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-8477

Aliases

CVE-2020-8477

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-8477",
    "description": "The installations for ABB System 800xA Information Manager versions 5.1, 6.0 to 6.0.3.2 and 6.1 wrongly contain an auxiliary component. An attacker is able to use this for an XSS-like attack to an authenticated local user, which might lead to execution of arbitrary code.",
    "id": "GSD-2020-8477"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-8477"
      ],
      "details": "The installations for ABB System 800xA Information Manager versions 5.1, 6.0 to 6.0.3.2 and 6.1 wrongly contain an auxiliary component. An attacker is able to use this for an XSS-like attack to an authenticated local user, which might lead to execution of arbitrary code.",
      "id": "GSD-2020-8477",
      "modified": "2023-12-13T01:21:53.647118Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cybersecurity@ch.abb.com",
        "ID": "CVE-2020-8477",
        "STATE": "PUBLIC",
        "TITLE": "ABB System 800xA Information Manager Remote Code Execution"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "System 800xA Information Manager",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "5",
                          "version_value": "5.1"
                        },
                        {
                          "version_affected": "\u003c=",
                          "version_name": "6.0",
                          "version_value": "6.0.3.2"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_name": "6.1",
                          "version_value": "6.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "ABB"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The installations for ABB System 800xA Information Manager versions 5.1, 6.0 to 6.0.3.2 and 6.1 wrongly contain an auxiliary component. An attacker is able to use this for an XSS-like attack to an authenticated local user, which might lead to execution of arbitrary code."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-79 Cross-site Scripting (XSS)"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-489 Leftover Debug Code"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
            "refsource": "MISC",
            "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:abb:800xa_information_manager:5.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:800xa_information_manager:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.0.3.2",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:800xa_information_manager:6.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@ch.abb.com",
          "ID": "CVE-2020-8477"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The installations for ABB System 800xA Information Manager versions 5.1, 6.0 to 6.0.3.2 and 6.1 wrongly contain an auxiliary component. An attacker is able to use this for an XSS-like attack to an authenticated local user, which might lead to execution of arbitrary code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2020-04-30T20:27Z",
      "publishedDate": "2020-04-22T15:15Z"
    }
  }
}

ICSA-20-184-02

Vulnerability from csaf_cisa - Published: 2020-07-02 00:00 - Updated: 2020-07-02 00:00

Summary

ABB System 800xA Information Manager

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of this vulnerability could allow an attacker to inject and execute arbitrary code on the information manager server.

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target this vulnerability.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "William Knowles"
        ],
        "organization": "Applied Risk",
        "summary": "reporting this vulnerability to ABB"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could allow an attacker to inject and execute arbitrary code on the information manager server.",
        "title": "Risk evaluation"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target this vulnerability.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-20-184-02 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsa-20-184-02.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-20-184-02 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-20-184-02"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "ABB System 800xA Information Manager",
    "tracking": {
      "current_release_date": "2020-07-02T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-20-184-02",
      "initial_release_date": "2020-07-02T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2020-07-02T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-20-184-02 ABB System 800xA Information Manager"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 6.0.3.3 RU1",
                "product": {
                  "name": "System 800xA Information Manager: Versions prior to 6.0.3.3 RU1",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "System 800xA Information Manager"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 5.1 Rev E/5.1 FP4 Rev E TC6",
                "product": {
                  "name": "System 800xA Information Manager: Versions prior to 5.1 Rev E/5.1 FP4 Rev E TC6",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "System 800xA Information Manager"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 6.1 RU1",
                "product": {
                  "name": "System 800xA Information Manager: Versions prior to 6.1 RU1",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "System 800xA Information Manager"
          }
        ],
        "category": "vendor",
        "name": "ABB"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-8477",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product is vulnerable to a remote code execution attack that may allow an attacker to remotely execute arbitrary code. Successful exploitation of this vulnerability requires luring a user (on a host with the vulnerable IM component installed) to access a malicious website that instructs the user \u0027s browser to load the vulnerable component before passing malicious input. This could cause the Display Services functionality to stop or malfunction.CVE-2020-8477 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8477"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "This vulnerability was corrected in System 800xA of the following versions: 5.1 Rev E/5.1 FP4 E TC6, ABB recommends users on the 5.1 track to install this TC, which can be obtained from technical support upon request.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "This vulnerability was corrected in System 800xA of the following versions: 6.0.3.3 RU1, ABB recommends users on the 6.0.3 LTS track to update 6.0.3.3 and install RU1 for IM.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "This vulnerability was corrected in System 800xA of the following versions: 6.1 RU1, ABB recommends users on the 6.1 track to update to this version.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "The above-mentioned updates are recommended regardless of whether the previously described manual removal of the vulnerable component has been done or not. The IM rollups for 6.0.3.3 and 6.1 can be downloaded from My ABB/My Control System.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Please note this vulnerability can be exploited by remote and unauthenticated users, so users are recommended to ensure only authorized persons have access to plant assets and network and that web browsing from system nodes to external networks is restricted, especially from an IM node.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Check that the usage of the Access Enable key in AC 800M HI and the configured access level of SIL variables corresponds to the risk analysis.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Successful exploitation of this vulnerability requires luring a user to a malicious website. Recommended baseline security practices and firewall configurations can help protect a network and its attached devices from attacks that originate from outside the network.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Recommended baseline security practices and firewall configurations can help protect a network and its attached devices from attacks that originate from outside the network. For example, common practices are for process control systems to be physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that must be evaluated case by case.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Process control and automation systems should not be used for general business functions (e.g., Internet browsing, email, etc.) that are not critical industrial processes. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Recommended practices include that process control systems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system with a minimal number of ports exposed. For more information please refer to ABB\u0027s Cybersecurity Advisory.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ]
    }
  ]
}

CNVD-2020-25013

Vulnerability from cnvd - Published: 2020-04-23

Title

ABB System 800xA Information Manager存在未明漏洞

Description

ABB System 800xA Information Manager是瑞士ABB公司的一套信息管理系统。该系统支持访问自动化系统中所有应用程序的实时和历史信息等。 ABB System 800xA Information Manager 5.1版本、6.0版本至6.0.3.2版本和6.1版本中存在安全漏洞。攻击者可利用该漏洞执行任意代码。

Severity

高

Patch Name

ABB System 800xA Information Manager存在未明漏洞的补丁

Patch Description

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： https://new.abb.com/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-8477

Impacted products

Name
['ABB ABB System 800xA Information Manager 5.1', 'ABB ABB System 800xA Information Manager >=6.0，<=6.0.3.2', 'ABB ABB System 800xA Information Manager 6.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-8477"
    }
  },
  "description": "ABB System 800xA Information Manager\u662f\u745e\u58ebABB\u516c\u53f8\u7684\u4e00\u5957\u4fe1\u606f\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u652f\u6301\u8bbf\u95ee\u81ea\u52a8\u5316\u7cfb\u7edf\u4e2d\u6240\u6709\u5e94\u7528\u7a0b\u5e8f\u7684\u5b9e\u65f6\u548c\u5386\u53f2\u4fe1\u606f\u7b49\u3002\n\nABB System 800xA Information Manager 5.1\u7248\u672c\u30016.0\u7248\u672c\u81f36.0.3.2\u7248\u672c\u548c6.1\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttps://new.abb.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-25013",
  "openTime": "2020-04-23",
  "patchDescription": "ABB System 800xA Information Manager\u662f\u745e\u58ebABB\u516c\u53f8\u7684\u4e00\u5957\u4fe1\u606f\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u652f\u6301\u8bbf\u95ee\u81ea\u52a8\u5316\u7cfb\u7edf\u4e2d\u6240\u6709\u5e94\u7528\u7a0b\u5e8f\u7684\u5b9e\u65f6\u548c\u5386\u53f2\u4fe1\u606f\u7b49\u3002\r\n\r\nABB System 800xA Information Manager 5.1\u7248\u672c\u30016.0\u7248\u672c\u81f36.0.3.2\u7248\u672c\u548c6.1\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "ABB System 800xA Information Manager\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "ABB ABB System 800xA Information Manager 5.1",
      "ABB ABB System 800xA Information Manager \u003e=6.0\uff0c\u003c=6.0.3.2",
      "ABB ABB System 800xA Information Manager 6.1"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-8477",
  "serverity": "\u9ad8",
  "submitTime": "2020-04-23",
  "title": "ABB System 800xA Information Manager\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

FKIE_CVE-2020-8477

Vulnerability from fkie_nvd - Published: 2020-04-22 15:15 - Updated: 2024-11-21 05:38

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	cybersecurity@ch.abb.com	https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory

Impacted products

Vendor	Product	Version
abb	800xa_information_manager	*
abb	800xa_information_manager	5.1
abb	800xa_information_manager	6.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:abb:800xa_information_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4A08380-B93C-462D-8350-79C886FCF48C",
              "versionEndIncluding": "6.0.3.2",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:abb:800xa_information_manager:5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "5990ADCE-C4A5-4153-BE11-B877C23E0186",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:abb:800xa_information_manager:6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BC39FF5F-DE4F-428D-984B-331CC501DC6D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The installations for ABB System 800xA Information Manager versions 5.1, 6.0 to 6.0.3.2 and 6.1 wrongly contain an auxiliary component. An attacker is able to use this for an XSS-like attack to an authenticated local user, which might lead to execution of arbitrary code."
    },
    {
      "lang": "es",
      "value": "Las instalaciones de ABB System 800xA Information Manager versiones 5.1, versiones 6.0 hasta 6.0.3.2 y versi\u00f3n 6.1, contienen incorrectamente un componente auxiliar. Un atacante puede usar esto para un ataque de tipo XSS hacia un usuario local autenticado, lo que podr\u00eda conllevar a una ejecuci\u00f3n de c\u00f3digo arbitrario."
    }
  ],
  "id": "CVE-2020-8477",
  "lastModified": "2024-11-21T05:38:54.967",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "cybersecurity@ch.abb.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-04-22T15:15:14.863",
  "references": [
    {
      "source": "cybersecurity@ch.abb.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    }
  ],
  "sourceIdentifier": "cybersecurity@ch.abb.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        },
        {
          "lang": "en",
          "value": "CWE-489"
        }
      ],
      "source": "cybersecurity@ch.abb.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

VAR-202004-2159

Vulnerability from variot - Updated: 2023-12-18 13:51

The installations for ABB System 800xA Information Manager versions 5.1, 6.0 to 6.0.3.2 and 6.1 wrongly contain an auxiliary component. An attacker is able to use this for an XSS-like attack to an authenticated local user, which might lead to execution of arbitrary code. ABB System 800xA Information Manager Exists in a cross-site scripting vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. The system supports access to real-time and historical information of all applications in the automation system

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202004-2159",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "system 800xa information manager",
        "scope": "eq",
        "trust": 2.0,
        "vendor": "abb",
        "version": "6.1"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 1.8,
        "vendor": "abb",
        "version": "*"
      },
      {
        "model": "system 800xa information manager",
        "scope": "eq",
        "trust": 1.4,
        "vendor": "abb",
        "version": "5.1"
      },
      {
        "model": "800xa information manager",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "abb",
        "version": "6.0.3.2"
      },
      {
        "model": "800xa information manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "abb",
        "version": "5.1"
      },
      {
        "model": "800xa information manager",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "abb",
        "version": "6.0.0"
      },
      {
        "model": "800xa information manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "abb",
        "version": "6.1"
      },
      {
        "model": "system 800xa information manager",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "abb",
        "version": "6.0 \u304b\u3089 6.0.3.2"
      },
      {
        "model": "system 800xa information manager",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "abb",
        "version": "5.1*"
      },
      {
        "model": "system 800xa information manager",
        "scope": "gte",
        "trust": 0.6,
        "vendor": "abb",
        "version": "6.0\u003c=6.0.3.2"
      },
      {
        "model": "system 800xa information manager",
        "scope": "gte",
        "trust": 0.6,
        "vendor": "abb",
        "version": "6.0,\u003c=6.0.3.2"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "12e913e3-3031-4345-a042-2b0d4eacb530"
      },
      {
        "db": "IVD",
        "id": "d08f5232-65f7-48cd-a26b-3ed5516b140f"
      },
      {
        "db": "IVD",
        "id": "860e432b-063b-4999-a116-57846b798bf8"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-25013"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004735"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-8477"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:abb:800xa_information_manager:5.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:800xa_information_manager:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.0.3.2",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:800xa_information_manager:6.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-8477"
      }
    ]
  },
  "cve": "CVE-2020-8477",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 6.8,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-004735",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2020-25013",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "12e913e3-3031-4345-a042-2b0d4eacb530",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "d08f5232-65f7-48cd-a26b-3ed5516b140f",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "860e432b-063b-4999-a116-57846b798bf8",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "VHN-186602",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 8.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-004735",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-8477",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "cybersecurity@ch.abb.com",
            "id": "CVE-2020-8477",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-004735",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2020-25013",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202004-1906",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "12e913e3-3031-4345-a042-2b0d4eacb530",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "d08f5232-65f7-48cd-a26b-3ed5516b140f",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "860e432b-063b-4999-a116-57846b798bf8",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-186602",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "12e913e3-3031-4345-a042-2b0d4eacb530"
      },
      {
        "db": "IVD",
        "id": "d08f5232-65f7-48cd-a26b-3ed5516b140f"
      },
      {
        "db": "IVD",
        "id": "860e432b-063b-4999-a116-57846b798bf8"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-25013"
      },
      {
        "db": "VULHUB",
        "id": "VHN-186602"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004735"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-8477"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-8477"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1906"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The installations for ABB System 800xA Information Manager versions 5.1, 6.0 to 6.0.3.2 and 6.1 wrongly contain an auxiliary component. An attacker is able to use this for an XSS-like attack to an authenticated local user, which might lead to execution of arbitrary code. ABB System 800xA Information Manager Exists in a cross-site scripting vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. The system supports access to real-time and historical information of all applications in the automation system",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-8477"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004735"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-25013"
      },
      {
        "db": "IVD",
        "id": "12e913e3-3031-4345-a042-2b0d4eacb530"
      },
      {
        "db": "IVD",
        "id": "d08f5232-65f7-48cd-a26b-3ed5516b140f"
      },
      {
        "db": "IVD",
        "id": "860e432b-063b-4999-a116-57846b798bf8"
      },
      {
        "db": "VULHUB",
        "id": "VHN-186602"
      }
    ],
    "trust": 2.79
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-8477",
        "trust": 3.7
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-20-184-02",
        "trust": 1.4
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-25013",
        "trust": 1.3
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1906",
        "trust": 1.3
      },
      {
        "db": "JVN",
        "id": "JVNVU96482880",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004735",
        "trust": 0.8
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.2295",
        "trust": 0.6
      },
      {
        "db": "NSFOCUS",
        "id": "46753",
        "trust": 0.6
      },
      {
        "db": "IVD",
        "id": "12E913E3-3031-4345-A042-2B0D4EACB530",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "D08F5232-65F7-48CD-A26B-3ED5516B140F",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "860E432B-063B-4999-A116-57846B798BF8",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-186602",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "12e913e3-3031-4345-a042-2b0d4eacb530"
      },
      {
        "db": "IVD",
        "id": "d08f5232-65f7-48cd-a26b-3ed5516b140f"
      },
      {
        "db": "IVD",
        "id": "860e432b-063b-4999-a116-57846b798bf8"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-25013"
      },
      {
        "db": "VULHUB",
        "id": "VHN-186602"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004735"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-8477"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1906"
      }
    ]
  },
  "id": "VAR-202004-2159",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "12e913e3-3031-4345-a042-2b0d4eacb530"
      },
      {
        "db": "IVD",
        "id": "d08f5232-65f7-48cd-a26b-3ed5516b140f"
      },
      {
        "db": "IVD",
        "id": "860e432b-063b-4999-a116-57846b798bf8"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-25013"
      },
      {
        "db": "VULHUB",
        "id": "VHN-186602"
      }
    ],
    "trust": 2.08571427
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 1.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "12e913e3-3031-4345-a042-2b0d4eacb530"
      },
      {
        "db": "IVD",
        "id": "d08f5232-65f7-48cd-a26b-3ed5516b140f"
      },
      {
        "db": "IVD",
        "id": "860e432b-063b-4999-a116-57846b798bf8"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-25013"
      }
    ]
  },
  "last_update_date": "2023-12-18T13:51:55.072000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SECURITY System 800xA InformationManager - Remote Code Execution",
        "trust": 0.8,
        "url": "https://search.abb.com/library/download.aspx?documentid=2paa121232\u0026languagecode=en\u0026documentpartid=\u0026action=launch"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004735"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-186602"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004735"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-8477"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.0,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-8477"
      },
      {
        "trust": 1.6,
        "url": "https://search.abb.com/library/download.aspx?documentid=2paa121232\u0026languagecode=en\u0026documentpartid=\u0026action=launch"
      },
      {
        "trust": 1.4,
        "url": "https://www.us-cert.gov/ics/advisories/icsa-20-184-02"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-8477"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu96482880/"
      },
      {
        "trust": 0.6,
        "url": "http://www.nsfocus.net/vulndb/46753"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.2295/"
      },
      {
        "trust": 0.1,
        "url": "https://search.abb.com/library/download.aspx?documentid=2paa121232\u0026amp;languagecode=en\u0026amp;documentpartid=\u0026amp;action=launch"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-25013"
      },
      {
        "db": "VULHUB",
        "id": "VHN-186602"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004735"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-8477"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1906"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "12e913e3-3031-4345-a042-2b0d4eacb530"
      },
      {
        "db": "IVD",
        "id": "d08f5232-65f7-48cd-a26b-3ed5516b140f"
      },
      {
        "db": "IVD",
        "id": "860e432b-063b-4999-a116-57846b798bf8"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-25013"
      },
      {
        "db": "VULHUB",
        "id": "VHN-186602"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004735"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-8477"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1906"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-04-22T00:00:00",
        "db": "IVD",
        "id": "12e913e3-3031-4345-a042-2b0d4eacb530"
      },
      {
        "date": "2020-04-22T00:00:00",
        "db": "IVD",
        "id": "d08f5232-65f7-48cd-a26b-3ed5516b140f"
      },
      {
        "date": "2020-04-22T00:00:00",
        "db": "IVD",
        "id": "860e432b-063b-4999-a116-57846b798bf8"
      },
      {
        "date": "2020-04-23T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-25013"
      },
      {
        "date": "2020-04-22T00:00:00",
        "db": "VULHUB",
        "id": "VHN-186602"
      },
      {
        "date": "2020-05-26T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-004735"
      },
      {
        "date": "2020-04-22T15:15:14.863000",
        "db": "NVD",
        "id": "CVE-2020-8477"
      },
      {
        "date": "2020-04-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202004-1906"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-02-23T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-25013"
      },
      {
        "date": "2020-04-30T00:00:00",
        "db": "VULHUB",
        "id": "VHN-186602"
      },
      {
        "date": "2020-07-06T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-004735"
      },
      {
        "date": "2020-04-30T20:27:07.033000",
        "db": "NVD",
        "id": "CVE-2020-8477"
      },
      {
        "date": "2020-07-06T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202004-1906"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1906"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "ABB System 800xA Information Manager Cross-site scripting vulnerability in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004735"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "other",
    "sources": [
      {
        "db": "IVD",
        "id": "12e913e3-3031-4345-a042-2b0d4eacb530"
      },
      {
        "db": "IVD",
        "id": "d08f5232-65f7-48cd-a26b-3ed5516b140f"
      },
      {
        "db": "IVD",
        "id": "860e432b-063b-4999-a116-57846b798bf8"
      }
    ],
    "trust": 0.6
  }
}

GHSA-H92G-5H7R-QG2W

Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2022-05-24 17:16

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-8477"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-22T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The installations for ABB System 800xA Information Manager versions 5.1, 6.0 to 6.0.3.2 and 6.1 wrongly contain an auxiliary component. An attacker is able to use this for an XSS-like attack to an authenticated local user, which might lead to execution of arbitrary code.",
  "id": "GHSA-h92g-5h7r-qg2w",
  "modified": "2022-05-24T17:16:11Z",
  "published": "2022-05-24T17:16:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8477"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-8477 (GCVE-0-2020-8477)

GSD-2020-8477

ICSA-20-184-02

CNVD-2020-25013

FKIE_CVE-2020-8477

VAR-202004-2159

GHSA-H92G-5H7R-QG2W

Tags

Sightings

Nomenclature