FKIE_CVE-2020-14502

Vulnerability from fkie_nvd - Published: 2022-02-24 19:15 - Updated: 2025-04-17 19:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
The web interface of the 1734-AENTR communication module is vulnerable to stored XSS. A remote, unauthenticated attacker could store a malicious script within the web interface that, when executed, could modify some string values on the homepage of the web interface.
References
ics-cert@hq.dhs.govhttps://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01Mitigation, Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01Mitigation, Third Party Advisory, US Government Resource
Impacted products
Vendor Product Version
rockwellautomation 1734-aentr_point_i\/o_dual_port_network_adaptor_series_b_firmware *
rockwellautomation 1734-aentr_point_i\/o_dual_port_network_adaptor_series_b_firmware *
rockwellautomation 1734-aentr_point_i\/o_dual_port_network_adaptor_series_b -
rockwellautomation 1734-aentr_point_i\/o_dual_port_network_adaptor_series_c_firmware 6.011
rockwellautomation 1734-aentr_point_i\/o_dual_port_network_adaptor_series_c_firmware 6.012
rockwellautomation 1734-aentr_point_i\/o_dual_port_network_adaptor_series_c -
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:rockwellautomation:1734-aentr_point_i\\/o_dual_port_network_adaptor_series_b_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC7EE03C-DA81-40CC-B522-8483E5481DCB",
              "versionEndIncluding": "4.005",
              "versionStartIncluding": "4.001",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:rockwellautomation:1734-aentr_point_i\\/o_dual_port_network_adaptor_series_b_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "593FCDBB-E5D0-4E57-B10C-3FA3C72CDD75",
              "versionEndIncluding": "5.017",
              "versionStartIncluding": "5.011",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:rockwellautomation:1734-aentr_point_i\\/o_dual_port_network_adaptor_series_b:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "EAD4BA02-28F4-4138-9E52-C12042DD997C",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:rockwellautomation:1734-aentr_point_i\\/o_dual_port_network_adaptor_series_c_firmware:6.011:*:*:*:*:*:*:*",
              "matchCriteriaId": "B44E467A-31EE-46BE-82AA-101C7C2EDC7A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:rockwellautomation:1734-aentr_point_i\\/o_dual_port_network_adaptor_series_c_firmware:6.012:*:*:*:*:*:*:*",
              "matchCriteriaId": "46D0F84C-6F68-4E2D-99AF-FA9E0682A24C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:rockwellautomation:1734-aentr_point_i\\/o_dual_port_network_adaptor_series_c:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "490F9ECB-1303-4457-9D20-8ADAC160AF6C",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The web interface of the 1734-AENTR communication module is vulnerable to stored XSS. A remote, unauthenticated attacker could store a malicious script within the web interface that, when executed, could modify some string values on the homepage of the web interface."
    },
    {
      "lang": "es",
      "value": "La interfaz web del m\u00f3dulo de comunicaci\u00f3n 1734-AENTR es vulnerable a un ataque de tipo XSS almacenado. Un atacante remoto no autenticado podr\u00eda almacenar un script malicioso dentro de la interfaz web que, cuando sea ejecutado, podr\u00eda modificar algunos valores de cadena en la p\u00e1gina de inicio de la interfaz web"
    }
  ],
  "id": "CVE-2020-14502",
  "lastModified": "2025-04-17T19:15:50.403",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2022-02-24T19:15:08.900",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.