FKIE_CVE-2020-7545

Vulnerability from fkie_nvd - Published: 2020-12-01 15:15 - Updated: 2024-11-21 05:37
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-284:Improper Access Control vulnerability exists in EcoStruxureª and SmartStruxureª Power Monitoring and SCADA Software (see security notification for version information) that could allow for arbitrary code execution on the server when an authorized user access an affected webpage.
References
cybersecurity@se.comhttps://www.se.com/ww/en/download/document/SEVD-2020-287-04/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.se.com/ww/en/download/document/SEVD-2020-287-04/Vendor Advisory
Impacted products
Vendor Product Version
schneider-electric ecostruxure_energy_expert 2.0
schneider-electric ecostruxure_power_monitoring_expert 7.0
schneider-electric ecostruxure_power_monitoring_expert 8.0
schneider-electric ecostruxure_power_monitoring_expert 9.0
schneider-electric power_manager 1.1
schneider-electric power_manager 1.2
schneider-electric power_manager 1.3
schneider-electric powerscada_expert_with_advanced_reporting_and_dashboards 8.0
schneider-electric powerscada_operation_with_advanced_reporting_and_dashboards 9.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_energy_expert:2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CDF7DFC6-6F41-491B-A703-6AB0143FE5B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6819EA7A-C803-480F-98DF-44DA144FE488",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "66E928C4-87C8-4BD6-9131-B7D558330CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0BEB4F4B-0B22-47CA-B173-C06C1A925348",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:schneider-electric:power_manager:1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "2FC0093C-00CE-43A8-80EC-0509992E637B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:schneider-electric:power_manager:1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE9A1DF0-42B8-4123-8276-1D4BED156034",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:schneider-electric:power_manager:1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "54A54A8D-40F5-4E75-A524-B81E487DB274",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:schneider-electric:powerscada_expert_with_advanced_reporting_and_dashboards:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3CC2CF9D-8D0C-4FD3-94A2-34A63E297B81",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:schneider-electric:powerscada_operation_with_advanced_reporting_and_dashboards:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC8F406C-868A-443C-8842-6CFFFF17C236",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A CWE-284:Improper Access Control vulnerability exists in EcoStruxure\u00aa and SmartStruxure\u00aa Power Monitoring and SCADA Software (see security notification for version information) that could allow for arbitrary code execution on the server when an authorized user access an affected webpage."
    },
    {
      "lang": "es",
      "value": "Una CWE-284: Se presenta una vulnerabilidad Control de Acceso Inapropiado en el Software EcoStruxure\u00aa y SmartStruxure\u00aa Power Monitoring and SCADA (v\u00e9ase la notificaci\u00f3n de seguridad para la informaci\u00f3n de la versi\u00f3n) que podr\u00eda permitir una ejecuci\u00f3n de c\u00f3digo arbitraria en el servidor cuando un usuario autorizado accede a una p\u00e1gina web afectada"
    }
  ],
  "id": "CVE-2020-7545",
  "lastModified": "2024-11-21T05:37:21.233",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-12-01T15:15:12.297",
  "references": [
    {
      "source": "cybersecurity@se.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-287-04/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-287-04/"
    }
  ],
  "sourceIdentifier": "cybersecurity@se.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "cybersecurity@se.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.