CVE-2020-17503 - OpenCVE

The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameter "locking" is not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Barco	Transform Ndn-211 Pro Transform Ndn-210 Pro Transform Ndn-211 Lite Transform Ndn-210 Lite Transform N

Configuration 1 [-]

AND

cpe:2.3:o:barco:transform_n:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:barco:transform_ndn-210_lite:-:::::::*
	cpe:2.3:h:barco:transform_ndn-210_pro:-:::::::*
	cpe:2.3:h:barco:transform_ndn-211_lite:-:::::::*
	cpe:2.3:h:barco:transform_ndn-211_pro:-:::::::*

References

Link	Resource
https://www.barco.com/en/support/cms	Vendor Advisory
https://www.barco.com/en/support/knowledge-base/kb11589	Vendor Advisory
https://www.barco.com/en/support/transform-n-management-server	Product Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-01-08T17:17:37

Updated: 2021-01-08T17:17:37

Reserved: 2020-08-12T00:00:00

Link: CVE-2020-17503

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-01-08T18:15:13.090

Modified: 2021-01-14T15:30:51.413

Link: CVE-2020-17503

JSON object: View

Redhat Information

No data.

CWE

CWE-77

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameter \"locking\" is not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-08T17:17:37", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.barco.com/en/support/transform-n-management-server"}, {"tags": ["x_refsource_MISC"], "url": "https://www.barco.com/en/support/cms"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.barco.com/en/support/knowledge-base/kb11589"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-17503", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameter \"locking\" is not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.barco.com/en/support/transform-n-management-server", "refsource": "MISC", "url": "https://www.barco.com/en/support/transform-n-management-server"}, {"name": "https://www.barco.com/en/support/cms", "refsource": "MISC", "url": "https://www.barco.com/en/support/cms"}, {"name": "https://www.barco.com/en/support/knowledge-base/kb11589", "refsource": "CONFIRM", "url": "https://www.barco.com/en/support/knowledge-base/kb11589"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-17503", "datePublished": "2021-01-08T17:17:37", "dateReserved": "2020-08-12T00:00:00", "dateUpdated": "2021-01-08T17:17:37", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:barco:transform_n:*:*:*:*:*:*:*:*", "matchCriteriaId": "094B6FC0-DA52-4C94-8992-13522E60090C", "versionEndExcluding": "3.8", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:barco:transform_ndn-210_lite:-:*:*:*:*:*:*:*", "matchCriteriaId": "2BD8D359-AD98-4C2E-BBB6-16E4D00C9FA8", "vulnerable": false}, {"criteria": "cpe:2.3:h:barco:transform_ndn-210_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "44DD99C7-46AC-43FF-86AB-0B4CC222C902", "vulnerable": false}, {"criteria": "cpe:2.3:h:barco:transform_ndn-211_lite:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8BF9D72-7D56-4E72-A66C-62D4232C57B6", "vulnerable": false}, {"criteria": "cpe:2.3:h:barco:transform_ndn-211_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "C9F7E77D-CCD3-4FF6-8D5E-0F745136B339", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameter \"locking\" is not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards."}, {"lang": "es", "value": "El NDN-210 presenta un panel de administraci\u00f3n web que est\u00e1 disponible a trav\u00e9s de https. Se presenta un problema de inyecci\u00f3n de comando que permitir\u00e1 a usuarios autenticados en el panel de administraci\u00f3n llevar a cabo una ejecuci\u00f3n de c\u00f3digo remota autenticada. Se presenta un problema en el archivo split_card_cmd.php en el que el par\u00e1metro http \"locking\" no es manejado apropiadamente. El NDN-210 es parte de la soluci\u00f3n de Barco TransForm N y esta vulnerabilidad est\u00e1 parcheada a partir de TransForm N versi\u00f3n 3.8 en adelante"}], "id": "CVE-2020-17503", "lastModified": "2021-01-14T15:30:51.413", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-08T18:15:13.090", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.barco.com/en/support/cms"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.barco.com/en/support/knowledge-base/kb11589"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://www.barco.com/en/support/transform-n-management-server"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}