CVE-2020-7496 - OpenCVE

A CWE-88: Argument Injection or Modification vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)which could cause unauthorized write access when opening the project file.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Se	Ecostruxure Operator Terminal Expert

Configuration 1 [-]

OR	cpe:2.3:a:se:ecostruxure_operator_terminal_expert::::::::
	cpe:2.3:a:se:ecostruxure_operator_terminal_expert:3.1:-::::::
	cpe:2.3:a:se:ecostruxure_operator_terminal_expert:3.1:sp1::::::

References

Link	Resource
https://www.se.com/ww/en/download/document/SEVD-2020-133-04	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2020-06-16T19:13:29

Updated: 2020-06-16T19:13:29

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7496

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-06-16T20:15:14.537

Modified: 2020-06-18T19:58:15.077

Link: CVE-2020-7496

JSON object: View

Redhat Information

No data.

CWE

CWE-88

{"containers": {"cna": {"affected": [{"product": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)", "vendor": "n/a", "versions": [{"status": "affected", "version": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)"}]}], "descriptions": [{"lang": "en", "value": "A CWE-88: Argument Injection or Modification vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)which could cause unauthorized write access when opening the project file."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "description": "CWE-88: Argument Injection or Modification", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-16T19:13:29", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2020-7496", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)", "version": {"version_data": [{"version_value": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CWE-88: Argument Injection or Modification vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)which could cause unauthorized write access when opening the project file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-88: Argument Injection or Modification"}]}]}, "references": {"reference_data": [{"name": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04", "refsource": "MISC", "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04"}]}}}}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2020-7496", "datePublished": "2020-06-16T19:13:29", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2020-06-16T19:13:29", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:se:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3A5586F-7936-4688-8F89-8CDF9ED82188", "versionEndIncluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:se:ecostruxure_operator_terminal_expert:3.1:-:*:*:*:*:*:*", "matchCriteriaId": "01632EE4-278F-4002-9147-1257FC934152", "vulnerable": true}, {"criteria": "cpe:2.3:a:se:ecostruxure_operator_terminal_expert:3.1:sp1:*:*:*:*:*:*", "matchCriteriaId": "063E73FF-C561-4A6C-B869-23BD60798BF0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A CWE-88: Argument Injection or Modification vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)which could cause unauthorized write access when opening the project file."}, {"lang": "es", "value": "Una CWE-88: Se presenta una vulnerabilidad de Inyecci\u00f3n de Argumentos o Modificaci\u00f3n en EcoStruxure Operator Terminal Expert versiones 3.1, Service Pack 1 y anteriores (anteriormente conocido como Vijeo XD) que podr\u00eda causar un acceso de escritura no autorizado cuando se abre el archivo del proyecto"}], "id": "CVE-2020-7496", "lastModified": "2020-06-18T19:58:15.077", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-16T20:15:14.537", "references": [{"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-88"}], "source": "cybersecurity@se.com", "type": "Secondary"}]}