CVE-2020-12495

Published: Nov 19, 2020Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) with Firmware version prior to V2.0.0 is prone to improper privilege management. The affected device has a web-based user interface with a role-based access system. Users with different roles have different write and read privileges. The access system is based on dynamic "tokens". The vulnerability is that user sessions are not closed correctly and a user with fewer rights is assigned the higher rights when he logs on.

Affected (4)

Products: Endress: Rsg35 Firmware, Rsg45 Firmware, Orsg35 Firmware, Orsg45 Firmware

4 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Endress Rsg35 Firmware	Before 2.0.0

Running on/with	Platform Versions
Endress Rsg35	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Endress Rsg45 Firmware	Before 2.0.0

Running on/with	Platform Versions
Endress Rsg45	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Endress Orsg35 Firmware	Before 2.0.0

Running on/with	Platform Versions
Endress Orsg35	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Endress Orsg45 Firmware	Before 2.0.0

Running on/with	Platform Versions
Endress Orsg45	All versions

Related CWEs

CWE-269

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (2)

https://cert.vde.com/en-us/advisories/vde-2020-021

Source: info@cert.vde.com

Vendor Advisory

https://cert.vde.com/en-us/advisories/vde-2020-021

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.