CVE-2020-12500

Published: Oct 15, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD (Secondary)

Description

Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) allows unauthenticated device administration.

Affected (13)

Products: Pepperl Fuchs: Es7510 Xt Firmware, Es8509 Xt Firmware, Es8510 Xt Firmware, Es9528 Xtv2 Firmware, Es7506 Firmware, Es7510 Firmware, Es7528 Firmware, Es8508 Firmware, Es8508f Firmware, Es8510 Firmware, Es8510 Xte Firmware, Es9528 Firmware, Es9528 Xt Firmware

13 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Pepperl Fuchs Es7510 Xt Firmware	All versions

Running on/with	Platform Versions
Pepperl Fuchs Es7510 Xt	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Pepperl Fuchs Es8509 Xt Firmware	All versions

Running on/with	Platform Versions
Pepperl Fuchs Es8509 Xt	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Pepperl Fuchs Es8510 Xt Firmware	All versions

Running on/with	Platform Versions
Pepperl Fuchs Es8510 Xt	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Pepperl Fuchs Es9528 Xtv2 Firmware	All versions

Running on/with	Platform Versions
Pepperl Fuchs Es9528 Xtv2	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Pepperl Fuchs Es7506 Firmware	All versions

Running on/with	Platform Versions
Pepperl Fuchs Es7506	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Pepperl Fuchs Es7510 Firmware	All versions

Running on/with	Platform Versions
Pepperl Fuchs Es7510	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Pepperl Fuchs Es7528 Firmware	All versions

Running on/with	Platform Versions
Pepperl Fuchs Es7528	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Pepperl Fuchs Es8508 Firmware	All versions

Running on/with	Platform Versions
Pepperl Fuchs Es8508	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Pepperl Fuchs Es8508f Firmware	All versions

Running on/with	Platform Versions
Pepperl Fuchs Es8508f	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Pepperl Fuchs Es8510 Firmware	All versions

Running on/with	Platform Versions
Pepperl Fuchs Es8510	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Pepperl Fuchs Es8510 Xte Firmware	All versions

Running on/with	Platform Versions
Pepperl Fuchs Es8510 Xte	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Pepperl Fuchs Es9528 Firmware	All versions

Running on/with	Platform Versions
Pepperl Fuchs Es9528	All versions

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Pepperl Fuchs Es9528 Xt Firmware	All versions

Running on/with	Platform Versions
Pepperl Fuchs Es9528 Xt	All versions

Related CWEs

CWE-306

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (10)

http://packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html

Source: info@cert.vde.com

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html

Source: info@cert.vde.com

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2021/Jun/0

Source: info@cert.vde.com

ExploitMailing ListThird Party Advisory

https://cert.vde.com/de-de/advisories/vde-2020-040

Source: info@cert.vde.com

Third Party Advisory

https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/

Source: info@cert.vde.com

Third Party Advisory

http://packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html