← Back

CVE-2020-15809

nvd nist
Published: Mar 24, 2021Modified: Nov 21, 2024

JSON object

Loading...
6.5
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 / Impact: 3.6
Source: NVD

Description

spxmanage on certain SpinetiX devices allows requests that access unintended resources because of SSRF and Path Traversal. This affects HMP350, HMP300, and DiVA through 4.5.2-1.0.36229; HMP400 and HMP400W through 4.5.2-1.0.2-1eb2ffbd; and DSOS through 4.5.2-1.0.2-1eb2ffbd.

Affected (6)

Spinetix
6 products
Dsos
Hmp350 Firmware
Hmp300 Firmware
Diva Firmware
Hmp400 Firmware
Hmp400w Firmware
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Dsos
Up to 4.5.2-1.0.2-1eb2ffbd
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Hmp350 Firmware
Up to 4.5.2-1.0.36229
Running on/withPlatform Versions
Spinetix
Hmp350
All versions
Configuration C
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Hmp300 Firmware
Up to 4.5.2-1.0.36229
Running on/withPlatform Versions
Spinetix
Hmp300
All versions
Configuration D
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Diva Firmware
Up to 4.5.2-1.0.36229
Running on/withPlatform Versions
Spinetix
Diva
All versions
Configuration E
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Hmp400 Firmware
Up to 4.5.2-1.0.2-1eb2ffbd
Running on/withPlatform Versions
Spinetix
Hmp400
All versions
Configuration F
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Hmp400w Firmware
Up to 4.5.2-1.0.2-1eb2ffbd
Running on/withPlatform Versions
Spinetix
Hmp400w
All versions

Related CWEs

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

Source: cve@mitre.org
Release NotesVendor Advisory
Source: cve@mitre.org
Release NotesVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release NotesVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release NotesVendor Advisory

Timeline

No history available yet.