← Back

CVE-2020-28209

nvd nist
Published: Nov 19, 2020Modified: May 28, 2026

JSON object

Loading...
7.0
Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.0 / Impact: 5.9
Source: NVD

Description

A CWE-428 Windows Unquoted Search Path vulnerability exists in EcoStruxure Building Operation Enterprise Server installer V1.9 - V3.1 and Enterprise Central installer V2.0 - V3.1 that could cause any local Windows user who has write permission on at least one of the subfolders of the Connect Agent service binary path, being able to gain the privilege of the user who started the service. By default, the Enterprise Server and Enterprise Central is always installed at a location requiring Administrator privileges so the vulnerability is only valid if the application has been installed on a non-secure location.

Affected (1)

Schneider Electric
1 product
Enterprise Server Installer
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Enterprise Server Installer
From 1.9 to 3.1
Running on/withPlatform Versions
Microsoft
Windows
All versions

Related CWEs

CWE-428
Unquoted Search Path or Element
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

References (2)

Source: cybersecurity@se.com
PatchProductVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchProductVendor Advisory

Timeline

No history available yet.