CVE-2020-28221

Published: Jan 26, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

A CWE-20: Improper Input Validation vulnerability exists in EcoStruxure™ Operator Terminal Expert and Pro-face BLUE (version details in the notification) that could cause arbitrary code execution when the Ethernet Download feature is enable on the HMI.

Affected (4)

Products: Schneider Electric: Ecostruxure Operator Terminal Expert, Pro Face Blue

Schneider Electric

2 products

Ecostruxure Operator Terminal Expert

Pro Face Blue

Configuration A

2 vulnerable · 14 platform

Vulnerable Software	Affected Versions
Schneider Electric Ecostruxure Operator Terminal Expert	Version 3.1
Schneider Electric Ecostruxure Operator Terminal Expert	Version 3.1 sp1a

Running on/with	Platform Versions
Schneider Electric Hmi Sto 501	All versions
Schneider Electric Hmi Sto 511	All versions
Schneider Electric Hmi Sto 512	All versions
Schneider Electric Hmi Sto 531	All versions
Schneider Electric Hmi Sto 532	All versions
Schneider Electric Hmig3u	All versions
Schneider Electric Hmig3x	All versions
Schneider Electric Hmig5u	All versions
Schneider Electric Hmig5u2	All versions
Schneider Electric Hmist6200	All versions
Schneider Electric Hmist6400	All versions
Schneider Electric Hmist6500	All versions
Schneider Electric Hmist6600	All versions
Schneider Electric Hmist6700	All versions

Configuration B

2 vulnerable · 26 platform

Vulnerable Software	Affected Versions
Schneider Electric Pro Face Blue	Version 3.1
Schneider Electric Pro Face Blue	Version 3.1 sp1a

Running on/with	Platform Versions
Schneider Electric Gp 4104g	All versions
Schneider Electric Gp 4104w	All versions
Schneider Electric Gp 4105g	All versions
Schneider Electric Gp 4105w	All versions
Schneider Electric Gp 4106g	All versions
Schneider Electric Gp 4106w	All versions
Schneider Electric Gp 4107g	All versions
Schneider Electric Gp 4107w	All versions
Schneider Electric Sp 5400wa	All versions
Schneider Electric Sp 5500tp	All versions
Schneider Electric Sp 5500wa	All versions
Schneider Electric Sp 5600ta	All versions
Schneider Electric Sp 5600tp	All versions
Schneider Electric Sp 5600wa	All versions
Schneider Electric Sp 5660tp	All versions
Schneider Electric Sp 5700tp	All versions
Schneider Electric Sp 5700wc	All versions
Schneider Electric Sp 5800wc	All versions
Schneider Electric Sp 5b00	All versions
Schneider Electric Sp 5b10	All versions
Schneider Electric Sp 5b41	All versions
Schneider Electric St 6200wa	All versions
Schneider Electric St 6400wa	All versions
Schneider Electric St 6500wa	All versions
Schneider Electric St 6600wa	All versions
Schneider Electric St 6700wa	All versions

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

https://www.se.com/ww/en/download/document/SEVD-2021-012-01/

Source: cybersecurity@se.com

PatchVendor Advisory

https://www.se.com/ww/en/download/document/SEVD-2021-012-01/

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.