← Back

CVE-2021-20827

nvd nist
Published: Dec 24, 2021Modified: Nov 21, 2024

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 / Impact: 3.6
Source: NVD

Description

Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted.

Affected (5)

Idec
5 products
Microsmart Fc6a Firmware
Microsmart Plus Fc6a Firmware
Data File Manager
Windedit
Windldr
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Microsmart Fc6a Firmware
Up to 2.32
Running on/withPlatform Versions
Idec
Microsmart Fc6a
All versions
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Microsmart Plus Fc6a Firmware
Up to 1.91
Running on/withPlatform Versions
Idec
Microsmart Plus Fc6a
All versions
Configuration C
3 vulnerable
Vulnerable SoftwareAffected Versions
Data File Manager
Up to 2.12.1
Windedit
Up to 1.3.1
Windldr
Up to 8.19.1

Related CWEs

CWE-312
Cleartext Storage of Sensitive Information
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

References (4)

Source: vultures@jpcert.or.jp
Third Party Advisory
Source: vultures@jpcert.or.jp
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.