Lucene search

[email protected]CVE-2020-7541

HistoryDec 11, 2020 - 1:15 a.m.

CVE-2020-7541

2020-12-1101:15:00

CWE-425

[email protected]

web.nvd.nist.gov

cve-2020-7541

cwe-425

direct request

forced browsing

vulnerability

modicon m340

modicon quantum

modicon premium

sensitive data disclosure

http

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

6.6 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

35.4%

JSON

A CWE-425: Direct Request (‘Forced Browsing’) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.

CPENameOperatorVersion
schneider-electric:modicon_m340_bmxp341000_firmwareschneider-electric modicon m340 bmxp341000 firmwarelt3.30
schneider-electric:modicon_m340_bmxp342000_firmwareschneider-electric modicon m340 bmxp342000 firmwarelt3.30
schneider-electric:modicon_m340_bmxp3420102_firmwareschneider-electric modicon m340 bmxp3420102 firmwarelt3.30
schneider-electric:modicon_m340_bmxp3420102cl_firmwareschneider-electric modicon m340 bmxp3420102cl firmwarelt3.30
schneider-electric:modicon_m340_bmxp342020_firmwareschneider-electric modicon m340 bmxp342020 firmwarelt3.30
schneider-electric:modicon_m340_bmxp3420302_firmwareschneider-electric modicon m340 bmxp3420302 firmwarelt3.30
schneider-electric:modicon_m340_bmxp3420302cl_firmwareschneider-electric modicon m340 bmxp3420302cl firmwarelt3.30
schneider-electric:bmxnoe0100_firmwareschneider-electric bmxnoe0100 firmwarelt3.3
schneider-electric:bmxnoe0110_firmwareschneider-electric bmxnoe0110 firmwarelt6.5
schneider-electric:bmxnoc0401_firmwareschneider-electric bmxnoc0401 firmwarelt2.10

CPE	Name	Operator	Version
schneider-electric:modicon_m340_bmxp341000_firmware	schneider-electric modicon m340 bmxp341000 firmware	lt	3.30
schneider-electric:modicon_m340_bmxp342000_firmware	schneider-electric modicon m340 bmxp342000 firmware	lt	3.30
schneider-electric:modicon_m340_bmxp3420102_firmware	schneider-electric modicon m340 bmxp3420102 firmware	lt	3.30
schneider-electric:modicon_m340_bmxp3420102cl_firmware	schneider-electric modicon m340 bmxp3420102cl firmware	lt	3.30
schneider-electric:modicon_m340_bmxp342020_firmware	schneider-electric modicon m340 bmxp342020 firmware	lt	3.30
schneider-electric:modicon_m340_bmxp3420302_firmware	schneider-electric modicon m340 bmxp3420302 firmware	lt	3.30
schneider-electric:modicon_m340_bmxp3420302cl_firmware	schneider-electric modicon m340 bmxp3420302cl firmware	lt	3.30
schneider-electric:bmxnoe0100_firmware	schneider-electric bmxnoe0100 firmware	lt	3.3
schneider-electric:bmxnoe0110_firmware	schneider-electric bmxnoe0110 firmware	lt	6.5
schneider-electric:bmxnoc0401_firmware	schneider-electric bmxnoc0401 firmware	lt	2.10

Rows per page:

1-10 of 201

References

www.se.com/ww/en/download/document/SEVD-2020-343-03/

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

6.6 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

35.4%

JSON

Related for CVE-2020-7541

cvelist1 prion1 nessus1