CVE-2020-12502 Pepperl+Fuchs improper authorization affects multiple Comtrol RocketLinx products

🗓️ 15 Oct 2020 18:42:57Reported by CERTVDEType

CVE-2020-12502 P+F Comtrol RocketLinx unauthorized device admin

Reporter	Title	Published	Views	Family All 11
0day.today	Korenix CSRF / Backdoor Accounts / Command Injection / Missing Authentication Vulnerabilities	1 Jun 202100:00	–	zdt
0day.today	Korenix Technology JetWave CSRF / Command Injection / Missing Authentication Vulnerabilities	5 Feb 202200:00	–	zdt
Circl	CVE-2020-12502	7 Oct 202011:00	–	circl
CVE	CVE-2020-12502	15 Oct 202018:42	–	cve
EUVD	EUVD-2020-4804	7 Oct 202500:30	–	euvd
NVD	CVE-2020-12502	15 Oct 202019:15	–	nvd
OSV	CVE-2020-12502	15 Oct 202019:15	–	osv
Packet Storm	Korenix CSRF / Backdoor Accounts / Command Injection / Missing Authentication	1 Jun 202100:00	–	packetstorm
Packet Storm	Korenix Technology JetWave CSRF / Command Injection / Missing Authentication	4 Feb 202200:00	–	packetstorm
Prion	Authorization	15 Oct 202019:15	–	prion

[
  {
    "product": "P+F Comtrol RocketLinx",
    "vendor": "Pepperl+Fuchs",
    "versions": [
      {
        "status": "affected",
        "version": "ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F,  ES8510-XTE, ES9528/ES9528-XT all"
      },
      {
        "lessThan": "2.1.1",
        "status": "affected",
        "version": "ES7510-XT",
        "versionType": "custom"
      },
      {
        "lessThan": "3.1.1",
        "status": "affected",
        "version": "ES8510",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "P+F Comtrol RocketLinx",
    "vendor": "Pepperl+Fuchs",
    "versions": [
      {
        "lessThanOrEqual": "1.2.3",
        "status": "affected",
        "version": "ICRL-M-8RJ45/4SFP-G-DIN",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "1.2.3",
        "status": "affected",
        "version": "ICRL-M-16RJ45/4CP-G-DIN",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "JetNet",
    "vendor": "Korenix",
    "versions": [
      {
        "lessThanOrEqual": "V1.0",
        "status": "affected",
        "version": "5428G-20SFP",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "V1.1",
        "status": "affected",
        "version": "5810G",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "V2.3b",
        "status": "affected",
        "version": "4706F",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "V3.0b",
        "status": "affected",
        "version": "4510",
        "versionType": "custom"
      },
      {
        "lessThan": "V1.6",
        "status": "affected",
        "version": "5310",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "PMI-110-F2G",
    "vendor": "Westermo",
    "versions": [
      {
        "lessThan": "V1.8",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
cert	www.cert.vde.com/de-de/advisories/vde-2020-040
seclists	www.seclists.org/fulldisclosure/2021/Jun/0
packetstormsecurity	www.packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html
cert	www.cert.vde.com/en-us/advisories/vde-2020-053
packetstormsecurity	www.packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html
sec-consult	www.sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/

04 Feb 2022 19:06Current

8.8High risk

Vulners AI Score8.8

CVSS 3.18.8

EPSS0.01015

CWE-352