CVE-2020-12527 - Vulnerability Details - OpenCVE

An issue was discovered in MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2. Improper access validation allows a logged in user to shutdown or reboot devices in his account without having corresponding permissions.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00146.

Key SSVC decision points have not yet been added.

Vendors	Products
Helmholz	Myrex24 Myrex24.virtual
Mbconnectline	Mbconnect24 Mymbconnect24

Configuration 1 [-]

OR	cpe:2.3:a:mbconnectline:mbconnect24::::::::
	cpe:2.3:a:mbconnectline:mymbconnect24::::::::

Configuration 2 [-]

OR	cpe:2.3:a:helmholz:myrex24::::::::
	cpe:2.3:a:helmholz:myrex24.virtual::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2020-4829	An issue was discovered in MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2. Improper access validation allows a logged in user to shutdown or reboot devices in his account without having corresponding permissions.

Fixes

Solution

Update to v2.12.1

Workaround

No workaround given by the vendor.

References

Link	Providers
https://cert.vde.com/en/advisories/VDE-2021-003
https://cert.vde.com/en/advisories/VDE-2022-039

History

No history.

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2021-03-02T21:15:24.885533Z

Updated: 2024-09-16T20:43:07.472Z

Reserved: 2020-04-30T00:00:00

Link: CVE-2020-12527

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-03-02T22:15:12.387

Modified: 2024-11-21T04:59:52.400

Link: CVE-2020-12527

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "mymbCONNECT24", "vendor": "MB connect line", "versions": [{"lessThanOrEqual": "2.11.2", "status": "affected", "version": "2.6.2", "versionType": "custom"}]}, {"product": "mbCONNECT24", "vendor": "MB connect line", "versions": [{"lessThanOrEqual": "2.11.2", "status": "affected", "version": "2.6.2", "versionType": "custom"}]}, {"product": "myREX24", "vendor": "Helmholz", "versions": [{"lessThanOrEqual": "2.11.2", "status": "affected", "version": "2", "versionType": "custom"}]}, {"product": "myREX24.virtual", "vendor": "Helmholz", "versions": [{"status": "affected", "version": "2.11.2"}]}], "credits": [{"lang": "en", "value": "OTORIO reported the vulnerabilities to MB connect line. CERT@VDE coordinated."}], "datePublic": "2022-09-07T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2. Improper access validation allows a logged in user to shutdown or reboot devices in his account without having corresponding permissions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-16T06:10:07", "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://cert.vde.com/en/advisories/VDE-2021-003"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert.vde.com/en/advisories/VDE-2022-039"}], "solutions": [{"lang": "en", "value": "Update to v2.12.1"}], "source": {"advisory": "VDE-2021-003", "discovery": "EXTERNAL"}, "title": "Improper Access Validation in products of MB connect line and Helmholz", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "info@cert.vde.com", "DATE_PUBLIC": "2022-09-07T12:50:00.000Z", "ID": "CVE-2020-12527", "STATE": "PUBLIC", "TITLE": "Improper Access Validation in products of MB connect line and Helmholz"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "mymbCONNECT24", "version": {"version_data": [{"version_affected": "<=", "version_name": "2.6.2", "version_value": "2.11.2"}]}}, {"product_name": "mbCONNECT24", "version": {"version_data": [{"version_affected": "<=", "version_name": "2.6.2", "version_value": "2.11.2"}]}}]}, "vendor_name": "MB connect line"}, {"product": {"product_data": [{"product_name": "myREX24", "version": {"version_data": [{"version_affected": "<=", "version_name": "2", "version_value": "2.11.2"}]}}, {"product_name": "myREX24.virtual", "version": {"version_data": [{"version_name": "2", "version_value": "2.11.2"}]}}]}, "vendor_name": "Helmholz"}]}}, "credit": [{"lang": "eng", "value": "OTORIO reported the vulnerabilities to MB connect line. CERT@VDE coordinated."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2. Improper access validation allows a logged in user to shutdown or reboot devices in his account without having corresponding permissions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-269 Improper Privilege Management"}]}]}, "references": {"reference_data": [{"name": "https://cert.vde.com/en/advisories/VDE-2021-003", "refsource": "CONFIRM", "url": "https://cert.vde.com/en/advisories/VDE-2021-003"}, {"name": "https://cert.vde.com/en/advisories/VDE-2022-039", "refsource": "CONFIRM", "url": "https://cert.vde.com/en/advisories/VDE-2022-039"}]}, "solution": [{"lang": "en", "value": "Update to v2.12.1"}], "source": {"advisory": "VDE-2021-003", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:56:52.131Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert.vde.com/en/advisories/VDE-2021-003"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert.vde.com/en/advisories/VDE-2022-039"}]}]}, "cveMetadata": {"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "assignerShortName": "CERTVDE", "cveId": "CVE-2020-12527", "datePublished": "2021-03-02T21:15:24.885533Z", "dateReserved": "2020-04-30T00:00:00", "dateUpdated": "2024-09-16T20:43:07.472Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mbconnectline:mbconnect24:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D55D697-78A4-44E3-B6B6-E5349C610148", "versionEndIncluding": "2.11.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:mbconnectline:mymbconnect24:*:*:*:*:*:*:*:*", "matchCriteriaId": "04561EEC-B011-46F8-8C56-E5546D0ECD6A", "versionEndIncluding": "2.11.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:helmholz:myrex24:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EE3EED2-43AC-4129-B2C8-88DEBFEF8BA0", "versionEndIncluding": "2.11.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:helmholz:myrex24.virtual:*:*:*:*:*:*:*:*", "matchCriteriaId": "847B9BE1-D7E5-4B6B-A59D-282BB58A8B64", "versionEndIncluding": "2.11.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2. Improper access validation allows a logged in user to shutdown or reboot devices in his account without having corresponding permissions."}, {"lang": "es", "value": "Se ha descubierto un problema en la l\u00ednea de conexi\u00f3n MB mymbCONNECT24, mbCONNECT24 y Helmholz myREX24 y myREX24.virtual en todas las versiones hasta la v2.11.2. Una validaci\u00f3n de acceso inadecuada permite a un usuario conectado apagar o reiniciar los dispositivos de su cuenta sin tener los permisos correspondientes"}], "id": "CVE-2020-12527", "lastModified": "2024-11-21T04:59:52.400", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 6.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "info@cert.vde.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2021-03-02T22:15:12.387", "references": [{"source": "info@cert.vde.com", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/en/advisories/VDE-2021-003"}, {"source": "info@cert.vde.com", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/en/advisories/VDE-2022-039"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/en/advisories/VDE-2021-003"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/en/advisories/VDE-2022-039"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "info@cert.vde.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Secondary"}]}