OpenCVE

Barco TransForm N before 3.8 allows Command Injection (issue 2 of 4). The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users of the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameters xmodules, ymodules and savelocking are not properly handled. The NDN-210 is part of Barco TransForm N solution and includes the patch from TransForm N version 3.8 onwards.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Barco	Transform N Transform Ndn-210 Lite Transform Ndn-210 Pro Transform Ndn-211 Lite Transform Ndn-211 Pro

Configuration 1 [-]

AND

cpe:2.3:o:barco:transform_n:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:barco:transform_ndn-210_lite:-:::::::*
	cpe:2.3:h:barco:transform_ndn-210_pro:-:::::::*
	cpe:2.3:h:barco:transform_ndn-211_lite:-:::::::*
	cpe:2.3:h:barco:transform_ndn-211_pro:-:::::::*

No data.

References

Link	Providers
https://www.barco.com/en/support/cms
https://www.barco.com/en/support/knowledge-base/kb11589
https://www.barco.com/en/support/transform-n-management-server

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-01-08T17:15:57

Updated: 2024-08-04T14:00:47.544Z

Reserved: 2020-08-12T00:00:00

Link: CVE-2020-17502

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-01-08T18:15:13.027

Modified: 2024-11-21T05:08:14.267

Link: CVE-2020-17502

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Barco TransForm N before 3.8 allows Command Injection (issue 2 of 4). The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users of the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameters xmodules, ymodules and savelocking are not properly handled. The NDN-210 is part of Barco TransForm N solution and includes the patch from TransForm N version 3.8 onwards."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-08T17:15:56", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.barco.com/en/support/transform-n-management-server"}, {"tags": ["x_refsource_MISC"], "url": "https://www.barco.com/en/support/cms"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.barco.com/en/support/knowledge-base/kb11589"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-17502", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Barco TransForm N before 3.8 allows Command Injection (issue 2 of 4). The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users of the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameters xmodules, ymodules and savelocking are not properly handled. The NDN-210 is part of Barco TransForm N solution and includes the patch from TransForm N version 3.8 onwards."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.barco.com/en/support/transform-n-management-server", "refsource": "MISC", "url": "https://www.barco.com/en/support/transform-n-management-server"}, {"name": "https://www.barco.com/en/support/cms", "refsource": "MISC", "url": "https://www.barco.com/en/support/cms"}, {"name": "https://www.barco.com/en/support/knowledge-base/kb11589", "refsource": "CONFIRM", "url": "https://www.barco.com/en/support/knowledge-base/kb11589"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T14:00:47.544Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.barco.com/en/support/transform-n-management-server"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.barco.com/en/support/cms"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.barco.com/en/support/knowledge-base/kb11589"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-17502", "datePublished": "2021-01-08T17:15:57", "dateReserved": "2020-08-12T00:00:00", "dateUpdated": "2024-08-04T14:00:47.544Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:barco:transform_n:*:*:*:*:*:*:*:*", "matchCriteriaId": "094B6FC0-DA52-4C94-8992-13522E60090C", "versionEndExcluding": "3.8", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:barco:transform_ndn-210_lite:-:*:*:*:*:*:*:*", "matchCriteriaId": "2BD8D359-AD98-4C2E-BBB6-16E4D00C9FA8", "vulnerable": false}, {"criteria": "cpe:2.3:h:barco:transform_ndn-210_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "44DD99C7-46AC-43FF-86AB-0B4CC222C902", "vulnerable": false}, {"criteria": "cpe:2.3:h:barco:transform_ndn-211_lite:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8BF9D72-7D56-4E72-A66C-62D4232C57B6", "vulnerable": false}, {"criteria": "cpe:2.3:h:barco:transform_ndn-211_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "C9F7E77D-CCD3-4FF6-8D5E-0F745136B339", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Barco TransForm N before 3.8 allows Command Injection (issue 2 of 4). The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users of the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameters xmodules, ymodules and savelocking are not properly handled. The NDN-210 is part of Barco TransForm N solution and includes the patch from TransForm N version 3.8 onwards."}, {"lang": "es", "value": "Barco TransForm N versiones anteriores a 3.8, permite una Inyecci\u00f3n de Comandos (problema 2 de 4). El NDN-210 presenta un panel de administraci\u00f3n web que est\u00e1 disponible a trav\u00e9s de https. Se presenta un problema de inyecci\u00f3n de comandos que permitir\u00e1 a usuarios autenticados del panel de administraci\u00f3n llevar a cabo una ejecuci\u00f3n de c\u00f3digo remota autenticada. Se presenta un problema en el archivo split_card_cmd.php en el que los par\u00e1metros http xmodules, ymodules y savelocking no son manejados apropiadamente. El NDN-210 es parte de la soluci\u00f3n de Barco TransForm N e incluye el parche desde TransForm N versi\u00f3n 3.8 en adelante"}], "id": "CVE-2020-17502", "lastModified": "2024-11-21T05:08:14.267", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-08T18:15:13.027", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.barco.com/en/support/cms"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.barco.com/en/support/knowledge-base/kb11589"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://www.barco.com/en/support/transform-n-management-server"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.barco.com/en/support/cms"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.barco.com/en/support/knowledge-base/kb11589"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Vendor Advisory"], "url": "https://www.barco.com/en/support/transform-n-management-server"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}