CVE-2020-28219 - OpenCVE

A CWE-522: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1), that could cause exposure of credentials to server-side users when web users are logged in to Virtual ViewX.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric	Ecostruxure Geo Scada Expert 2019 Ecostruxure Geo Scada Expert 2020

Configuration 1 [-]

OR	cpe:2.3:a:schneider-electric:ecostruxure_geo_scada_expert_2019::::::::
	cpe:2.3:a:schneider-electric:ecostruxure_geo_scada_expert_2020::::::::

No data.

References

Link	Providers
https://www.se.com/ww/en/download/document/SEVD-2020-343-02/

History

No history.

MITRE

Status: PUBLISHED

Assigner: schneider

Published: 2020-12-11T00:51:24

Updated: 2024-08-04T16:33:58.549Z

Reserved: 2020-11-05T00:00:00

Link: CVE-2020-28219

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-12-11T01:15:11.860

Modified: 2020-12-16T18:57:53.423

Link: CVE-2020-28219

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1)", "vendor": "n/a", "versions": [{"status": "affected", "version": "EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1)"}]}], "descriptions": [{"lang": "en", "value": "A CWE-522: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1), that could cause exposure of credentials to server-side users when web users are logged in to Virtual ViewX."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-11T00:51:24", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-02/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2020-28219", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1)", "version": {"version_data": [{"version_value": "EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CWE-522: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1), that could cause exposure of credentials to server-side users when web users are logged in to Virtual ViewX."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-522: Insufficiently Protected Credentials"}]}]}, "references": {"reference_data": [{"name": "https://www.se.com/ww/en/download/document/SEVD-2020-343-02/", "refsource": "CONFIRM", "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-02/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:33:58.549Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-02/"}]}]}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2020-28219", "datePublished": "2020-12-11T00:51:24", "dateReserved": "2020-11-05T00:00:00", "dateUpdated": "2024-08-04T16:33:58.549Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_geo_scada_expert_2019:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A09EFF5-C84A-4E86-ACC8-49F3225D851A", "versionEndIncluding": "81.7578.1", "versionStartIncluding": "81.7268.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_geo_scada_expert_2020:*:*:*:*:*:*:*:*", "matchCriteriaId": "F825CB53-AC99-4CD3-91F8-8D8198165E3A", "versionEndIncluding": "83.7578.1", "versionStartIncluding": "83.7551.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A CWE-522: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1), that could cause exposure of credentials to server-side users when web users are logged in to Virtual ViewX."}, {"lang": "es", "value": "Una CWE-522: Se presenta una vulnerabilidad de Credenciales Insuficientemente Protegidas en EcoStruxure Geo SCADA Expert 2019 (versi\u00f3n original y Actualizaciones Mensuales hasta Septiembre de 2020, desde 81.7268.1 hasta 81.7578.1) y EcoStruxure Geo SCADA Expert 2020 (versi\u00f3n original y Actualizaciones Mensuales hasta Septiembre de 2020), desde 83.7551.1 hasta 83.7578.1), que podr\u00eda causar la exposici\u00f3n de las credenciales a los usuarios del lado del servidor cuando los usuarios web inician sesi\u00f3n en Virtual ViewX"}], "id": "CVE-2020-28219", "lastModified": "2020-12-16T18:57:53.423", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-11T01:15:11.860", "references": [{"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-02/"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "cybersecurity@se.com", "type": "Primary"}]}