CVE-2020-7493 - OpenCVE

A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric	Ecostruxure Operator Terminal Expert

Configuration 1 [-]

OR	cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert::::::::
	cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:-::::::
	cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:sp1::::::

No data.

References

Link	Providers
https://www.se.com/ww/en/download/document/SEVD-2020-133-04

History

No history.

MITRE

Status: PUBLISHED

Assigner: schneider

Published: 2020-06-16T19:10:35

Updated: 2024-08-04T09:33:19.454Z

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7493

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-06-16T20:15:14.270

Modified: 2020-06-17T20:15:43.167

Link: CVE-2020-7493

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)", "vendor": "n/a", "versions": [{"status": "affected", "version": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)"}]}], "descriptions": [{"lang": "en", "value": "A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-16T19:10:35", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2020-7493", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)", "version": {"version_data": [{"version_value": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}]}, "references": {"reference_data": [{"name": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04", "refsource": "MISC", "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:33:19.454Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04"}]}]}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2020-7493", "datePublished": "2020-06-16T19:10:35", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-08-04T09:33:19.454Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E274928-428F-4CD4-9EF6-7C499B4FBCBA", "versionEndIncluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:-:*:*:*:*:*:*", "matchCriteriaId": "C5B39FB1-D76F-47E9-AA10-E32282202F04", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:sp1:*:*:*:*:*:*", "matchCriteriaId": "DC9E5C58-B3D1-4871-A63D-0E48E747C610", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file."}, {"lang": "es", "value": "Una CWE-89: Una vulnerabilidad de Neutralizaci\u00f3n Inapropiada de Elementos Especiales utilizados en un Comando SQL (\"SQL Injection) en EcoStruxure Operator Terminal Expert versiones 3.1 Service Pack 1 y anteriores (anteriormente conocido como Vijeo XD) que podr\u00eda causar una ejecuci\u00f3n de c\u00f3digo malicioso cuando se abre el archivo del proyecto"}], "id": "CVE-2020-7493", "lastModified": "2020-06-17T20:15:43.167", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-16T20:15:14.270", "references": [{"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "https://www.se.com/ww/en/download/document/SEVD-2020-133-04"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "cybersecurity@se.com", "type": "Secondary"}]}