Vulnerabilites related to siemens - desigo_insight
CVE-2020-15793 (GCVE-0-2020-15793)
Vulnerability from cvelistv5
Published
2020-10-15 18:45
Modified
2024-08-04 13:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Summary
A vulnerability has been identified in Desigo Insight (All versions). The device does not properly set the X-Frame-Options HTTP Header which makes it vulnerable to Clickjacking attacks. This could allow an unauthenticated attacker to retrieve or modify data in the context of a legitimate user by tricking that user to click on a website controlled by the attacker.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Siemens | Desigo Insight |
Version: All versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:30.858Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Desigo Insight",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Desigo Insight (All versions). The device does not properly set the X-Frame-Options HTTP Header which makes it vulnerable to Clickjacking attacks. This could allow an unauthenticated attacker to retrieve or modify data in the context of a legitimate user by tricking that user to click on a website controlled by the attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T18:10:13",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2020-15793",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Desigo Insight",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in Desigo Insight (All versions). The device does not properly set the X-Frame-Options HTTP Header which makes it vulnerable to Clickjacking attacks. This could allow an unauthenticated attacker to retrieve or modify data in the context of a legitimate user by tricking that user to click on a website controlled by the attacker."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2020-15793",
"datePublished": "2020-10-15T18:45:33",
"dateReserved": "2020-07-15T00:00:00",
"dateUpdated": "2024-08-04T13:22:30.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15794 (GCVE-0-2020-15794)
Vulnerability from cvelistv5
Published
2020-10-15 18:45
Modified
2024-08-04 13:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
A vulnerability has been identified in Desigo Insight (All versions). Some error messages in the web application show the absolute path to the requested resource. This could allow an authenticated attacker to retrieve additional information about the host system.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Siemens | Desigo Insight |
Version: All versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:30:21.663Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Desigo Insight",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Desigo Insight (All versions). Some error messages in the web application show the absolute path to the requested resource. This could allow an authenticated attacker to retrieve additional information about the host system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T18:10:33",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2020-15794",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Desigo Insight",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in Desigo Insight (All versions). Some error messages in the web application show the absolute path to the requested resource. This could allow an authenticated attacker to retrieve additional information about the host system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2020-15794",
"datePublished": "2020-10-15T18:45:34",
"dateReserved": "2020-07-15T00:00:00",
"dateUpdated": "2024-08-04T13:30:21.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15792 (GCVE-0-2020-15792)
Vulnerability from cvelistv5
Published
2020-10-15 18:45
Modified
2024-08-04 13:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
A vulnerability has been identified in Desigo Insight (All versions). The web service does not properly apply input validation for some query parameters in a reserved area. This could allow an authenticated attacker to retrieve data via a content-based blind SQL injection attack.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Siemens | Desigo Insight |
Version: All versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:30.868Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Desigo Insight",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Desigo Insight (All versions). The web service does not properly apply input validation for some query parameters in a reserved area. This could allow an authenticated attacker to retrieve data via a content-based blind SQL injection attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T18:09:55",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2020-15792",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Desigo Insight",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in Desigo Insight (All versions). The web service does not properly apply input validation for some query parameters in a reserved area. This could allow an authenticated attacker to retrieve data via a content-based blind SQL injection attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2020-15792",
"datePublished": "2020-10-15T18:45:33",
"dateReserved": "2020-07-15T00:00:00",
"dateUpdated": "2024-08-04T13:22:30.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2020-10-15 19:15
Modified
2024-11-21 05:06
Severity ?
Summary
A vulnerability has been identified in Desigo Insight (All versions). The web service does not properly apply input validation for some query parameters in a reserved area. This could allow an authenticated attacker to retrieve data via a content-based blind SQL injection attack.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| productcert@siemens.com | https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf | Vendor Advisory | |
| productcert@siemens.com | https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| siemens | desigo_insight | * | |
| siemens | desigo_insight | 6.0 | |
| siemens | desigo_insight | 6.0 | |
| siemens | desigo_insight | 6.0 | |
| siemens | desigo_insight | 6.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:*:*:*:*:*:*:*:*",
"matchCriteriaId": "27709FE3-EF7E-408D-9478-913FB2635E0C",
"versionEndExcluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:6.0:-:*:*:*:*:*:*",
"matchCriteriaId": "FA232A84-E145-4E19-A093-1D77372B4B7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:6.0:sp2:*:*:*:*:*:*",
"matchCriteriaId": "45B6C775-F19C-4610-B7C0-337C61EB2700",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:6.0:sp3:*:*:*:*:*:*",
"matchCriteriaId": "2D77488A-8820-4350-980E-A09CBFEC6F97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:6.0:sp5:*:*:*:*:*:*",
"matchCriteriaId": "D97D5112-D3BD-4EFA-90C3-CC00DEADFF78",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Desigo Insight (All versions). The web service does not properly apply input validation for some query parameters in a reserved area. This could allow an authenticated attacker to retrieve data via a content-based blind SQL injection attack."
},
{
"lang": "es",
"value": "Se ha identificado una vulnerabilidad en Desigo Insight (todas las versiones).\u0026#xa0;El servicio web no aplica apropiadamente la comprobaci\u00f3n de entrada para algunos par\u00e1metros de consulta en un \u00e1rea reservada.\u0026#xa0;Esto podr\u00eda permitir a un atacante autenticado recuperar datos por medio de un ataque de inyecci\u00f3n SQL ciego basado en contenido"
}
],
"id": "CVE-2020-15792",
"lastModified": "2024-11-21T05:06:11.397",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-15T19:15:12.767",
"references": [
{
"source": "productcert@siemens.com",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"source": "productcert@siemens.com",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "productcert@siemens.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-15 19:15
Modified
2024-11-21 05:06
Severity ?
Summary
A vulnerability has been identified in Desigo Insight (All versions). Some error messages in the web application show the absolute path to the requested resource. This could allow an authenticated attacker to retrieve additional information about the host system.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| productcert@siemens.com | https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf | Vendor Advisory | |
| productcert@siemens.com | https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| siemens | desigo_insight | * | |
| siemens | desigo_insight | 6.0 | |
| siemens | desigo_insight | 6.0 | |
| siemens | desigo_insight | 6.0 | |
| siemens | desigo_insight | 6.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:*:*:*:*:*:*:*:*",
"matchCriteriaId": "27709FE3-EF7E-408D-9478-913FB2635E0C",
"versionEndExcluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:6.0:-:*:*:*:*:*:*",
"matchCriteriaId": "FA232A84-E145-4E19-A093-1D77372B4B7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:6.0:sp2:*:*:*:*:*:*",
"matchCriteriaId": "45B6C775-F19C-4610-B7C0-337C61EB2700",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:6.0:sp3:*:*:*:*:*:*",
"matchCriteriaId": "2D77488A-8820-4350-980E-A09CBFEC6F97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:6.0:sp5:*:*:*:*:*:*",
"matchCriteriaId": "D97D5112-D3BD-4EFA-90C3-CC00DEADFF78",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Desigo Insight (All versions). Some error messages in the web application show the absolute path to the requested resource. This could allow an authenticated attacker to retrieve additional information about the host system."
},
{
"lang": "es",
"value": "Se ha identificado una vulnerabilidad en Desigo Insight (todas las versiones).\u0026#xa0;Algunos mensajes de error en la aplicaci\u00f3n web muestran la ruta absoluta al recurso requerido.\u0026#xa0;Esto podr\u00eda permitir a un atacante autenticado recuperar informaci\u00f3n adicional sobre el sistema host"
}
],
"id": "CVE-2020-15794",
"lastModified": "2024-11-21T05:06:11.627",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-15T19:15:12.923",
"references": [
{
"source": "productcert@siemens.com",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"source": "productcert@siemens.com",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "productcert@siemens.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-209"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-15 19:15
Modified
2024-11-21 05:06
Severity ?
Summary
A vulnerability has been identified in Desigo Insight (All versions). The device does not properly set the X-Frame-Options HTTP Header which makes it vulnerable to Clickjacking attacks. This could allow an unauthenticated attacker to retrieve or modify data in the context of a legitimate user by tricking that user to click on a website controlled by the attacker.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| siemens | desigo_insight | * | |
| siemens | desigo_insight | 6.0 | |
| siemens | desigo_insight | 6.0 | |
| siemens | desigo_insight | 6.0 | |
| siemens | desigo_insight | 6.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:*:*:*:*:*:*:*:*",
"matchCriteriaId": "27709FE3-EF7E-408D-9478-913FB2635E0C",
"versionEndExcluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:6.0:-:*:*:*:*:*:*",
"matchCriteriaId": "FA232A84-E145-4E19-A093-1D77372B4B7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:6.0:sp2:*:*:*:*:*:*",
"matchCriteriaId": "45B6C775-F19C-4610-B7C0-337C61EB2700",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:6.0:sp3:*:*:*:*:*:*",
"matchCriteriaId": "2D77488A-8820-4350-980E-A09CBFEC6F97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:siemens:desigo_insight:6.0:sp5:*:*:*:*:*:*",
"matchCriteriaId": "D97D5112-D3BD-4EFA-90C3-CC00DEADFF78",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Desigo Insight (All versions). The device does not properly set the X-Frame-Options HTTP Header which makes it vulnerable to Clickjacking attacks. This could allow an unauthenticated attacker to retrieve or modify data in the context of a legitimate user by tricking that user to click on a website controlled by the attacker."
},
{
"lang": "es",
"value": "Se ha identificado una vulnerabilidad en Desigo Insight (todas las versiones).\u0026#xa0;El dispositivo no establece apropiadamente el encabezado HTTP X-Frame-Options, que lo hace vulnerable a ataques de tipo Clickjacking.\u0026#xa0;Esto podr\u00eda permitir a un atacante no autenticado recuperar o modificar datos en el contexto de un usuario leg\u00edtimo enga\u00f1ando a ese usuario para que haga clic en un sitio web controlado por el atacante"
}
],
"id": "CVE-2020-15793",
"lastModified": "2024-11-21T05:06:11.510",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-15T19:15:12.847",
"references": [
{
"source": "productcert@siemens.com",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"source": "productcert@siemens.com",
"tags": [
"Third Party Advisory"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1021"
}
],
"source": "productcert@siemens.com",
"type": "Primary"
}
]
}