Vulnerabilites related to abb - symphony_\+_operations
CVE-2020-24675 (GCVE-0-2020-24675)
Vulnerability from cvelistv5
Published
2020-12-22 21:22
Modified
2024-09-16 22:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
In S+ Operations and S+ History, it is possible that an unauthenticated user could inject values to the Operations History server (or standalone S+ History server) and ultimately write values to the controlled process.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | ABB | ABB Ability™ Symphony® Plus Operations |
Version: unspecified < 3.3 Service Pack 1 Version: unspecified < 2.1 SP2 Rollup 2 Version: unspecified < 2.2 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:08.688Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.3 Service Pack 1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.1 SP2 Rollup 2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In S+ Operations and S+ History, it is possible that an unauthenticated user could inject values to the Operations History server (or standalone S+ History server) and ultimately write values to the controlled process."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T21:22:05",
"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"shortName": "ABB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
},
"title": "Weak Authentication in Symphony Plus",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@ch.abb.com",
"DATE_PUBLIC": "2020-12-15T13:10:00.000Z",
"ID": "CVE-2020-24675",
"STATE": "PUBLIC",
"TITLE": "Weak Authentication in Symphony Plus"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.3 Service Pack 1"
},
{
"version_affected": "\u003c",
"version_value": "2.1 SP2 Rollup 2"
},
{
"version_affected": "\u003c",
"version_value": "2.2"
}
]
}
},
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.2"
}
]
}
}
]
},
"vendor_name": "ABB"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In S+ Operations and S+ History, it is possible that an unauthenticated user could inject values to the Operations History server (or standalone S+ History server) and ultimately write values to the controlled process."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
},
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"assignerShortName": "ABB",
"cveId": "CVE-2020-24675",
"datePublished": "2020-12-22T21:22:05.808039Z",
"dateReserved": "2020-08-26T00:00:00",
"dateUpdated": "2024-09-16T22:36:05.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24673 (GCVE-0-2020-24673)
Vulnerability from cvelistv5
Published
2020-12-22 21:21
Modified
2024-09-16 16:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - SQL Injection
Summary
In S+ Operations and S+ Historian, a successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. This can lead to a loss of confidentiality and data integrity or even affect the product behavior and its availability.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | ABB | ABB Ability™ Symphony® Plus Operations |
Version: unspecified < 3.3 Service Pack 1 Version: unspecified < 2.1 SP2 Rollup 2 Version: unspecified < 2.2 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:08.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.3 Service Pack 1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.1 SP2 Rollup 2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In S+ Operations and S+ Historian, a successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. This can lead to a loss of confidentiality and data integrity or even affect the product behavior and its availability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T21:21:10",
"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"shortName": "ABB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
},
"title": "SQL Injection in Symphony Plus",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@ch.abb.com",
"DATE_PUBLIC": "2020-12-15T13:10:00.000Z",
"ID": "CVE-2020-24673",
"STATE": "PUBLIC",
"TITLE": "SQL Injection in Symphony Plus"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.3 Service Pack 1"
},
{
"version_affected": "\u003c",
"version_value": "2.1 SP2 Rollup 2"
},
{
"version_affected": "\u003c",
"version_value": "2.2"
}
]
}
},
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.2"
}
]
}
}
]
},
"vendor_name": "ABB"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In S+ Operations and S+ Historian, a successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. This can lead to a loss of confidentiality and data integrity or even affect the product behavior and its availability."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
},
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"assignerShortName": "ABB",
"cveId": "CVE-2020-24673",
"datePublished": "2020-12-22T21:21:10.907659Z",
"dateReserved": "2020-08-26T00:00:00",
"dateUpdated": "2024-09-16T16:23:58.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24677 (GCVE-0-2020-24677)
Vulnerability from cvelistv5
Published
2020-12-22 21:16
Modified
2024-09-17 04:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Summary
Vulnerabilities in the S+ Operations and S+ Historian web applications can lead to a possible code execution and privilege escalation, redirect the user somewhere else or download unwanted data.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | ABB | ABB Ability™ Symphony® Plus Operations |
Version: unspecified < 3.3 Service Pack 1 Version: unspecified < 2.1 SP2 Rollup 2 Version: unspecified < 2.2 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:09.266Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.3 Service Pack 1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.1 SP2 Rollup 2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Vulnerabilities in the S+ Operations and S+ Historian web applications can lead to a possible code execution and privilege escalation, redirect the user somewhere else or download unwanted data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T21:16:37",
"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"shortName": "ABB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
},
"title": "Insecure Web Service in Symphony Plus",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@ch.abb.com",
"DATE_PUBLIC": "2020-12-15T13:10:00.000Z",
"ID": "CVE-2020-24677",
"STATE": "PUBLIC",
"TITLE": "Insecure Web Service in Symphony Plus"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.3 Service Pack 1"
},
{
"version_affected": "\u003c",
"version_value": "2.1 SP2 Rollup 2"
},
{
"version_affected": "\u003c",
"version_value": "2.2"
}
]
}
},
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.2"
}
]
}
}
]
},
"vendor_name": "ABB"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerabilities in the S+ Operations and S+ Historian web applications can lead to a possible code execution and privilege escalation, redirect the user somewhere else or download unwanted data."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-754 Improper Check for Unusual or Exceptional Conditions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
},
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"assignerShortName": "ABB",
"cveId": "CVE-2020-24677",
"datePublished": "2020-12-22T21:16:37.411681Z",
"dateReserved": "2020-08-26T00:00:00",
"dateUpdated": "2024-09-17T04:00:06.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24680 (GCVE-0-2020-24680)
Vulnerability from cvelistv5
Published
2020-12-22 21:18
Modified
2024-09-17 01:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-255 - Credentials Management
Summary
In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | ABB | ABB Ability™ Symphony® Plus Operations |
Version: unspecified < 3.3 Service Pack 1 Version: unspecified < 2.1 SP2 Rollup 2 Version: unspecified < 2.2 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:09.226Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.3 Service Pack 1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.1 SP2 Rollup 2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-255",
"description": "CWE-255 Credentials Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T21:18:37",
"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"shortName": "ABB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
},
"title": "Improper Credential Storage in Symphony Plus",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@ch.abb.com",
"DATE_PUBLIC": "2020-12-15T13:10:00.000Z",
"ID": "CVE-2020-24680",
"STATE": "PUBLIC",
"TITLE": "Improper Credential Storage in Symphony Plus"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.3 Service Pack 1"
},
{
"version_affected": "\u003c",
"version_value": "2.1 SP2 Rollup 2"
},
{
"version_affected": "\u003c",
"version_value": "2.2"
}
]
}
},
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.2"
}
]
}
}
]
},
"vendor_name": "ABB"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-255 Credentials Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
},
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"assignerShortName": "ABB",
"cveId": "CVE-2020-24680",
"datePublished": "2020-12-22T21:18:37.038625Z",
"dateReserved": "2020-08-26T00:00:00",
"dateUpdated": "2024-09-17T01:51:49.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24679 (GCVE-0-2020-24679)
Vulnerability from cvelistv5
Published
2020-12-22 21:17
Modified
2024-09-17 01:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
A S+ Operations and S+ Historian service is subject to a DoS by special crafted messages. An attacker might use this flaw to make it crash or even execute arbitrary code on the machine where the service is hosted.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | ABB | ABB Ability™ Symphony® Plus Operations |
Version: unspecified < 3.3 Service Pack 1 Version: unspecified < 2.1 SP2 Rollup 2 Version: unspecified < 2.2 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:09.203Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.3 Service Pack 1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.1 SP2 Rollup 2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A S+ Operations and S+ Historian service is subject to a DoS by special crafted messages. An attacker might use this flaw to make it crash or even execute arbitrary code on the machine where the service is hosted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T21:17:12",
"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"shortName": "ABB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
},
"title": "Denial of Service attack on Symphony Plus",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@ch.abb.com",
"DATE_PUBLIC": "2020-12-15T13:10:00.000Z",
"ID": "CVE-2020-24679",
"STATE": "PUBLIC",
"TITLE": "Denial of Service attack on Symphony Plus"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.3 Service Pack 1"
},
{
"version_affected": "\u003c",
"version_value": "2.1 SP2 Rollup 2"
},
{
"version_affected": "\u003c",
"version_value": "2.2"
}
]
}
},
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.2"
}
]
}
}
]
},
"vendor_name": "ABB"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A S+ Operations and S+ Historian service is subject to a DoS by special crafted messages. An attacker might use this flaw to make it crash or even execute arbitrary code on the machine where the service is hosted."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
},
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"assignerShortName": "ABB",
"cveId": "CVE-2020-24679",
"datePublished": "2020-12-22T21:17:12.753491Z",
"dateReserved": "2020-08-26T00:00:00",
"dateUpdated": "2024-09-17T01:20:53.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24674 (GCVE-0-2020-24674)
Vulnerability from cvelistv5
Published
2020-12-22 21:20
Modified
2024-09-16 16:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but Unauthorized remote users could execute a Denial-of-Service (DoS) attack, execute arbitrary code, or obtain more privilege than intended on the machines.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | ABB | ABB Ability™ Symphony® Plus Operations |
Version: unspecified < 3.3 Service Pack 1 Version: unspecified < 2.1 SP2 Rollup 2 Version: unspecified < 2.2 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:08.898Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.3 Service Pack 1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.1 SP2 Rollup 2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but Unauthorized remote users could execute a Denial-of-Service (DoS) attack, execute arbitrary code, or obtain more privilege than intended on the machines."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T21:20:16",
"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"shortName": "ABB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
},
"title": "Improper Authorization in Symphony Plus",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@ch.abb.com",
"DATE_PUBLIC": "2020-12-15T13:10:00.000Z",
"ID": "CVE-2020-24674",
"STATE": "PUBLIC",
"TITLE": "Improper Authorization in Symphony Plus"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.3 Service Pack 1"
},
{
"version_affected": "\u003c",
"version_value": "2.1 SP2 Rollup 2"
},
{
"version_affected": "\u003c",
"version_value": "2.2"
}
]
}
},
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.2"
}
]
}
}
]
},
"vendor_name": "ABB"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but Unauthorized remote users could execute a Denial-of-Service (DoS) attack, execute arbitrary code, or obtain more privilege than intended on the machines."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
},
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"assignerShortName": "ABB",
"cveId": "CVE-2020-24674",
"datePublished": "2020-12-22T21:20:16.269133Z",
"dateReserved": "2020-08-26T00:00:00",
"dateUpdated": "2024-09-16T16:54:08.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24676 (GCVE-0-2020-24676)
Vulnerability from cvelistv5
Published
2020-12-22 21:15
Modified
2024-09-16 21:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-274 - Improper Handling of Insufficient Privileges
Summary
In Symphony Plus Operations and Symphony Plus Historian, some services can be vulnerable to privilege escalation attacks. An unprivileged (but authenticated) user could execute arbitrary code and result in privilege escalation, depending on the user that the service runs as.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | ABB | ABB Ability™ Symphony® Plus Operations |
Version: unspecified < 3.3 Service Pack 1 Version: unspecified < 2.1 SP2 Rollup 2 Version: unspecified < 2.2 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:09.298Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.3 Service Pack 1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.1 SP2 Rollup 2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Symphony Plus Operations and Symphony Plus Historian, some services can be vulnerable to privilege escalation attacks. An unprivileged (but authenticated) user could execute arbitrary code and result in privilege escalation, depending on the user that the service runs as."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-274",
"description": "CWE-274 Improper Handling of Insufficient Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T21:15:22",
"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"shortName": "ABB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
},
"title": "Insecure Windows Services in Symphony Plus",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@ch.abb.com",
"DATE_PUBLIC": "2020-12-15T13:10:00.000Z",
"ID": "CVE-2020-24676",
"STATE": "PUBLIC",
"TITLE": "Insecure Windows Services in Symphony Plus"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.3 Service Pack 1"
},
{
"version_affected": "\u003c",
"version_value": "2.1 SP2 Rollup 2"
},
{
"version_affected": "\u003c",
"version_value": "2.2"
}
]
}
},
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.2"
}
]
}
}
]
},
"vendor_name": "ABB"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Symphony Plus Operations and Symphony Plus Historian, some services can be vulnerable to privilege escalation attacks. An unprivileged (but authenticated) user could execute arbitrary code and result in privilege escalation, depending on the user that the service runs as."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-274 Improper Handling of Insufficient Privileges"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
},
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"assignerShortName": "ABB",
"cveId": "CVE-2020-24676",
"datePublished": "2020-12-22T21:15:22.929934Z",
"dateReserved": "2020-08-26T00:00:00",
"dateUpdated": "2024-09-16T21:57:54.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24678 (GCVE-0-2020-24678)
Vulnerability from cvelistv5
Published
2020-12-22 21:13
Modified
2024-09-17 02:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
An authenticated user might execute malicious code under the user context and take control of the system. S+ Operations or S+ Historian database is affected by multiple vulnerabilities such as the possibility to allow remote authenticated users to gain high privileges.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | ABB | ABB Ability™ Symphony® Plus Operations |
Version: unspecified < 3.3 Service Pack 1 Version: unspecified < 2.1 SP2 Rollup 2 Version: unspecified < 2.2 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:09.258Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.3 Service Pack 1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.1 SP2 Rollup 2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"vendor": "ABB",
"versions": [
{
"lessThan": "3.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An authenticated user might execute malicious code under the user context and take control of the system. S+ Operations or S+ Historian database is affected by multiple vulnerabilities such as the possibility to allow remote authenticated users to gain high privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T21:13:13",
"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"shortName": "ABB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
},
"title": "Potential Privilege Escalation in Symphony Plus",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@ch.abb.com",
"DATE_PUBLIC": "2020-12-15T13:10:00.000Z",
"ID": "CVE-2020-24678",
"STATE": "PUBLIC",
"TITLE": "Potential Privilege Escalation in Symphony Plus"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.3 Service Pack 1"
},
{
"version_affected": "\u003c",
"version_value": "2.1 SP2 Rollup 2"
},
{
"version_affected": "\u003c",
"version_value": "2.2"
}
]
}
},
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Historian",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.2"
}
]
}
}
]
},
"vendor_name": "ABB"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An authenticated user might execute malicious code under the user context and take control of the system. S+ Operations or S+ Historian database is affected by multiple vulnerabilities such as the possibility to allow remote authenticated users to gain high privileges."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269 Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
},
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"assignerShortName": "ABB",
"cveId": "CVE-2020-24678",
"datePublished": "2020-12-22T21:13:13.833879Z",
"dateReserved": "2020-08-26T00:00:00",
"dateUpdated": "2024-09-17T02:51:56.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24683 (GCVE-0-2020-24683)
Vulnerability from cvelistv5
Published
2020-12-22 21:19
Modified
2024-09-17 01:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ABB | ABB Ability™ Symphony® Plus Operations |
Version: unspecified < 2.1 SP1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:09.118Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"vendor": "ABB",
"versions": [
{
"lessThan": "2.1 SP1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-602",
"description": "CWE-602 Client-Side Enforcement of Server-Side Security",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-22T21:19:10",
"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"shortName": "ABB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
},
"title": "Authentication Bypass in Symphony Plus",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@ch.abb.com",
"DATE_PUBLIC": "2020-12-15T13:10:00.000Z",
"ID": "CVE-2020-24683",
"STATE": "PUBLIC",
"TITLE": "Authentication Bypass in Symphony Plus"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Operations",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.1 SP1"
}
]
}
}
]
},
"vendor_name": "ABB"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-602 Client-Side Enforcement of Server-Side Security"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-305 Authentication Bypass by Primary Weakness"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "MISC",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
},
"source": {
"advisory": "2PAA123980, 2PAA123982",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"assignerShortName": "ABB",
"cveId": "CVE-2020-24683",
"datePublished": "2020-12-22T21:19:10.709309Z",
"dateReserved": "2020-08-26T00:00:00",
"dateUpdated": "2024-09-17T01:36:41.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2020-12-22 22:15
Modified
2024-11-21 05:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A S+ Operations and S+ Historian service is subject to a DoS by special crafted messages. An attacker might use this flaw to make it crash or even execute arbitrary code on the machine where the service is hosted.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| abb | symphony_\+_historian | 3.0 | |
| abb | symphony_\+_historian | 3.1 | |
| abb | symphony_\+_operations | 1.1 | |
| abb | symphony_\+_operations | 2.0 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 3.0 | |
| abb | symphony_\+_operations | 3.1 | |
| abb | symphony_\+_operations | 3.2 | |
| abb | symphony_\+_operations | 3.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DAAEE275-0C2C-4D15-B0CB-B51706015769",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8A89B5F4-5BE7-4B0E-9ADF-46630017221C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "21FB4D84-598C-486D-9A16-F24AEAA8B2A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "96371CD8-6C8A-459E-9A7E-34694B9F648E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp1:*:*:*:*:*:*",
"matchCriteriaId": "5D3E3D88-6544-459D-A5F3-AFB682FF8462",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp2:*:*:*:*:*:*",
"matchCriteriaId": "ED64EBDB-B30B-49ED-88C9-7FC2B092FEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A6281EC9-5771-4B95-B18C-C11A0EABDA25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3B553708-205B-4B87-BFE9-1570C1AAE06F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C8D38257-9207-4AED-818F-EA6E09393491",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7EBFA7A6-0EF8-46FC-B92F-AF448531B997",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A S+ Operations and S+ Historian service is subject to a DoS by special crafted messages. An attacker might use this flaw to make it crash or even execute arbitrary code on the machine where the service is hosted."
},
{
"lang": "es",
"value": "Un servicio S+ Operations y S+ Historian, est\u00e1 sujeto a una DoS mediante mensajes especiales dise\u00f1ados.\u0026#xa0;Un atacante podr\u00eda usar este fallo para hacer que se bloquee o incluso ejecutar c\u00f3digo arbitrario en la m\u00e1quina donde est\u00e1 alojado el servicio"
}
],
"id": "CVE-2020-24679",
"lastModified": "2024-11-21T05:15:43.153",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-22T22:15:13.583",
"references": [
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"sourceIdentifier": "cybersecurity@ch.abb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-12-22 22:15
Modified
2024-11-21 05:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| abb | symphony_\+_historian | 3.0 | |
| abb | symphony_\+_historian | 3.1 | |
| abb | symphony_\+_operations | 1.1 | |
| abb | symphony_\+_operations | 2.0 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 3.0 | |
| abb | symphony_\+_operations | 3.1 | |
| abb | symphony_\+_operations | 3.2 | |
| abb | symphony_\+_operations | 3.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DAAEE275-0C2C-4D15-B0CB-B51706015769",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8A89B5F4-5BE7-4B0E-9ADF-46630017221C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "21FB4D84-598C-486D-9A16-F24AEAA8B2A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "96371CD8-6C8A-459E-9A7E-34694B9F648E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp1:*:*:*:*:*:*",
"matchCriteriaId": "5D3E3D88-6544-459D-A5F3-AFB682FF8462",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp2:*:*:*:*:*:*",
"matchCriteriaId": "ED64EBDB-B30B-49ED-88C9-7FC2B092FEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A6281EC9-5771-4B95-B18C-C11A0EABDA25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3B553708-205B-4B87-BFE9-1570C1AAE06F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C8D38257-9207-4AED-818F-EA6E09393491",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7EBFA7A6-0EF8-46FC-B92F-AF448531B997",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application."
},
{
"lang": "es",
"value": "Las versiones afectadas de S+ Operations (versi\u00f3n 2.1 SP1 y anteriores) utilizaron un enfoque para la autenticaci\u00f3n de usuarios que se basa en la comprobaci\u00f3n en el nodo del cliente (autenticaci\u00f3n del lado del cliente).\u0026#xa0;Esto no es tan seguro como hacer que el servidor valide una aplicaci\u00f3n cliente antes de permitir una conexi\u00f3n.\u0026#xa0;Por lo tanto, si la comunicaci\u00f3n de red o los endpoints para estas aplicaciones no est\u00e1n protegidas, los actores no autorizados pueden omitir la autenticaci\u00f3n y llevar a cabo conexiones no autorizadas hacia la aplicaci\u00f3n del servidor"
}
],
"id": "CVE-2020-24683",
"lastModified": "2024-11-21T05:15:46.077",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-22T22:15:13.757",
"references": [
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"sourceIdentifier": "cybersecurity@ch.abb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-305"
},
{
"lang": "en",
"value": "CWE-602"
}
],
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-669"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-12-22 22:15
Modified
2024-11-21 05:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In S+ Operations and S+ Historian, a successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. This can lead to a loss of confidentiality and data integrity or even affect the product behavior and its availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| abb | symphony_\+_historian | 3.0 | |
| abb | symphony_\+_historian | 3.1 | |
| abb | symphony_\+_operations | 1.1 | |
| abb | symphony_\+_operations | 2.0 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 3.0 | |
| abb | symphony_\+_operations | 3.1 | |
| abb | symphony_\+_operations | 3.2 | |
| abb | symphony_\+_operations | 3.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DAAEE275-0C2C-4D15-B0CB-B51706015769",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8A89B5F4-5BE7-4B0E-9ADF-46630017221C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "21FB4D84-598C-486D-9A16-F24AEAA8B2A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "96371CD8-6C8A-459E-9A7E-34694B9F648E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp1:*:*:*:*:*:*",
"matchCriteriaId": "5D3E3D88-6544-459D-A5F3-AFB682FF8462",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp2:*:*:*:*:*:*",
"matchCriteriaId": "ED64EBDB-B30B-49ED-88C9-7FC2B092FEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A6281EC9-5771-4B95-B18C-C11A0EABDA25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3B553708-205B-4B87-BFE9-1570C1AAE06F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C8D38257-9207-4AED-818F-EA6E09393491",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7EBFA7A6-0EF8-46FC-B92F-AF448531B997",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In S+ Operations and S+ Historian, a successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. This can lead to a loss of confidentiality and data integrity or even affect the product behavior and its availability."
},
{
"lang": "es",
"value": "En S+ Operations y S+ Historian, una explotaci\u00f3n de inyecci\u00f3n SQL con \u00e9xito puede leer datos confidenciales de la base de datos, modificar los datos de la base de datos (Insertar/Actualizar/Eliminar), ejecutar operaciones de administraci\u00f3n en la base de datos (como apagar el DBMS), recuperar el contenido de un archivo dado presente en el sistema de archivos DBMS y, en algunos casos, emitir comandos en el sistema operativo.\u0026#xa0;Esto puede conllevar a una p\u00e9rdida de confidencialidad e integridad de los datos o incluso afectar el comportamiento del producto y su disponibilidad"
}
],
"id": "CVE-2020-24673",
"lastModified": "2024-11-21T05:15:38.817",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-22T22:15:13.053",
"references": [
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"sourceIdentifier": "cybersecurity@ch.abb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-12-22 22:15
Modified
2024-11-21 05:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
An authenticated user might execute malicious code under the user context and take control of the system. S+ Operations or S+ Historian database is affected by multiple vulnerabilities such as the possibility to allow remote authenticated users to gain high privileges.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| abb | symphony_\+_historian | 3.0 | |
| abb | symphony_\+_historian | 3.1 | |
| abb | symphony_\+_operations | 1.1 | |
| abb | symphony_\+_operations | 2.0 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 3.0 | |
| abb | symphony_\+_operations | 3.1 | |
| abb | symphony_\+_operations | 3.2 | |
| abb | symphony_\+_operations | 3.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DAAEE275-0C2C-4D15-B0CB-B51706015769",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8A89B5F4-5BE7-4B0E-9ADF-46630017221C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "21FB4D84-598C-486D-9A16-F24AEAA8B2A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "96371CD8-6C8A-459E-9A7E-34694B9F648E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp1:*:*:*:*:*:*",
"matchCriteriaId": "5D3E3D88-6544-459D-A5F3-AFB682FF8462",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp2:*:*:*:*:*:*",
"matchCriteriaId": "ED64EBDB-B30B-49ED-88C9-7FC2B092FEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A6281EC9-5771-4B95-B18C-C11A0EABDA25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3B553708-205B-4B87-BFE9-1570C1AAE06F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C8D38257-9207-4AED-818F-EA6E09393491",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7EBFA7A6-0EF8-46FC-B92F-AF448531B997",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An authenticated user might execute malicious code under the user context and take control of the system. S+ Operations or S+ Historian database is affected by multiple vulnerabilities such as the possibility to allow remote authenticated users to gain high privileges."
},
{
"lang": "es",
"value": "Un usuario autenticado puede ejecutar c\u00f3digo malicioso en el contexto del usuario y tomar el control del sistema.\u0026#xa0;La base de datos de S+ Operations o S??+ Historian est\u00e1 afectada por m\u00faltiples vulnerabilidades, como la posibilidad de permitir que los usuarios autenticados remotos obtengan altos privilegios"
}
],
"id": "CVE-2020-24678",
"lastModified": "2024-11-21T05:15:42.487",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-22T22:15:13.507",
"references": [
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"sourceIdentifier": "cybersecurity@ch.abb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-12-22 22:15
Modified
2024-11-21 05:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Vulnerabilities in the S+ Operations and S+ Historian web applications can lead to a possible code execution and privilege escalation, redirect the user somewhere else or download unwanted data.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| abb | symphony_\+_historian | 3.0 | |
| abb | symphony_\+_historian | 3.1 | |
| abb | symphony_\+_operations | 1.1 | |
| abb | symphony_\+_operations | 2.0 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 3.0 | |
| abb | symphony_\+_operations | 3.1 | |
| abb | symphony_\+_operations | 3.2 | |
| abb | symphony_\+_operations | 3.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DAAEE275-0C2C-4D15-B0CB-B51706015769",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8A89B5F4-5BE7-4B0E-9ADF-46630017221C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "21FB4D84-598C-486D-9A16-F24AEAA8B2A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "96371CD8-6C8A-459E-9A7E-34694B9F648E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp1:*:*:*:*:*:*",
"matchCriteriaId": "5D3E3D88-6544-459D-A5F3-AFB682FF8462",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp2:*:*:*:*:*:*",
"matchCriteriaId": "ED64EBDB-B30B-49ED-88C9-7FC2B092FEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A6281EC9-5771-4B95-B18C-C11A0EABDA25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3B553708-205B-4B87-BFE9-1570C1AAE06F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C8D38257-9207-4AED-818F-EA6E09393491",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7EBFA7A6-0EF8-46FC-B92F-AF448531B997",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerabilities in the S+ Operations and S+ Historian web applications can lead to a possible code execution and privilege escalation, redirect the user somewhere else or download unwanted data."
},
{
"lang": "es",
"value": "Las vulnerabilidades en las aplicaciones web S+ Operations y S+ Historian, pueden conducir a una posible ejecuci\u00f3n de c\u00f3digo y escalada de privilegios, un redireccionamiento del usuario a otro lugar o una descarga de datos no deseados"
}
],
"id": "CVE-2020-24677",
"lastModified": "2024-11-21T05:15:42.347",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-22T22:15:13.413",
"references": [
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"sourceIdentifier": "cybersecurity@ch.abb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-754"
}
],
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-754"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-12-22 22:15
Modified
2024-11-21 05:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but Unauthorized remote users could execute a Denial-of-Service (DoS) attack, execute arbitrary code, or obtain more privilege than intended on the machines.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| abb | symphony_\+_historian | 3.0 | |
| abb | symphony_\+_historian | 3.1 | |
| abb | symphony_\+_operations | 1.1 | |
| abb | symphony_\+_operations | 2.0 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 3.0 | |
| abb | symphony_\+_operations | 3.1 | |
| abb | symphony_\+_operations | 3.2 | |
| abb | symphony_\+_operations | 3.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DAAEE275-0C2C-4D15-B0CB-B51706015769",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8A89B5F4-5BE7-4B0E-9ADF-46630017221C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "21FB4D84-598C-486D-9A16-F24AEAA8B2A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "96371CD8-6C8A-459E-9A7E-34694B9F648E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp1:*:*:*:*:*:*",
"matchCriteriaId": "5D3E3D88-6544-459D-A5F3-AFB682FF8462",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp2:*:*:*:*:*:*",
"matchCriteriaId": "ED64EBDB-B30B-49ED-88C9-7FC2B092FEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A6281EC9-5771-4B95-B18C-C11A0EABDA25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3B553708-205B-4B87-BFE9-1570C1AAE06F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C8D38257-9207-4AED-818F-EA6E09393491",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7EBFA7A6-0EF8-46FC-B92F-AF448531B997",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but Unauthorized remote users could execute a Denial-of-Service (DoS) attack, execute arbitrary code, or obtain more privilege than intended on the machines."
},
{
"lang": "es",
"value": "En S+ Operations y S+ Historian, no todos los comandos del cliente comprueban correctamente los permisos del usuario como se esperaba.\u0026#xa0;Los usuarios remotos autenticados pero no autorizados podr\u00edan ejecutar un ataque de denegaci\u00f3n de servicio (DoS), ejecutar c\u00f3digo arbitrario u obtener m\u00e1s privilegios de los previstos en las m\u00e1quinas"
}
],
"id": "CVE-2020-24674",
"lastModified": "2024-11-21T05:15:41.573",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-22T22:15:13.147",
"references": [
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"sourceIdentifier": "cybersecurity@ch.abb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-12-22 22:15
Modified
2024-11-21 05:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In S+ Operations and S+ History, it is possible that an unauthenticated user could inject values to the Operations History server (or standalone S+ History server) and ultimately write values to the controlled process.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| abb | symphony_\+_historian | 3.0 | |
| abb | symphony_\+_historian | 3.1 | |
| abb | symphony_\+_operations | 1.1 | |
| abb | symphony_\+_operations | 2.0 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 3.0 | |
| abb | symphony_\+_operations | 3.1 | |
| abb | symphony_\+_operations | 3.2 | |
| abb | symphony_\+_operations | 3.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DAAEE275-0C2C-4D15-B0CB-B51706015769",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8A89B5F4-5BE7-4B0E-9ADF-46630017221C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "21FB4D84-598C-486D-9A16-F24AEAA8B2A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "96371CD8-6C8A-459E-9A7E-34694B9F648E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp1:*:*:*:*:*:*",
"matchCriteriaId": "5D3E3D88-6544-459D-A5F3-AFB682FF8462",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp2:*:*:*:*:*:*",
"matchCriteriaId": "ED64EBDB-B30B-49ED-88C9-7FC2B092FEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A6281EC9-5771-4B95-B18C-C11A0EABDA25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3B553708-205B-4B87-BFE9-1570C1AAE06F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C8D38257-9207-4AED-818F-EA6E09393491",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7EBFA7A6-0EF8-46FC-B92F-AF448531B997",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In S+ Operations and S+ History, it is possible that an unauthenticated user could inject values to the Operations History server (or standalone S+ History server) and ultimately write values to the controlled process."
},
{
"lang": "es",
"value": "En S+ Operations y S+ History, es posible que un usuario no autenticado pueda inyectar valores al servidor Operations History (o al servidor S+ History dedicado) y finalmente escribir valores en el proceso controlado"
}
],
"id": "CVE-2020-24675",
"lastModified": "2024-11-21T05:15:41.707",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-22T22:15:13.257",
"references": [
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"sourceIdentifier": "cybersecurity@ch.abb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-12-22 22:15
Modified
2024-11-21 05:15
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In Symphony Plus Operations and Symphony Plus Historian, some services can be vulnerable to privilege escalation attacks. An unprivileged (but authenticated) user could execute arbitrary code and result in privilege escalation, depending on the user that the service runs as.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| abb | symphony_\+_historian | 3.0 | |
| abb | symphony_\+_historian | 3.1 | |
| abb | symphony_\+_operations | 1.1 | |
| abb | symphony_\+_operations | 2.0 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 3.0 | |
| abb | symphony_\+_operations | 3.1 | |
| abb | symphony_\+_operations | 3.2 | |
| abb | symphony_\+_operations | 3.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DAAEE275-0C2C-4D15-B0CB-B51706015769",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8A89B5F4-5BE7-4B0E-9ADF-46630017221C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "21FB4D84-598C-486D-9A16-F24AEAA8B2A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "96371CD8-6C8A-459E-9A7E-34694B9F648E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp1:*:*:*:*:*:*",
"matchCriteriaId": "5D3E3D88-6544-459D-A5F3-AFB682FF8462",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp2:*:*:*:*:*:*",
"matchCriteriaId": "ED64EBDB-B30B-49ED-88C9-7FC2B092FEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A6281EC9-5771-4B95-B18C-C11A0EABDA25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3B553708-205B-4B87-BFE9-1570C1AAE06F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C8D38257-9207-4AED-818F-EA6E09393491",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7EBFA7A6-0EF8-46FC-B92F-AF448531B997",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Symphony Plus Operations and Symphony Plus Historian, some services can be vulnerable to privilege escalation attacks. An unprivileged (but authenticated) user could execute arbitrary code and result in privilege escalation, depending on the user that the service runs as."
},
{
"lang": "es",
"value": "En Symphony Plus Operations y Symphony Plus Historian, algunos servicios pueden ser vulnerables a ataques de escalada de privilegios.\u0026#xa0;Un usuario sin privilegios (pero autenticado) podr\u00eda ejecutar c\u00f3digo arbitrario y resultar en una escalada de privilegios, dependiendo del usuario con el que se ejecuta el servicio"
}
],
"id": "CVE-2020-24676",
"lastModified": "2024-11-21T05:15:42.043",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-22T22:15:13.333",
"references": [
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"sourceIdentifier": "cybersecurity@ch.abb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-274"
}
],
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-12-22 22:15
Modified
2024-11-21 05:15
Severity ?
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| abb | symphony_\+_historian | 3.0 | |
| abb | symphony_\+_historian | 3.1 | |
| abb | symphony_\+_operations | 1.1 | |
| abb | symphony_\+_operations | 2.0 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 2.1 | |
| abb | symphony_\+_operations | 3.0 | |
| abb | symphony_\+_operations | 3.1 | |
| abb | symphony_\+_operations | 3.2 | |
| abb | symphony_\+_operations | 3.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DAAEE275-0C2C-4D15-B0CB-B51706015769",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8A89B5F4-5BE7-4B0E-9ADF-46630017221C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "21FB4D84-598C-486D-9A16-F24AEAA8B2A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "96371CD8-6C8A-459E-9A7E-34694B9F648E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp1:*:*:*:*:*:*",
"matchCriteriaId": "5D3E3D88-6544-459D-A5F3-AFB682FF8462",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp2:*:*:*:*:*:*",
"matchCriteriaId": "ED64EBDB-B30B-49ED-88C9-7FC2B092FEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A6281EC9-5771-4B95-B18C-C11A0EABDA25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3B553708-205B-4B87-BFE9-1570C1AAE06F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C8D38257-9207-4AED-818F-EA6E09393491",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7EBFA7A6-0EF8-46FC-B92F-AF448531B997",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database."
},
{
"lang": "es",
"value": "En S+ Operations y S+ Historian, las contrase\u00f1as de los usuarios internos (no usuarios de Windows) est\u00e1n cifradas pero almacenadas incorrectamente en una base de datos"
}
],
"id": "CVE-2020-24680",
"lastModified": "2024-11-21T05:15:44.133",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 5.9,
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-22T22:15:13.647",
"references": [
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "cybersecurity@ch.abb.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"sourceIdentifier": "cybersecurity@ch.abb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-255"
}
],
"source": "cybersecurity@ch.abb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}