ID

VAR-202007-0396


CVE

CVE-2020-14499


TITLE

Advantech iView Vulnerability regarding inadequate protection of credentials in

Trust: 0.8

sources: JVNDB: JVNDB-2020-008132

DESCRIPTION

Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user account credentials. Advantech iView contains an inadequate protection of credentials vulnerability. Information may be obtained. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UserServlet class.

Trust: 2.34

sources: NVD: CVE-2020-14499 // JVNDB: JVNDB-2020-008132 // ZDI: ZDI-20-867 // VULHUB: VHN-167383

AFFECTED PRODUCTS

vendor: advantech | model: iview | scope: lte | version: 5.6

Trust: 1.0

vendor: アドバンテック株式会社 | model: iview | scope: eq | version: -

Trust: 0.8

vendor: アドバンテック株式会社 | model: iview | scope: lte | version: 5.6

Trust: 0.8

vendor: advantech | model: iview | scope: - | version: -

Trust: 0.7

sources: ZDI: ZDI-20-867 // JVNDB: JVNDB-2020-008132 // NVD: CVE-2020-14499

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-14499
value: HIGH

Trust: 1.0

NVD: CVE-2020-14499
value: HIGH

Trust: 0.8

ZDI: CVE-2020-14499
value: HIGH

Trust: 0.7

CNNVD: CNNVD-202007-951
value: HIGH

Trust: 0.6

VULHUB: VHN-167383
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-14499
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-167383
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-14499
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-14499
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2020-14499
baseSeverity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-20-867 // VULHUB: VHN-167383 // JVNDB: JVNDB-2020-008132 // CNNVD: CNNVD-202007-951 // NVD: CVE-2020-14499

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-284

Trust: 1.0

problemtype:Inadequate protection of credentials (CWE-522) [NVD Evaluation]

Trust: 0.8

problemtype:CWE-522

Trust: 0.1

sources: VULHUB: VHN-167383 // JVNDB: JVNDB-2020-008132 // NVD: CVE-2020-14499

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-951

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202007-951

PATCH

title: Top Page | url: https://www.advantech.co.jp/

Trust: 0.8

title: Advantech has issued an update to correct this vulnerability. | url: https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33

Trust: 0.7

title: Advantech iView Fixes for access control error vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=124486

Trust: 0.6

sources: ZDI: ZDI-20-867 // JVNDB: JVNDB-2020-008132 // CNNVD: CNNVD-202007-951

EXTERNAL IDS

db: NVD | id: CVE-2020-14499

Trust: 3.2

db: ICS CERT | id: ICSA-20-196-01

Trust: 2.5

db: ZDI | id: ZDI-20-867

Trust: 2.4

db: JVN | id: JVNVU95694616

Trust: 0.8

db: JVNDB | id: JVNDB-2020-008132

Trust: 0.8

db: ZDI_CAN | id: ZDI-CAN-10701

Trust: 0.7

db: CNNVD | id: CNNVD-202007-951

Trust: 0.7

db: NSFOCUS | id: 47215

Trust: 0.6

db: AUSCERT | id: ESB-2020.2382

Trust: 0.6

db: CNVD | id: CNVD-2020-57118

Trust: 0.1

db: VULHUB | id: VHN-167383

Trust: 0.1

sources: ZDI: ZDI-20-867 // VULHUB: VHN-167383 // JVNDB: JVNDB-2020-008132 // CNNVD: CNNVD-202007-951 // NVD: CVE-2020-14499

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-20-196-01

Trust: 2.3

url:https://www.zerodayinitiative.com/advisories/zdi-20-867/

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-14499

Trust: 1.4

url:https://jvn.jp/vu/jvnvu95694616/

Trust: 0.8

url:https://us-cert.cisa.gov/ics/advisories/icsa-20-196-01

Trust: 0.8

url:https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33

Trust: 0.7

url:http://www.nsfocus.net/vulndb/47215

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2382/

Trust: 0.6

sources: ZDI: ZDI-20-867 // VULHUB: VHN-167383 // JVNDB: JVNDB-2020-008132 // CNNVD: CNNVD-202007-951 // NVD: CVE-2020-14499

CREDITS

rgod

Trust: 0.7

sources: ZDI: ZDI-20-867

SOURCES

db: ZDI | id: ZDI-20-867
db: VULHUB | id: VHN-167383
db: JVNDB | id: JVNDB-2020-008132
db: CNNVD | id: CNNVD-202007-951
db: NVD | id: CVE-2020-14499

LAST UPDATE DATE

2024-08-14T14:03:38.915000+00:00


SOURCES UPDATE DATE

db: ZDI | id: ZDI-20-867 | date: 2020-07-16T00:00:00
db: VULHUB | id: VHN-167383 | date: 2021-09-23T00:00:00
db: JVNDB | id: JVNDB-2020-008132 | date: 2020-09-03T00:00:00
db: CNNVD | id: CNNVD-202007-951 | date: 2021-09-24T00:00:00
db: NVD | id: CVE-2020-14499 | date: 2021-09-23T13:33:31.623

SOURCES RELEASE DATE

db: ZDI | id: ZDI-20-867 | date: 2020-07-16T00:00:00
db: VULHUB | id: VHN-167383 | date: 2020-07-15T00:00:00
db: JVNDB | id: JVNDB-2020-008132 | date: 2020-09-03T00:00:00
db: CNNVD | id: CNNVD-202007-951 | date: 2020-07-14T00:00:00
db: NVD | id: CVE-2020-14499 | date: 2020-07-15T03:15:50.513