ID

VAR-202009-0304


CVE

CVE-2020-14519


TITLE

Vulnerability regarding same-origin policy violation in CodeMeter

Trust: 0.8

sources: JVNDB: JVNDB-2020-011223

DESCRIPTION

This vulnerability allows an attacker to use the internal WebSockets API for CodeMeter via a specifically crafted JavaScript payload, which may allow alteration or creation of license files when combined with CVE-2020-14515. All versions prior to 7.00 are affected, including Version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server.

CodeMeter contains a vulnerability related to same-origin policy violations. Information may be tampered with.

Siemens SIMATIC WinCC OA (Open Architecture) is a SCADA system from Siemens, Germany, and is also an integral part of the HMI series. The system is mainly suitable for industries such as rail transit, building automation and public power supply. Information Server is used to report and visualize the process data stored in the Process Historian. SINEC INS is a web-based application that combines various network services in one tool. Many Siemens products have security vulnerabilities. Attackers can use the vulnerabilities to change or create license files.

Trust: 2.16

sources: NVD: CVE-2020-14519 // JVNDB: JVNDB-2020-011223 // CNVD: CNVD-2020-51241

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-51241

AFFECTED PRODUCTS

vendor: wibu, model: codemeter, scope: lt, version: 7.00

Trust: 1.0

vendor: wibu, model: codemeter, scope: -, version: -

Trust: 0.8

vendor: wibu, model: codemeter, scope: eq, version: 7.00

Trust: 0.8

vendor: wibu, model: codemeter, scope: eq, version: -

Trust: 0.8

vendor: siemens, model: sinec ins, scope: -, version: -

Trust: 0.6

vendor: siemens, model: sinema remote connect, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2020-51241 // JVNDB: JVNDB-2020-011223 // NVD: CVE-2020-14519

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-14519
value: HIGH

Trust: 1.0

NVD: CVE-2020-14519
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-51241
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202009-486
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2020-14519
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-51241
severity: HIGH
baseScore: 9.4
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2020-14519
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-14519
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-51241 // JVNDB: JVNDB-2020-011223 // CNNVD: CNNVD-202009-486 // NVD: CVE-2020-14519

PROBLEMTYPE DATA

problemtype: CWE-346

Trust: 1.0

problemtype: Same-origin policy violation (CWE-346) [ Other ]

Trust: 0.8

sources: JVNDB: JVNDB-2020-011223 // NVD: CVE-2020-14519

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-486

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202009-486

PATCH

title: CodeMeter
url: https://www.wibu.com/products/codemeter.html

Trust: 0.8

title: Patch for Multiple Siemens products verification error vulnerabilities
url: https://www.cnvd.org.cn/patchInfo/show/233347

Trust: 0.6

title: Wibu-Systems AG CodeMeter Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=127907

Trust: 0.6

sources: CNVD: CNVD-2020-51241 // JVNDB: JVNDB-2020-011223 // CNNVD: CNNVD-202009-486

EXTERNAL IDS

db: NVD, id: CVE-2020-14519

Trust: 3.8

db: ICS CERT, id: ICSA-20-203-01

Trust: 2.4

db: JVN, id: JVNVU90770748

Trust: 0.8

db: JVN, id: JVNVU94568336

Trust: 0.8

db: JVNDB, id: JVNDB-2020-011223

Trust: 0.8

db: SIEMENS, id: SSA-455843

Trust: 0.6

db: CNVD, id: CNVD-2020-51241

Trust: 0.6

db: AUSCERT, id: ESB-2020.3076.2

Trust: 0.6

db: AUSCERT, id: ESB-2020.3076.3

Trust: 0.6

db: AUSCERT, id: ESB-2020.3076

Trust: 0.6

db: CS-HELP, id: SB2022021806

Trust: 0.6

db: CNNVD, id: CNNVD-202009-486

Trust: 0.6

sources: CNVD: CNVD-2020-51241 // JVNDB: JVNDB-2020-011223 // CNNVD: CNNVD-202009-486 // NVD: CVE-2020-14519

REFERENCES

url: https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2020-14519

Trust: 1.4

url: https://jvn.jp/vu/jvnvu94568336/

Trust: 0.8

url: https://jvn.jp/vu/jvnvu90770748/

Trust: 0.8

url: https://cert-portal.siemens.com/productcert/pdf/ssa-455843.pdf

Trust: 0.6

url: https://vigilance.fr/vulnerability/siemens-simatic-six-vulnerabilities-via-wibu-systems-codemeter-runtime-33282

Trust: 0.6

url: https://www.cybersecurity-help.cz/vdb/sb2022021806

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.3076.2/

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.3076.3/

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.3076/

Trust: 0.6

sources: CNVD: CNVD-2020-51241 // JVNDB: JVNDB-2020-011223 // CNNVD: CNNVD-202009-486 // NVD: CVE-2020-14519

SOURCES

db: CNVD, id: CNVD-2020-51241
db: JVNDB, id: JVNDB-2020-011223
db: CNNVD, id: CNNVD-202009-486
db: NVD, id: CVE-2020-14519

LAST UPDATE DATE

2024-08-14T13:01:37.325000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-51241, date: 2020-09-10T00:00:00
db: JVNDB, id: JVNDB-2020-011223, date: 2022-03-15T05:12:00
db: CNNVD, id: CNNVD-202009-486, date: 2022-02-21T00:00:00
db: NVD, id: CVE-2020-14519, date: 2020-09-22T18:07:41.903

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-51241, date: 2020-09-10T00:00:00
db: JVNDB, id: JVNDB-2020-011223, date: 2021-03-24T00:00:00
db: CNNVD, id: CNNVD-202009-486, date: 2020-09-08T00:00:00
db: NVD, id: CVE-2020-14519, date: 2020-09-16T20:15:13.723