Sign-up

ID

VAR-202012-0101


CVE

CVE-2020-12517


TITLE

Phoenix Contact PLCnext Control Devices cross-site scripting vulnerability

Trust: 1.2

sources: CNVD: CNVD-2021-07251 // CNNVD: CNNVD-202012-1260

DESCRIPTION

On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an authenticated low privileged user could embed malicious Javascript code to gain admin rights when the admin user visits the vulnerable website (local privilege escalation). Phoenix Contact PLCnext Control A cross-site scripting vulnerability exists in the device.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Phoenix Contact PLCnext Control Devices is a programmable logic controller used in industrial environments from Phoenix Contact in Germany. No detailed vulnerability details are currently provided

Trust: 2.16

sources: NVD: CVE-2020-12517 // JVNDB: JVNDB-2020-014838 // CNVD: CNVD-2021-07251

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-07251

AFFECTED PRODUCTS

vendor:phoenixcontactmodel:plcnextscope:ltversion:2021.0

Trust: 1.0

vendor:phoenix contactmodel:plcnextscope:eqversion: -

Trust: 0.8

vendor:phoenix contactmodel:plcnextscope:eqversion:plcnext firmware 2021.0 lts

Trust: 0.8

vendor:phoenixmodel:contact phoenix contact plcnext control devices ltsscope:ltversion:2021.0

Trust: 0.6

sources: CNVD: CNVD-2021-07251 // JVNDB: JVNDB-2020-014838 // NVD: CVE-2020-12517

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-12517
value: CRITICAL

Trust: 1.0

info@cert.vde.com: CVE-2020-12517
value: HIGH

Trust: 1.0

NVD: CVE-2020-12517
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2021-07251
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202012-1260
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2020-12517
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-07251
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-12517
baseSeverity: CRITICAL
baseScore: 9.0
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.3
impactScore: 6.0
version: 3.1

Trust: 1.0

info@cert.vde.com: CVE-2020-12517
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2020-12517
baseSeverity: CRITICAL
baseScore: 9.0
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-07251 // JVNDB: JVNDB-2020-014838 // CNNVD: CNNVD-202012-1260 // NVD: CVE-2020-12517 // NVD: CVE-2020-12517

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2020-014838 // NVD: CVE-2020-12517

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202012-1260

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202012-1260

PATCH

title:Top Pageurl:https://www.phoenixcontact.com/

Trust: 0.8

sources: JVNDB: JVNDB-2020-014838

EXTERNAL IDS

db:NVDid:CVE-2020-12517

Trust: 3.0

db:CERT@VDEid:VDE-2020-049

Trust: 2.4

db:JVNDBid:JVNDB-2020-014838

Trust: 0.8

db:CNVDid:CNVD-2021-07251

Trust: 0.6

db:CNNVDid:CNNVD-202012-1260

Trust: 0.6

sources: CNVD: CNVD-2021-07251 // JVNDB: JVNDB-2020-014838 // CNNVD: CNNVD-202012-1260 // NVD: CVE-2020-12517

REFERENCES

url:https://cert.vde.com/en-us/advisories/vde-2020-049

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2020-12517

Trust: 2.0

sources: CNVD: CNVD-2021-07251 // JVNDB: JVNDB-2020-014838 // CNNVD: CNNVD-202012-1260 // NVD: CVE-2020-12517

SOURCES

db:CNVDid:CNVD-2021-07251
db:JVNDBid:JVNDB-2020-014838
db:CNNVDid:CNNVD-202012-1260
db:NVDid:CVE-2020-12517

LAST UPDATE DATE

2024-11-23T22:16:12.173000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-07251date:2021-01-28T00:00:00
db:JVNDBid:JVNDB-2020-014838date:2021-09-01T05:58:00
db:CNNVDid:CNNVD-202012-1260date:2020-12-24T00:00:00
db:NVDid:CVE-2020-12517date:2024-11-21T04:59:51.010

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-07251date:2021-01-28T00:00:00
db:JVNDBid:JVNDB-2020-014838date:2021-09-01T00:00:00
db:CNNVDid:CNNVD-202012-1260date:2020-12-17T00:00:00
db:NVDid:CVE-2020-12517date:2020-12-17T23:15:12.873