Details of VAR-202012-1391

ID

VAR-202012-1391

CVE

CVE-2020-7540

TITLE

plural Schneider Electric Vulnerability in lack of authentication for critical features in the product

Trust: 0.8

sources: JVNDB: JVNDB-2020-014331

DESCRIPTION

A CWE-306: Missing Authentication for Critical Function vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause unauthenticated command execution in the controller when sending special HTTP requests. plural Schneider Electric The product is vulnerable to a lack of authentication for critical features.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state

Trust: 1.71

sources: NVD: CVE-2020-7540 // JVNDB: JVNDB-2020-014331 // VULMON: CVE-2020-7540

AFFECTED PRODUCTS

vendor:	schneider electric	model:	140noe77111	scope:	lt	version:	7.1	Trust: 1.0
vendor:	schneider electric	model:	140cpu65150	scope:	lt	version:	6.1	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp3420102	scope:	lt	version:	3.30	Trust: 1.0
vendor:	schneider electric	model:	140noc77101	scope:	lt	version:	1.08	Trust: 1.0
vendor:	schneider electric	model:	bmxnoe0110	scope:	lt	version:	6.5	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp3420302	scope:	lt	version:	3.30	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp342020	scope:	lt	version:	3.30	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp341000	scope:	lt	version:	3.30	Trust: 1.0
vendor:	schneider electric	model:	tsxp575634	scope:	lt	version:	6.1	Trust: 1.0
vendor:	schneider electric	model:	140noe77101	scope:	lt	version:	7.1	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp342000	scope:	lt	version:	3.30	Trust: 1.0
vendor:	schneider electric	model:	140noc78000	scope:	lt	version:	1.74	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp3420102cl	scope:	lt	version:	3.30	Trust: 1.0
vendor:	schneider electric	model:	bmxnoe0100	scope:	lt	version:	3.3	Trust: 1.0
vendor:	schneider electric	model:	tsxety5103	scope:	lt	version:	6.4	Trust: 1.0
vendor:	schneider electric	model:	140noc78100	scope:	lt	version:	1.74	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp3420302cl	scope:	lt	version:	3.30	Trust: 1.0
vendor:	schneider electric	model:	tsxety4103	scope:	lt	version:	6.2	Trust: 1.0
vendor:	schneider electric	model:	tsxp576634	scope:	lt	version:	6.1	Trust: 1.0
vendor:	schneider electric	model:	bmxnoc0401	scope:	lt	version:	2.10	Trust: 1.0
vendor:	schneider electric	model:	bmxnor200h	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	tsxp574634	scope:	lt	version:	6.1	Trust: 1.0
vendor:	schneider electric	model:	140cpu65160	scope:	lt	version:	6.1	Trust: 1.0
vendor:	schneider electric	model:	140noe 77101	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxnoe0110	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxp3420102	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxp3420302cl	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxp3420102cl	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxp342020	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxp342000	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxp341000	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxp3420302	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxnoe0100	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-014331 // NVD: CVE-2020-7540

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-7540
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2020-7540
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202012-938
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2020-7540
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2020-7540
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2020-7540
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2020-7540
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2020-7540 // JVNDB: JVNDB-2020-014331 // CNNVD: CNNVD-202012-938 // NVD: CVE-2020-7540

PROBLEMTYPE DATA

problemtype:	CWE-306	Trust: 1.0
problemtype:	Lack of authentication for important features (CWE-306) [ Other ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-014331 // NVD: CVE-2020-7540

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202012-938

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202012-938

PATCH

title:

SEVD-2020-343-04

url:

https://www.se.com/ww/en/download/document/SEVD-2020-343-04/

Trust: 0.8

sources: JVNDB: JVNDB-2020-014331

EXTERNAL IDS

db:	NVD	id:	CVE-2020-7540	Trust: 2.5
db:	SCHNEIDER	id:	SEVD-2020-343-04	Trust: 1.7
db:	JVNDB	id:	JVNDB-2020-014331	Trust: 0.8
db:	CNNVD	id:	CNNVD-202012-938	Trust: 0.6
db:	VULMON	id:	CVE-2020-7540	Trust: 0.1

sources: VULMON: CVE-2020-7540 // JVNDB: JVNDB-2020-014331 // CNNVD: CNNVD-202012-938 // NVD: CVE-2020-7540

REFERENCES

url:	https://www.se.com/ww/en/download/document/sevd-2020-343-04/	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-7540	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/306.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2020-7540 // JVNDB: JVNDB-2020-014331 // CNNVD: CNNVD-202012-938 // NVD: CVE-2020-7540

SOURCES

db:	VULMON	id:	CVE-2020-7540
db:	JVNDB	id:	JVNDB-2020-014331
db:	CNNVD	id:	CNNVD-202012-938
db:	NVD	id:	CVE-2020-7540

LAST UPDATE DATE

2024-11-23T21:58:51.328000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2020-7540	date:	2020-12-14T00:00:00
db:	JVNDB	id:	JVNDB-2020-014331	date:	2021-08-13T08:51:00
db:	CNNVD	id:	CNNVD-202012-938	date:	2020-12-16T00:00:00
db:	NVD	id:	CVE-2020-7540	date:	2024-11-21T05:37:20.573

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2020-7540	date:	2020-12-11T00:00:00
db:	JVNDB	id:	JVNDB-2020-014331	date:	2021-08-13T00:00:00
db:	CNNVD	id:	CNNVD-202012-938	date:	2020-12-11T00:00:00
db:	NVD	id:	CVE-2020-7540	date:	2020-12-11T01:15:12.377