CVE-2020-28221

A CWE-20: Improper Input Validation vulnerability exists in EcoStruxure™ Operator Terminal Expert and Pro-face BLUE (version details in the notification) that could cause arbitrary code execution when the Ethernet Download feature is enable on the HMI.

CVSS v3 9.8 CRITICAL
CVSS v2.0 9.3 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.3^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://www.se.com/ww/en/download/document/SEVD-2021-012-01/	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:::::::*
	cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:sp1a::::::

OR	cpe:2.3:h:schneider-electric:hmi_sto_501:-:::::::*
	cpe:2.3:h:schneider-electric:hmi_sto_511:-:::::::*
	cpe:2.3:h:schneider-electric:hmi_sto_512:-:::::::*
	cpe:2.3:h:schneider-electric:hmi_sto_531:-:::::::*
	cpe:2.3:h:schneider-electric:hmi_sto_532:-:::::::*
	cpe:2.3:h:schneider-electric:hmig3u:-:::::::*
	cpe:2.3:h:schneider-electric:hmig3x:-:::::::*
	cpe:2.3:h:schneider-electric:hmig5u:-:::::::*
	cpe:2.3:h:schneider-electric:hmig5u2:-:::::::*
	cpe:2.3:h:schneider-electric:hmist6200:-:::::::*
	cpe:2.3:h:schneider-electric:hmist6400:-:::::::*
	cpe:2.3:h:schneider-electric:hmist6500:-:::::::*
	cpe:2.3:h:schneider-electric:hmist6600:-:::::::*
	cpe:2.3:h:schneider-electric:hmist6700:-:::::::*

Configuration 2 (hide)

AND

OR	cpe:2.3:a:schneider-electric:pro-face_blue:3.1:::::::*
	cpe:2.3:a:schneider-electric:pro-face_blue:3.1:sp1a::::::

OR	cpe:2.3:h:schneider-electric:gp-4104g:-:::::::*
	cpe:2.3:h:schneider-electric:gp-4104w:-:::::::*
	cpe:2.3:h:schneider-electric:gp-4105g:-:::::::*
	cpe:2.3:h:schneider-electric:gp-4105w:-:::::::*
	cpe:2.3:h:schneider-electric:gp-4106g:-:::::::*
	cpe:2.3:h:schneider-electric:gp-4106w:-:::::::*
	cpe:2.3:h:schneider-electric:gp-4107g:-:::::::*
	cpe:2.3:h:schneider-electric:gp-4107w:-:::::::*
	cpe:2.3:h:schneider-electric:sp-5400wa:-:::::::*
	cpe:2.3:h:schneider-electric:sp-5500tp:-:::::::*
	cpe:2.3:h:schneider-electric:sp-5500wa:-:::::::*
	cpe:2.3:h:schneider-electric:sp-5600ta:-:::::::*
	cpe:2.3:h:schneider-electric:sp-5600tp:-:::::::*
	cpe:2.3:h:schneider-electric:sp-5600wa:-:::::::*
	cpe:2.3:h:schneider-electric:sp-5660tp:-:::::::*
	cpe:2.3:h:schneider-electric:sp-5700tp:-:::::::*
	cpe:2.3:h:schneider-electric:sp-5700wc:-:::::::*
	cpe:2.3:h:schneider-electric:sp-5800wc:-:::::::*
	cpe:2.3:h:schneider-electric:sp-5b00:-:::::::*
	cpe:2.3:h:schneider-electric:sp-5b10:-:::::::*
	cpe:2.3:h:schneider-electric:sp-5b41:-:::::::*
	cpe:2.3:h:schneider-electric:st-6200wa:-:::::::*
	cpe:2.3:h:schneider-electric:st-6400wa:-:::::::*
	cpe:2.3:h:schneider-electric:st-6500wa:-:::::::*
	cpe:2.3:h:schneider-electric:st-6600wa:-:::::::*
	cpe:2.3:h:schneider-electric:st-6700wa:-:::::::*

History

No history.

Information

Published : 2021-01-26 18:15

Updated : 2024-02-04 21:23

NVD link : CVE-2020-28221

Mitre link : CVE-2020-28221

CVE.ORG link : CVE-2020-28221

JSON object : View

Products Affected

schneider-electric

hmig3x
gp-4104g
hmi_sto_532
sp-5660tp
gp-4107g
hmi_sto_501
st-6600wa
hmig3u
hmig5u2
sp-5b41
st-6200wa
ecostruxure_operator_terminal_expert
pro-face_blue
sp-5500tp
hmig5u
hmist6200
gp-4105w
sp-5600ta
st-6400wa
hmist6500
hmist6600
sp-5600tp
st-6500wa
sp-5800wc
gp-4104w
gp-4107w
sp-5600wa
sp-5b00
gp-4105g
hmi_sto_511
hmist6400
sp-5b10
hmi_sto_531
sp-5700wc
st-6700wa
sp-5500wa
gp-4106w
sp-5400wa
hmist6700
sp-5700tp
hmi_sto_512
gp-4106g

CWE

CWE-20

Improper Input Validation

9.8 /10