CVE-2020-7005 HIGH

Published: 2020-03-24 | Last Modified: 2024-11-21 | Status: Modified

Description

In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected product is vulnerable to a cross-site request forgery, which may allow an attacker to remotely execute arbitrary code.

Additional Descriptions (1)

En Honeywell WIN-PAK versión 4.7.2, Web y versiones anteriores, el producto afectado es vulnerable a un ataque de tipo cross-site request forgery, lo que puede permitir a un atacante ejecutar código arbitrario remotamente.

CVSS Metrics

Base Score: 8.8 (HIGH)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector	NETWORK
Attack Complexity	LOW
Privileges Required	NONE
User Interaction	REQUIRED
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Availability Impact	HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 2.8

Impact Score: 5.9

Base Score: 6.8 (MEDIUM)

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector	NETWORK
Access Complexity	MEDIUM
Authentication	NONE
Confidentiality Impact	PARTIAL
Integrity Impact	PARTIAL
Availability Impact	PARTIAL

Source: [email protected]

Type: Primary

Exploitability Score: 8.6

Impact Score: 6.4

Weaknesses

Source	Type	Description
[email protected]	Secondary	en CWE-352
[email protected]	Primary	en CWE-352

Affected Products

Vendor	Product	Version	Update	Type
honeywell	win-pak	*	<built-in method update of dict object at 0x7c3bf3e4cc00>	Application

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:honeywell:win-pak::::::::`

References

https://www.us-cert.gov/ics/advisories/icsa-20-056-05
Source: [email protected]

Third Party Advisory US Government Resource
https://www.us-cert.gov/ics/advisories/icsa-20-056-05
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory US Government Resource