CVE-2020-28398 - Vulnerability Details

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM ROX RX1501 (All versions < V2.16.0), RUGGEDCOM ROX RX1510 (All versions < V2.16.0), RUGGEDCOM ROX RX1511 (All versions < V2.16.0), RUGGEDCOM ROX RX1512 (All versions < V2.16.0), RUGGEDCOM ROX RX1524 (All versions < V2.16.0), RUGGEDCOM ROX RX1536 (All versions < V2.16.0), RUGGEDCOM ROX RX5000 (All versions < V2.16.0). The CLI feature in the web interface of affected devices is vulnerable to cross-site request forgery (CSRF). This could allow an attacker to read or modify the device configuration by tricking an authenticated legitimate user into accessing a malicious link.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Siemens	Ruggedcom Rox Mx5000 Ruggedcom Rox Mx5000re Ruggedcom Rox Rx1400 Ruggedcom Rox Rx1500 Ruggedcom Rox Rx1501 Ruggedcom Rox Rx1510 Ruggedcom Rox Rx1511 Ruggedcom Rox Rx1512 Ruggedcom Rox Rx1524 Ruggedcom Rox Rx1536 Ruggedcom Rox Rx5000

No data.

References

Link	Providers
https://cert-portal.siemens.com/productcert/html/ssa-384652.html

History

Tue, 10 Dec 2024 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Siemens Siemens ruggedcom Rox Mx5000 Siemens ruggedcom Rox Mx5000re Siemens ruggedcom Rox Rx1400 Siemens ruggedcom Rox Rx1500 Siemens ruggedcom Rox Rx1501 Siemens ruggedcom Rox Rx1510 Siemens ruggedcom Rox Rx1511 Siemens ruggedcom Rox Rx1512 Siemens ruggedcom Rox Rx1524 Siemens ruggedcom Rox Rx1536 Siemens ruggedcom Rox Rx5000
CPEs		cpe:2.3:h:siemens:ruggedcom_rox_mx5000:-:::::::* cpe:2.3:h:siemens:ruggedcom_rox_mx5000re:-:::::::* cpe:2.3:h:siemens:ruggedcom_rox_rx1400:-:::::::* cpe:2.3:h:siemens:ruggedcom_rox_rx1500:-:::::::* cpe:2.3:h:siemens:ruggedcom_rox_rx1501:-:::::::* cpe:2.3:h:siemens:ruggedcom_rox_rx1510:-:::::::* cpe:2.3:h:siemens:ruggedcom_rox_rx1511:-:::::::* cpe:2.3:h:siemens:ruggedcom_rox_rx1512:-:::::::* cpe:2.3:h:siemens:ruggedcom_rox_rx1524:-:::::::* cpe:2.3:h:siemens:ruggedcom_rox_rx1536:-:::::::* cpe:2.3:h:siemens:ruggedcom_rox_rx5000:-:::::::*
Vendors & Products		Siemens Siemens ruggedcom Rox Mx5000 Siemens ruggedcom Rox Mx5000re Siemens ruggedcom Rox Rx1400 Siemens ruggedcom Rox Rx1500 Siemens ruggedcom Rox Rx1501 Siemens ruggedcom Rox Rx1510 Siemens ruggedcom Rox Rx1511 Siemens ruggedcom Rox Rx1512 Siemens ruggedcom Rox Rx1524 Siemens ruggedcom Rox Rx1536 Siemens ruggedcom Rox Rx5000
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 10 Dec 2024 14:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM ROX RX1501 (All versions < V2.16.0), RUGGEDCOM ROX RX1510 (All versions < V2.16.0), RUGGEDCOM ROX RX1511 (All versions < V2.16.0), RUGGEDCOM ROX RX1512 (All versions < V2.16.0), RUGGEDCOM ROX RX1524 (All versions < V2.16.0), RUGGEDCOM ROX RX1536 (All versions < V2.16.0), RUGGEDCOM ROX RX5000 (All versions < V2.16.0). The CLI feature in the web interface of affected devices is vulnerable to cross-site request forgery (CSRF). This could allow an attacker to read or modify the device configuration by tricking an authenticated legitimate user into accessing a malicious link.
Weaknesses		CWE-352
References		https://cert-portal.siemens.com/productcert/html/ssa-384652.html
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2024-12-10T13:53:19.090Z

Updated: 2024-12-10T15:28:51.944Z

Reserved: 2020-11-10T00:00:00.000Z

Link: CVE-2020-28398

Vulnrichment

Updated: 2024-12-10T15:28:43.916Z

NVD

Status : Received

Published: 2024-12-10T14:15:18.320

Modified: 2024-12-10T14:15:18.320

Link: CVE-2020-28398

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object