CVE-2020-7480 : A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerabilit

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be viewable when an attacker interferes with an application's processing of XML data.

Published 2020-03-23 20:15:13

Updated 2020-03-25 14:46:08

Source Schneider Electric SE

View at NVD, CVE.org

Products affected by CVE-2020-7480

Schneider-electric » Andover Continuum 9680 Firmware
cpe:2.3:o:schneider-electric:andover_continuum_9680_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Andover Continuum 9680 » Version: N/A
Schneider-electric » Andover Continuum 5740 Firmware
cpe:2.3:o:schneider-electric:andover_continuum_5740_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Andover Continuum 5740 » Version: N/A
Schneider-electric » Andover Continuum 5720 Firmware
cpe:2.3:o:schneider-electric:andover_continuum_5720_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Andover Continuum 5720 » Version: N/A
Schneider-electric » Andover Continuum Bcx4040 Firmware
cpe:2.3:o:schneider-electric:andover_continuum_bcx4040_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Andover Continuum Bcx4040 » Version: N/A
Schneider-electric » Andover Continuum Bcx9640 Firmware
cpe:2.3:o:schneider-electric:andover_continuum_bcx9640_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Andover Continuum Bcx9640 » Version: N/A
Schneider-electric » Andover Continuum 9900 Firmware
cpe:2.3:o:schneider-electric:andover_continuum_9900_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Andover Continuum 9900 » Version: N/A
Schneider-electric » Andover Continuum 9940 Firmware
cpe:2.3:o:schneider-electric:andover_continuum_9940_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Andover Continuum 9940 » Version: N/A
Schneider-electric » Andover Continuum 9941 Firmware
cpe:2.3:o:schneider-electric:andover_continuum_9941_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Andover Continuum 9941 » Version: N/A
Schneider-electric » Andover Continuum 9924 Firmware
cpe:2.3:o:schneider-electric:andover_continuum_9924_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Andover Continuum 9924 » Version: N/A
Schneider-electric » Andover Continuum 9702 Firmware
cpe:2.3:o:schneider-electric:andover_continuum_9702_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Andover Continuum 9702 » Version: N/A
Schneider-electric » Andover Continuum 9200 Firmware
cpe:2.3:o:schneider-electric:andover_continuum_9200_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Schneider-electric » Andover Continuum 9200 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2020-7480

EPSS FAQ

0.57%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 67 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-7480

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-7480

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Assigned by:
- cybersecurity@se.com (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2020-7480

https://www.se.com/ww/en/download/document/SEVD-2020-070-04/

Security Notification - Andover Continuum Line of Controllers | Schneider Electric
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-7480

Products affected by CVE-2020-7480

Exploit prediction scoring system (EPSS) score for CVE-2020-7480

CVSS scores for CVE-2020-7480

CWE ids for CVE-2020-7480

References for CVE-2020-7480