Vulnerability Details : CVE-2020-7520
A CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability exists in Schneider Electric Software Update (SESU), V2.4.0 and prior, which could cause execution of malicious code on the victim's machine. In order to exploit this vulnerability, an attacker requires privileged access on the engineering workstation to modify a Windows registry key which would divert all traffic updates to go through a server in the attacker's possession. A man-in-the-middle attack is then used to complete the exploit.
Vulnerability category: Open redirect
Products affected by CVE-2020-7520
- cpe:2.3:a:schneider-electric:software_update_utility:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-7520
0.33%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 52 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-7520
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.0
|
MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:N |
4.9
|
4.9
|
NIST | |
|
4.7
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |
1.6
|
2.7
|
NIST |
CWE ids for CVE-2020-7520
-
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.Assigned by:
- cybersecurity@se.com (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2020-7520
-
https://www.se.com/ww/en/download/document/SEVD-2020-196-01/
Security Notification– Schneider Electric Software Update (SESU) | Schneider ElectricPatch;Vendor Advisory
Jump to