Vulnerability Details : CVE-2020-8477
The installations of ABB System 800xA Information Manager versions 5.1, 6.0 to 6.0.3.2 and 6.1 wrongly contain an auxiliary component. An attacker can use this component for an XSS-like attack against an authenticated local user, which might lead to execution of arbitrary code.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2020-8477
- ABB » 800xA Information Manager, versions from 6.0.0 (>=) up to and including 6.0.3.2 (<=): cpe:2.3:a:abb:800xa_information_manager:*:*:*:*:*:*:*:*
- ABB » 800xA Information Manager, version 5.1: cpe:2.3:a:abb:800xa_information_manager:5.1:*:*:*:*:*:*:*
- ABB » 800xA Information Manager, version 6.1: cpe:2.3:a:abb:800xa_information_manager:6.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-8477
EPSS score: 0.29% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~69% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2020-8477
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | 
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | Asea Brown Boveri Ltd. (ABB) | 
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | 
CWE ids for CVE-2020-8477
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
  Assigned by:
  - cybersecurity@ch.abb.com (Secondary)
  - nvd@nist.gov (Primary)
- The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
  Assigned by:
  - cybersecurity@ch.abb.com (Secondary)
References for CVE-2020-8477