CVE-2020-11999 Information

Description

FactoryTalk Linx versions 6.00 6.10 and 6.11 RSLinx Classic v4.11.00 and priorConnected Components Workbench: Version 12 and prior ControlFLASH: Version 14 and later ControlFLASH Plus: Version 1 and later FactoryTalk Asset Centre: Version 9 and later FactoryTalk Linx CommDTM: Version 1 and later Studio 5000 Launcher: Version 31 and later Stud 5000 Logix Designer software: Version 32 and prior is vulnerable. An exposed API call allows users to provide files to be processed without sanitation. This may allow an attacker to specify a filename to execute unauthorized code and modify files or data.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Reference

https://www.us-cert.gov/ics/advisories/icsa-20-163-02

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

NONE

Base Severity

8.1