RSS   Vulnerabilities for 'Symphony plus operations'   RSS

2020-12-22
 
CVE-2020-24683

CWE-669
 

 
The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application.

 
 
CVE-2020-24680

CWE-522
 

 
In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database.

 
 
CVE-2020-24679

CWE-20
 

 
A S+ Operations and S+ Historian service is subject to a DoS by special crafted messages. An attacker might use this flaw to make it crash or even execute arbitrary code on the machine where the service is hosted.

 
 
CVE-2020-24678

CWE-269
 

 
An authenticated user might execute malicious code under the user context and take control of the system. S+ Operations or S+ Historian database is affected by multiple vulnerabilities such as the possibility to allow remote authenticated users to gain high privileges.

 
 
CVE-2020-24677

CWE-754
 

 
Vulnerabilities in the S+ Operations and S+ Historian web applications can lead to a possible code execution and privilege escalation, redirect the user somewhere else or download unwanted data.

 
 
CVE-2020-24675

CWE-287
 

 
In S+ Operations and S+ History, it is possible that an unauthenticated user could inject values to the Operations History server (or standalone S+ History server) and ultimately write values to the controlled process.

 
 
CVE-2020-24674

CWE-863
 

 
In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but Unauthorized remote users could execute a Denial-of-Service (DoS) attack, execute arbitrary code, or obtain more privilege than intended on the machines.

 
 
CVE-2020-24673

CWE-89
 

 
In S+ Operations and S+ Historian, a successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. This can lead to a loss of confidentiality and data integrity or even affect the product behavior and its availability.

 

 >>> Vendor: ABB 65 Products
Pcu400
Interlink module
Irc5 opc server
Pc sdk
Pickmaster 3
Pickmaster 5
Robot communications runtime
Robotstudio
Robview 5
Webware sdk
Webware server
S4 opc server
Quickteach
Robotstudio s4
Robotstudio lite
Datamanager
Test signal viewer
Panel builder 800
Pcm600
Vsn300 firmware
Vsn300 for react firmware
Fox515t firmware
Netcadops
Sys600 firmware
Srea-01 firmware
Srea-50 firmware
Ip gateway firmware
Esoms
Gate-e1 firmware
Gate-e2 firmware
Cms-770 firmware
Cp400pb firmware
Eth-fw firmware
Fw firmware
Pm554-tp-eth firmware
Cp620-web firmware
Cp620 firmware
Cp630-web firmware
Cp630 firmware
Cp635-b firmware
Cp635-web firmware
Cp635 firmware
Cp651-web firmware
Cp651 firmware
Cp661-web firmware
Cp661 firmware
Cp665-web firmware
Cp665 firmware
Cp676-web firmware
Cp676 firmware
Plant connect
Power generation information manager
Pb610 panel builder 600
Asset suite
800xa base system
800xa information manager
Device library wizard
Symphony \+ historian
Symphony \+ operations
Symphony plus historian
Symphony plus operations
Base software
Update manager
Opc server for ac 800m
Ellipse enterprise asset management


Copyright 2024, cxsecurity.com

 

Back to Top