ID

VAR-202003-1440


CVE

CVE-2020-7474


TITLE

Vulnerability in uncontrolled search path elements in ProSoft Configurator

Trust: 0.8

sources: JVNDB: JVNDB-2020-003192

DESCRIPTION

A CWE-427: Uncontrolled Search Path Element vulnerability exists in ProSoft Configurator (v1.002 and prior), for the PMEPXM0100 (H) module, which could cause the execution of untrusted code when using double click to open a project file which may trigger execution of a malicious DLL. ProSoft Configurator contains a vulnerability related to an uncontrolled search path element. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Schneider Electric ProSoft Configurator is a configuration manager for logic controllers from Schneider Electric of France. Schneider Electric ProSoft Configurator v1.002 and previous versions (for the Modicon PMEPXM0100(H) module) have a code issue vulnerability. Attackers can use this vulnerability to execute untrusted code.

Trust: 2.25

sources: NVD: CVE-2020-7474 // JVNDB: JVNDB-2020-003192 // CNVD: CNVD-2020-20724 // VULMON: CVE-2020-7474

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-20724

AFFECTED PRODUCTS

vendor: schneider electric, model: pmepxm0100 prosoft configurator, scope: lte, version: 1.002

Trust: 1.0

vendor: schneider electric, model: pmepxm0100 prosoft configurator, scope: eq, version: 1.002

Trust: 0.8

vendor: schneider, model: electric prosoft configurator, scope: lte, version: <=v1.002

Trust: 0.6

sources: CNVD: CNVD-2020-20724 // JVNDB: JVNDB-2020-003192 // NVD: CVE-2020-7474

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-7474
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-003192
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-20724
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202003-1329
value: HIGH

Trust: 0.6

VULMON: CVE-2020-7474
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-7474
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-003192
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-20724
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-7474
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003192
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-20724 // VULMON: CVE-2020-7474 // JVNDB: JVNDB-2020-003192 // CNNVD: CNNVD-202003-1329 // NVD: CVE-2020-7474

PROBLEMTYPE DATA

problemtype:CWE-427

Trust: 1.8

sources: JVNDB: JVNDB-2020-003192 // NVD: CVE-2020-7474

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202003-1329

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202003-1329

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003192

PATCH

title: SEVD-2020-042-01, url: https://www.se.com/ww/en/download/document/SEVD-2020-042-01/

Trust: 0.8

title: Patch for Schneider Electric ProSoft Configurator code issue vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/211967

Trust: 0.6

title: Schneider Electric ProSoft Configurator Modicon PMEPXM0100(H) Fixes for module code problem vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112774

Trust: 0.6

sources: CNVD: CNVD-2020-20724 // JVNDB: JVNDB-2020-003192 // CNNVD: CNNVD-202003-1329

EXTERNAL IDS

db: NVD, id: CVE-2020-7474

Trust: 3.1

db: SCHNEIDER, id: SEVD-2020-042-01

Trust: 1.7

db: JVNDB, id: JVNDB-2020-003192

Trust: 0.8

db: CNVD, id: CNVD-2020-20724

Trust: 0.6

db: CNNVD, id: CNNVD-202003-1329

Trust: 0.6

db: VULMON, id: CVE-2020-7474

Trust: 0.1

sources: CNVD: CNVD-2020-20724 // VULMON: CVE-2020-7474 // JVNDB: JVNDB-2020-003192 // CNNVD: CNNVD-202003-1329 // NVD: CVE-2020-7474

REFERENCES

url:https://www.se.com/ww/en/download/document/sevd-2020-042-01/

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-7474

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-7474

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/427.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2020-7474 // JVNDB: JVNDB-2020-003192 // CNNVD: CNNVD-202003-1329 // NVD: CVE-2020-7474

CREDITS

Yongjun Liu (nsfocus)

Trust: 0.6

sources: CNNVD: CNNVD-202003-1329

SOURCES

db: CNVD, id: CNVD-2020-20724
db: VULMON, id: CVE-2020-7474
db: JVNDB, id: JVNDB-2020-003192
db: CNNVD, id: CNNVD-202003-1329
db: NVD, id: CVE-2020-7474

LAST UPDATE DATE

2024-11-23T22:16:36.295000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-20724, date: 2020-04-01T00:00:00
db: VULMON, id: CVE-2020-7474, date: 2020-03-25T00:00:00
db: JVNDB, id: JVNDB-2020-003192, date: 2020-04-07T00:00:00
db: CNNVD, id: CNNVD-202003-1329, date: 2020-03-30T00:00:00
db: NVD, id: CVE-2020-7474, date: 2024-11-21T05:37:13.103

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-20724, date: 2020-04-01T00:00:00
db: VULMON, id: CVE-2020-7474, date: 2020-03-23T00:00:00
db: JVNDB, id: JVNDB-2020-003192, date: 2020-04-07T00:00:00
db: CNNVD, id: CNNVD-202003-1329, date: 2020-03-23T00:00:00
db: NVD, id: CVE-2020-7474, date: 2020-03-23T19:15:12.337