Details of VAR-202012-0323

ID

VAR-202012-0323

CVE

CVE-2020-24678

TITLE

S+ Operations Or S+ Historian database Vulnerability in privilege management

Trust: 0.8

sources: JVNDB: JVNDB-2020-014753

DESCRIPTION

An authenticated user might execute malicious code under the user context and take control of the system. S+ Operations or S+ Historian database is affected by multiple vulnerabilities such as the possibility to allow remote authenticated users to gain high privileges. Both ABB Symphony Plus Operations and ABB Symphony Plus Historian are products of ABB, Switzerland. ABB Symphony Plus Operations is a management device used in industrial environments to improve operational efficiency. The device provides an easy-to-use human-machine interface, seamlessly integrates all plant equipment and subsystems using industry-standard protocols and technologies, and provides functions such as alarm management, process optimization, and more. ABB Symphony Plus Historian is a device for visually viewing and managing historical information of industrial equipment

Trust: 1.71

sources: NVD: CVE-2020-24678 // JVNDB: JVNDB-2020-014753 // VULHUB: VHN-178580

AFFECTED PRODUCTS

vendor:	abb	model:	symphony \+ operations	scope:	eq	version:	2.0	Trust: 1.0
vendor:	abb	model:	symphony \+ operations	scope:	eq	version:	3.0	Trust: 1.0
vendor:	abb	model:	symphony \+ historian	scope:	eq	version:	3.1	Trust: 1.0
vendor:	abb	model:	symphony \+ operations	scope:	eq	version:	2.1	Trust: 1.0
vendor:	abb	model:	symphony \+ operations	scope:	eq	version:	3.3	Trust: 1.0
vendor:	abb	model:	symphony \+ operations	scope:	eq	version:	1.1	Trust: 1.0
vendor:	abb	model:	symphony \+ operations	scope:	eq	version:	3.2	Trust: 1.0
vendor:	abb	model:	symphony \+ historian	scope:	eq	version:	3.0	Trust: 1.0
vendor:	abb	model:	symphony \+ operations	scope:	eq	version:	3.1	Trust: 1.0
vendor:	abb	model:	symphony plus historian	scope:	-	version:	-	Trust: 0.8
vendor:	abb	model:	symphony plus operations	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-014753 // NVD: CVE-2020-24678

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-24678
value:	HIGH
Trust: 1.0
cybersecurity@ch.abb.com:	CVE-2020-24678
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-24678
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202012-1462
value:	HIGH
Trust: 0.6
VULHUB:	VHN-178580
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-24678
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-178580
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-24678
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2020-014753
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-178580 // JVNDB: JVNDB-2020-014753 // CNNVD: CNNVD-202012-1462 // NVD: CVE-2020-24678 // NVD: CVE-2020-24678

PROBLEMTYPE DATA

problemtype:	CWE-269	Trust: 1.1
problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Improper authority management (CWE-269) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-178580 // JVNDB: JVNDB-2020-014753 // NVD: CVE-2020-24678

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202012-1462

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202012-1462

PATCH

title:	Vulnerability ID	url:	https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch	Trust: 0.8
title:	ABB Symphony Plus Operations and ABB Symphony Plus Historian Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=137807	Trust: 0.6

sources: JVNDB: JVNDB-2020-014753 // CNNVD: CNNVD-202012-1462

EXTERNAL IDS

db:	NVD	id:	CVE-2020-24678	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-014753	Trust: 0.8
db:	CNNVD	id:	CNNVD-202012-1462	Trust: 0.7
db:	VULHUB	id:	VHN-178580	Trust: 0.1

sources: VULHUB: VHN-178580 // JVNDB: JVNDB-2020-014753 // CNNVD: CNNVD-202012-1462 // NVD: CVE-2020-24678

REFERENCES

url:	https://search.abb.com/library/download.aspx?documentid=2paa123980&languagecode=en&documentpartid=&action=launch	Trust: 1.6
url:	https://search.abb.com/library/download.aspx?documentid=2paa123982&languagecode=en&documentpartid=&action=launch	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-24678	Trust: 1.4
url:	https://search.abb.com/library/download.aspx?documentid=2paa123980&languagecode=en&documentpartid=&action=launch	Trust: 0.1
url:	https://search.abb.com/library/download.aspx?documentid=2paa123982&languagecode=en&documentpartid=&action=launch	Trust: 0.1

sources: VULHUB: VHN-178580 // JVNDB: JVNDB-2020-014753 // CNNVD: CNNVD-202012-1462 // NVD: CVE-2020-24678

SOURCES

db:	VULHUB	id:	VHN-178580
db:	JVNDB	id:	JVNDB-2020-014753
db:	CNNVD	id:	CNNVD-202012-1462
db:	NVD	id:	CVE-2020-24678

LAST UPDATE DATE

2024-11-23T22:05:18.659000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-178580	date:	2021-10-07T00:00:00
db:	JVNDB	id:	JVNDB-2020-014753	date:	2021-08-30T08:30:00
db:	CNNVD	id:	CNNVD-202012-1462	date:	2021-09-15T00:00:00
db:	NVD	id:	CVE-2020-24678	date:	2024-11-21T05:15:42.487

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-178580	date:	2020-12-22T00:00:00
db:	JVNDB	id:	JVNDB-2020-014753	date:	2021-08-30T00:00:00
db:	CNNVD	id:	CNNVD-202012-1462	date:	2020-12-22T00:00:00
db:	NVD	id:	CVE-2020-24678	date:	2020-12-22T22:15:13.507