ID

VAR-202102-0214


CVE

CVE-2020-24842


TITLE

SDG Technologies Plug and Play SCADA Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2015-07268 // CNNVD: CNNVD-201510-709

DESCRIPTION

PNPSCADA 2.200816204020 allows cross-site scripting (XSS), which can execute arbitrary JavaScript in the victim's browser. PNPSCADA contains a cross-site scripting vulnerability. Information may be obtained and information may be tampered with. SDG Technologies Plug and Play SCADA fails to adequately filter user-submitted input, allowing remote attackers to inject malicious scripts or HTML code that capture sensitive information or hijack user sessions when the malicious data is viewed. SDG Technologies Plug and Play SCADA is a set of Web-based SCADA (Data Acquisition and Monitoring Control) and HMI software used by SDG Technologies of South Africa in the energy industry. A cross-site scripting vulnerability exists in SDG Technologies Plug and Play SCADA, caused by the program's insufficient filtering of user-submitted input. When a user browses an affected website, their browser executes arbitrary script code provided by the attacker. This could lead to attackers stealing cookie-based authentication credentials and launching other attacks.

Trust: 3.15

sources: NVD: CVE-2020-24842 // JVNDB: JVNDB-2020-015941 // CNVD: CNVD-2015-07268 // CNNVD: CNNVD-201510-709 // BID: 77109 // IVD: 487d24e6-1e5b-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 487d24e6-1e5b-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-07268

AFFECTED PRODUCTS

vendor: sdgc, model: pnpscada, scope: eq, version: 2.200816204020

Trust: 1.0

vendor: sdg, model: plug and play scada, scope: eq, version: 2.200816204020

Trust: 0.8

vendor: sdg, model: plug and play scada, scope: eq, version: -

Trust: 0.8

vendor: sdg, model: cc plug and play scada, scope: -, version: -

Trust: 0.6

vendor: sdg, model: plug and play scada, scope: eq, version: 0

Trust: 0.3

vendor: sdg, model: cc plug and play scada, scope: eq, version: *

Trust: 0.2

sources: IVD: 487d24e6-1e5b-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-07268 // BID: 77109 // JVNDB: JVNDB-2020-015941 // NVD: CVE-2020-24842

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-24842
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-24842
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-07268
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202102-1026
value: MEDIUM

Trust: 0.6

IVD: 487d24e6-1e5b-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2020-24842
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-07268
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 487d24e6-1e5b-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2020-24842
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2020-24842
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 487d24e6-1e5b-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-07268 // JVNDB: JVNDB-2020-015941 // CNNVD: CNNVD-202102-1026 // NVD: CVE-2020-24842

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-015941 // NVD: CVE-2020-24842

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201510-709 // CNNVD: CNNVD-202102-1026

TYPE

XSS

Trust: 1.2

sources: CNNVD: CNNVD-201510-709 // CNNVD: CNNVD-202102-1026

PATCH

title: Top Page, url: https://sdg.pnpscada.com/home.html

Trust: 0.8

sources: JVNDB: JVNDB-2020-015941

EXTERNAL IDS

db: ICS CERT ALERT, id: ICS-ALERT-15-288-01

Trust: 2.7

db: NVD, id: CVE-2020-24842

Trust: 2.4

db: BID, id: 77109

Trust: 1.5

db: CNVD, id: CNVD-2015-07268

Trust: 0.8

db: JVNDB, id: JVNDB-2020-015941

Trust: 0.8

db: CNNVD, id: CNNVD-201510-709

Trust: 0.6

db: CNNVD, id: CNNVD-202102-1026

Trust: 0.6

db: IVD, id: 487D24E6-1E5B-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: 487d24e6-1e5b-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-07268 // BID: 77109 // JVNDB: JVNDB-2020-015941 // CNNVD: CNNVD-201510-709 // CNNVD: CNNVD-202102-1026 // NVD: CVE-2020-24842

REFERENCES

url:https://us-cert.cisa.gov/ics/alerts/ics-alert-15-288-01

Trust: 2.4

url:http://www.securityfocus.com/bid/77109

Trust: 1.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-24842

Trust: 0.8

url:http://www.pnpscada.com/about.html

Trust: 0.3

url:https://ics-cert.us-cert.gov/alerts/ics-alert-15-288-01

Trust: 0.3

sources: CNVD: CNVD-2015-07268 // BID: 77109 // JVNDB: JVNDB-2020-015941 // CNNVD: CNNVD-201510-709 // CNNVD: CNNVD-202102-1026 // NVD: CVE-2020-24842

CREDITS

Kelvin Security

Trust: 0.9

sources: BID: 77109 // CNNVD: CNNVD-201510-709

SOURCES

db: IVD, id: 487d24e6-1e5b-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2015-07268
db: BID, id: 77109
db: JVNDB, id: JVNDB-2020-015941
db: CNNVD, id: CNNVD-201510-709
db: CNNVD, id: CNNVD-202102-1026
db: NVD, id: CVE-2020-24842

LAST UPDATE DATE

2024-11-23T23:04:06.628000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2015-07268, date: 2015-11-05T00:00:00
db: BID, id: 77109, date: 2015-10-15T00:00:00
db: JVNDB, id: JVNDB-2020-015941, date: 2021-10-25T09:06:00
db: CNNVD, id: CNNVD-201510-709, date: 2015-10-29T00:00:00
db: CNNVD, id: CNNVD-202102-1026, date: 2021-02-22T00:00:00
db: NVD, id: CVE-2020-24842, date: 2024-11-21T05:16:07.377

SOURCES RELEASE DATE

db: IVD, id: 487d24e6-1e5b-11e6-abef-000c29c66e3d, date: 2015-11-05T00:00:00
db: CNVD, id: CNVD-2015-07268, date: 2015-11-05T00:00:00
db: BID, id: 77109, date: 2015-10-15T00:00:00
db: JVNDB, id: JVNDB-2020-015941, date: 2021-10-25T00:00:00
db: CNNVD, id: CNNVD-201510-709, date: 2015-10-29T00:00:00
db: CNNVD, id: CNNVD-202102-1026, date: 2021-02-10T00:00:00
db: NVD, id: CVE-2020-24842, date: 2021-02-10T22:15:13.343