ID

VAR-202104-0009


CVE

CVE-2020-13533


TITLE

Dream Report Inappropriate Default Permission Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-016499

DESCRIPTION

A privilege escalation vulnerability exists in Dream Report 5 R20-2. In the default configuration, the following registry keys, which reference binaries with weak permissions, can be abused by attackers to effectively ‘backdoor’ the installation files and escalate privileges when a new user logs in and uses the application. Dream Report is vulnerable to incorrect default permissions. Information may be obtained or tampered with, and service may be disrupted (DoS). Ocean Data Systems Dream Report 5 R20-2 is an application software product of Ocean Data Systems in France. It is a real-time report and charting solution.

Trust: 2.25

sources: NVD: CVE-2020-13533 // JVNDB: JVNDB-2020-016499 // CNVD: CNVD-2021-28326 // VULMON: CVE-2020-13533

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-28326

AFFECTED PRODUCTS

vendor: dreamreport, model: dream report, scope: eq, version: 5_r20-2

Trust: 1.0

vendor: dream report, model: dream report, scope: eq, version: 5 r20-2

Trust: 0.8

vendor: dream report, model: dream report, scope: eq, version: -

Trust: 0.8

vendor: ocean, model: data systems dream report r20-2, scope: eq, version: 5

Trust: 0.6

sources: CNVD: CNVD-2021-28326 // JVNDB: JVNDB-2020-016499 // NVD: CVE-2020-13533

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-13533
value: HIGH

Trust: 1.0

talos-cna@cisco.com: CVE-2020-13533
value: CRITICAL

Trust: 1.0

NVD: CVE-2020-13533
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-28326
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202104-495
value: HIGH

Trust: 0.6

VULMON: CVE-2020-13533
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-13533
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-28326
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-13533
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

talos-cna@cisco.com: CVE-2020-13533
baseSeverity: CRITICAL
baseScore: 9.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.5
impactScore: 6.0
version: 3.0

Trust: 1.0

NVD: CVE-2020-13533
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-28326 // VULMON: CVE-2020-13533 // JVNDB: JVNDB-2020-016499 // CNNVD: CNNVD-202104-495 // NVD: CVE-2020-13533 // NVD: CVE-2020-13533

PROBLEMTYPE DATA

problemtype: CWE-276

Trust: 1.0

problemtype: Inappropriate default permissions (CWE-276) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-016499 // NVD: CVE-2020-13533

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202104-495

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-495

PATCH

title: Top Page, url: https://dreamreport.net/

Trust: 0.8

sources: JVNDB: JVNDB-2020-016499

EXTERNAL IDS

db: NVD, id: CVE-2020-13533

Trust: 3.9

db: TALOS, id: TALOS-2020-1146

Trust: 3.1

db: JVNDB, id: JVNDB-2020-016499

Trust: 0.8

db: CNVD, id: CNVD-2021-28326

Trust: 0.6

db: CNNVD, id: CNNVD-202104-495

Trust: 0.6

db: VULMON, id: CVE-2020-13533

Trust: 0.1

sources: CNVD: CNVD-2021-28326 // VULMON: CVE-2020-13533 // JVNDB: JVNDB-2020-016499 // CNNVD: CNNVD-202104-495 // NVD: CVE-2020-13533

REFERENCES

url: https://talosintelligence.com/vulnerability_reports/talos-2020-1146

Trust: 3.1

url: https://nvd.nist.gov/vuln/detail/cve-2020-13533

Trust: 1.4

url: https://cwe.mitre.org/data/definitions/276.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2021-28326 // VULMON: CVE-2020-13533 // JVNDB: JVNDB-2020-016499 // CNNVD: CNNVD-202104-495 // NVD: CVE-2020-13533

CREDITS

Discovered by Yuri Kramarz of Cisco Talos.

Trust: 0.6

sources: CNNVD: CNNVD-202104-495

SOURCES

db: CNVD, id: CNVD-2021-28326
db: VULMON, id: CVE-2020-13533
db: JVNDB, id: JVNDB-2020-016499
db: CNNVD, id: CNNVD-202104-495
db: NVD, id: CVE-2020-13533

LAST UPDATE DATE

2024-11-23T21:34:47.258000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-28326, date: 2021-04-19T00:00:00
db: VULMON, id: CVE-2020-13533, date: 2021-04-14T00:00:00
db: JVNDB, id: JVNDB-2020-016499, date: 2021-12-13T02:26:00
db: CNNVD, id: CNNVD-202104-495, date: 2022-08-10T00:00:00
db: NVD, id: CVE-2020-13533, date: 2024-11-21T05:01:26.660

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-28326, date: 2021-04-15T00:00:00
db: VULMON, id: CVE-2020-13533, date: 2021-04-09T00:00:00
db: JVNDB, id: JVNDB-2020-016499, date: 2021-12-13T00:00:00
db: CNNVD, id: CNNVD-202104-495, date: 2021-04-08T00:00:00
db: NVD, id: CVE-2020-13533, date: 2021-04-09T18:15:12.663