CVE-2020-12517

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

9.0CRITICAL

EPSS

0.6%

top 30.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phoenix Contact AXC F 1152 (1151412)Phoenix Contact AXC F 2152 (2404267)Phoenix Contact AXC F 2152 Starterkit (1046568)+4 more

Timeline

PublishedDec 17

Latest updateMay 24

Description

On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an authenticated low privileged user could embed malicious Javascript code to gain admin rights when the admin user visits the vulnerable website (local privilege escalation).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages7 packages

▶NVDphoenixcontact/plcnext_firmware< 2021.0

▶CVEListV5phoenix_contact/plcnext_technology_starterkit_(1188165)unspecified — 2021.0 LTS

▶CVEListV5phoenix_contact/rfc_4072s_(1051328unspecified — 2021.0 LTS

▶CVEListV5phoenix_contact/axc_f_1152_(1151412)unspecified — 2021.0 LTS

▶CVEListV5phoenix_contact/axc_f_2152_(2404267)unspecified — 2021.0 LTS

🔴Vulnerability Details

GHSA

GHSA-hwm9-775j-vf84: On Phoenix Contact PLCnext Control Devices versions before 2021↗2022-05-24

▶

CVEList

Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS: An authenticated low privileged user could embed malicious Javascript code to gain admin rights when the admin user visits the vulne↗2020-12-17

▶