CVE-2020-13537

CWE-276 — Incorrect Default Permissions CWE-269 — Improper Privilege Management3 documents3 sources

Severity

7.8HIGH

EPSS

0.0%

top 90.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Moxa Mxview

Timeline

PublishedNov 5

Latest updateMay 24

Description

An exploitable local privilege elevation vulnerability exists in the file system permissions of Moxa MXView series 3.1.8 installation. Depending on the vector chosen, an attacker can either add code to a script or replace a binary.By default MXViewService, which starts as a NT SYSTEM authority user executes a series of Node.Js scripts to start additional application functionality and among them the mosquitto executable is also run.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDmoxa/mxview3.1.8

▶CVEListV5moxaMoxa MXView Series 3.1.8

🔴Vulnerability Details

GHSA

GHSA-9vx5-p3h2-529c: An exploitable local privilege elevation vulnerability exists in the file system permissions of Moxa MXView series 3↗2022-05-24

▶

CVEList

CVE-2020-13537: An exploitable local privilege elevation vulnerability exists in the file system permissions of Moxa MXView series 3↗2020-11-05

▶