CVE-2020-7478 — Path Traversal in Interactive Graphical Scada System

CWE-22 — Path Traversal3 documents3 sources

Severity

7.5HIGHNVD

EPSS

1.8%

top 17.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider-electric Interactive Graphical Scada System

Timeline

PublishedMar 23

Latest updateMay 24

Description

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which could allow a remote unauthenticated attacker to read arbitrary files from the IGSS server PC on an unrestricted or shared network when the IGSS Update Service is enabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDschneider-electric/interactive_graphical_scada_system14.0 — 14.0.0.20009

🔴Vulnerability Details

GHSA

GHSA-hm9h-wf2r-4pc5: A CWE-22: Improper Limitation of a Pathname to a Restricted Directory exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which coul↗2022-05-24

▶

CVEList

CVE-2020-7478: A CWE-22: Improper Limitation of a Pathname to a Restricted Directory exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which coul↗2020-03-23

▶