CVE-2020-7535 — Path Traversal in Modicon M340 Bmxp341000 Firmware

CWE-22 — Path Traversal3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 37.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider-electric 140noe77101 Firmware Schneider-electric 140noe77111 Firmware Schneider-electric Bmxnoe0100 Firmware +8 more

Timeline

PublishedDec 11

Latest updateMay 24

Description

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages11 packages

▶NVDschneider-electric/modicon_m340_bmxp341000_firmware< 3.30

▶NVDschneider-electric/modicon_m340_bmxp342000_firmware< 3.30

▶NVDschneider-electric/modicon_m340_bmxp342020_firmware< 3.30

▶NVDschneider-electric/modicon_m340_bmxp3420102_firmware< 3.30

▶NVDschneider-electric/modicon_m340_bmxp3420302_firmware< 3.30

🔴Vulnerability Details

GHSA

GHSA-jqm2-jgff-xhhh: A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on↗2022-05-24

▶

CVEList

CVE-2020-7535: A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on↗2020-12-11

▶