CVE-2020-7541

CWE-4253 documents3 sources

Severity

5.3MEDIUM

EPSS

0.3%

top 45.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider-electric 140cpu65150 Firmware Schneider-electric 140noc77101 Firmware Schneider-electric 140noc78000 Firmware +17 more

Timeline

PublishedDec 11

Latest updateMay 24

Description

A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages20 packages

▶NVDschneider-electric/modicon_m340_bmxp341000_firmware< 3.30

▶NVDschneider-electric/modicon_m340_bmxp342000_firmware< 3.30

▶NVDschneider-electric/modicon_m340_bmxp342020_firmware< 3.30

▶NVDschneider-electric/modicon_m340_bmxp3420102_firmware< 3.30

▶NVDschneider-electric/modicon_m340_bmxp3420302_firmware< 3.30

🔴Vulnerability Details

GHSA

GHSA-56fm-6jmc-6mvp: A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premiu↗2022-05-24

▶

CVEList

CVE-2020-7541: A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premiu↗2020-12-11

▶