CVE-2020-12495 CRITICAL

CVE-2020-12495: ENDRESS+HAUSER: Ecograph T utilizing Webserver firmware version 1.x has improper privilege management

Vendor Endress+Hauser
Product RSG35 - Ecograph T
Weakness CWE-269
Published November 19, 2020
Last update September 16, 2024

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) with Firmware version prior to V2.0.0 is prone to improper privilege management. The affected device has a web-based user interface with a role-based access system. Users with different roles have different write and read privileges. The access system is based on dynamic "tokens". The vulnerability is that user sessions are not closed correctly and a user with fewer rights is assigned the higher rights when he logs on.

Key dates

02Disclosure timeline

November 19, 2020 CVE published
September 16, 2024 Record updated