CVE-2020-12496 MEDIUM

CVE-2020-12496: ENDRESS+HAUSER: Ecograph T utilizing Webserver firmware version 2.x exposures sensitive information to an unauthorized actor

Vendor Endress+Hauser
Product RSG35 - Ecograph T
Weakness CWE-200 · Info exposure
Published November 19, 2020
Last update September 16, 2024
View on NVD All CVEs

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above is prone to exposure of sensitive information to an unauthorized actor. The firmware release has a dynamic token for each request submitted to the server, which makes repeating requests and analysis complex enough. Nevertheless, it's possible and during the analysis it was discovered that it also has an issue with the access-control matrix on the server-side. It was found that a user with low rights can get information from endpoints that should not be available to this user.

Key dates

02Disclosure timeline

November 19, 2020 CVE published
September 16, 2024 Record updated