CVE-2020-24673 CRITICAL

CVE-2020-24673: SQL Injection in Symphony Plus

Vendor Abb

Product ABB Ability™ Symphony® Plus Operations

Weakness CWE-89 · SQLi

Published December 22, 2020

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

In S+ Operations and S+ Historian, a successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. This can lead to a loss of confidentiality and data integrity or even affect the product behavior and its availability.

Key dates

02Disclosure timeline

December 22, 2020 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-24673 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

Identifiers

CVE CVE-2020-24673

CWE CWE-89

CVSS 9.8 / CRITICAL

Affected versions

Vendor Abb

Product ABB Ability™ Symphony® Plus Operations

Affected ≥ unspecified and < 3.3 Service Pack 1

Vendor Abb

Product ABB Ability™ Symphony® Plus Operations

Affected ≥ unspecified and < 2.1 SP2 Rollup 2

Vendor Abb

Product ABB Ability™ Symphony® Plus Operations

Affected ≥ unspecified and < 2.2

Vendor Abb

Product ABB Ability™ Symphony® Plus Historian

Affected ≥ unspecified and < 3.2

CVE-2020-24673: SQL Injection in Symphony Plus

01Description

02Disclosure timeline

03References

04Related CVE