CVE-2020-6776 HIGH

CVE-2020-6776: CSRF in Bosch PRAESIDEO and Bosch PRAESENSA Management Interface

Vendor Bosch
Product PRAESIDEO
Weakness CWE-352 · CSRF
Published January 14, 2021
Last update September 17, 2024
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (Cross-Site Request Forgery). This requires the victim to be tricked into clicking a malicious link or submitting a malicious form. A successful exploit allows the attacker to perform arbitrary actions with the privileges of the victim, e.g. creating and modifying user accounts, changing system configuration settings and cause DoS conditions. Note: For Bosch PRAESIDEO 4.31 and newer and Bosch PRAESENSA in all versions, the confidentiality impact is considered low because user credentials are not shown in the web interface.

Key dates

02Disclosure timeline

January 14, 2021 CVE published
September 17, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-34755 WordPress Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.3.9 - Cross Site Request Forgery (CSRF) vulnerability CVE-2024-1909 Categorify <= 1.0.7.4 - Cross-Site Request Forgery via categorifyAjaxRenameCategory CVE-2025-32245 WordPress Featured Posts Scroll plugin <= 1.25 - CSRF to Stored Cross Site Scripting (XSS) vulnerability CVE-2024-31289 WordPress Hello Elementor theme <= 3.0.0 - Cross Site Request Forgery (CSRF) vulnerability CVE-2022-1829 Inline Google Maps <= 5.11 - Arbitrary Settings Update to Stored XSS via CSRF