Vulnerability Description
Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above is prone to exposure of sensitive information to an unauthorized actor. The firmware release has a dynamic token for each request submitted to the server, which makes repeating requests and analysis complex enough. Nevertheless, it's possible and during the analysis it was discovered that it also has an issue with the access-control matrix on the server-side. It was found that a user with low rights can get information from endpoints that should not be available to this user.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Endress | Rsg35 Firmware | < 2.0.0 |
| Endress | Rsg35 | - |
| Endress | Rsg45 Firmware | < 2.0.0 |
| Endress | Rsg45 | - |
| Endress | Orsg35 Firmware | < 2.0.0 |
| Endress | Orsg35 | - |
| Endress | Orsg45 Firmware | < 2.0.0 |
| Endress | Orsg45 | - |
Related Weaknesses (CWE)
References
- https://cert.vde.com/en-us/advisories/vde-2020-022Vendor Advisory
- https://cert.vde.com/en-us/advisories/vde-2020-022Vendor Advisory
FAQ
What is CVE-2020-12496?
CVE-2020-12496 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above is prone to exposure of sensitive infor...
How severe is CVE-2020-12496?
CVE-2020-12496 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-12496?
Check the references section above for vendor advisories and patch information. Affected products include: Endress Rsg35 Firmware, Endress Rsg35, Endress Rsg45 Firmware, Endress Rsg45, Endress Orsg35 Firmware.