Vulnerability Description
On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an authenticated low privileged user could embed malicious Javascript code to gain admin rights when the admin user visits the vulnerable website (local privilege escalation).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phoenixcontact | Plcnext Firmware | < 2021.0 |
| Phoenixcontact | Axc F 1152 | - |
| Phoenixcontact | Axc F 2152 | - |
| Phoenixcontact | Axc F 3152 | - |
| Phoenixcontact | Rfc 4072S | - |
| Phoenixcontact | Axc F 2152 Starterkit | - |
| Phoenixcontact | Plcnext Technology Starterkit | - |
Related Weaknesses (CWE)
References
- https://cert.vde.com/en-us/advisories/vde-2020-049Third Party Advisory
- https://cert.vde.com/en-us/advisories/vde-2020-049Third Party Advisory
FAQ
What is CVE-2020-12517?
CVE-2020-12517 is a vulnerability with a CVSS score of 8.8 (HIGH). On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an authenticated low privileged user could embed malicious Javascript code to gain admin rights when the admin user visits the vul...
How severe is CVE-2020-12517?
CVE-2020-12517 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-12517?
Check the references section above for vendor advisories and patch information. Affected products include: Phoenixcontact Plcnext Firmware, Phoenixcontact Axc F 1152, Phoenixcontact Axc F 2152, Phoenixcontact Axc F 3152, Phoenixcontact Rfc 4072S.