PHOENIX CONTACT PLCnext Engineer version 2020.3.1 and earlier: Improper path sanitization vulnerability.
CVE-2020-12499
8.2 HIGH
What is CVE-2020-12499?
In PHOENIX CONTACT PLCnext Engineer version 2020.3.1 and earlier, an improper path sanitization vulnerability exists on import of project files.
Affected Version(s)
PLCnext Engineer <= 2020.3.1
References
CVSS V3.1
Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
This vulnerability was discovered and reported by Amir Preminger of Claroty.
PHOENIX CONTACT reported the vulnerability to CERT@VDE.