SB2020032503 - Multiple vulnerabilities in Visam VBASE




Published: March 25, 2020
Updated: March 25, 2020

Security Bulletin ID: SB2020032503
Severity: High
Patch available: NO
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 20% Medium 40% Low 40%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Path traversal (CVE-ID: CVE-2020-7008)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files from local resources on the system.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-7004)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to weak or insecure permissions. A local user can trick a victim into running a specially crafted application and gain elevated privileges on the target system.


3) Inadequate Encryption Strength (CVE-ID: CVE-2020-10601)

The vulnerability allows a local user to bypass the password-protected mechanism.

The vulnerability exists due to a weak hashing algorithm and insecure permissions. A local user can perform a brute-force attack, use cracking techniques or overwrite the password hash and bypass the password-protected mechanism.


4) Information disclosure (CVE-ID: CVE-2020-7000)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure storage of sensitive information. A remote attacker can discover the cryptographic key from the web server and gain information about the login and the encryption/decryption mechanism, which may be exploited to bypass authentication of the HTML5 HMI web interface.


5) Stack-based buffer overflow (CVE-ID: CVE-2020-10599)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in an ActiveX component. A remote unauthenticated attacker can trigger a stack-based buffer overflow and execute arbitrary code on the target system or cause a denial of service (DoS) condition.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.