Main Vulnerability Database SB2020092325

SB2020092325 - Multiple vulnerabilities in GE Digital APM Classic

Published: September 23, 2020

Security Bulletin ID SB2020092325

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Authorization bypass through user-controlled key (CVE-ID: CVE-2020-16240)

The vulnerability allows a remote user to gain unauthorized access to sensitive information on the system.

The vulnerability exist due to an insecure direct object reference (IDOR) issue. A remote attacker can download sensitive data related to user accounts without having the proper privileges.

2) Use of a One-Way Hash without a Salt (CVE-ID: CVE-2020-16244)

The vulnerability allows a remote user to gain access to sensitive information on the system.

The vulnerability exists due to salt is not used for hash calculation of passwords, making it possible to decrypt passwords. A remote administrator can retrieve all user account data and then retrieve the actual passwords.

Remediation

Install update from vendor's website.

References

https://ics-cert.us-cert.gov/advisories/icsa-20-266-01