Main Vulnerability Database Vulnerabilities #VU25262

Information disclosure in Siemens OZW672 and Siemens OZW772 - CVE-2019-13941

Published: February 12, 2020

Vulnerability identifier: #VU25262

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-13941

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Siemens

Affected software:
Siemens OZW672
Siemens OZW772

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the OZW web server uses predictable path names for project files that legitimately authenticated users have created by using the application’s export function. A remote attacker can access a specific uniform resource locator on the web server and download a project file without prior authentication.

How to mitigate CVE-2019-13941

Install updates from vendor's website.

Sources

https://cert-portal.siemens.com/productcert/pdf/ssa-986695.pdf

Information disclosure in Siemens OZW672 and Siemens OZW772 - CVE-2019-13941

Detailed vulnerability description

How to mitigate CVE-2019-13941

Sources

Please verify you're human