CVSS: 9.1EPSS: 0%CPEs: 18EXPL: 0CVE-2020-12523 – Phoenix Contact mGuard Devices versions before 8.8.3: LAN ports get functional after reboot even if they are disabled in the device configuration
https://notcve.org/view.php?id=CVE-2020-12523
On Phoenix Contact mGuard Devices versions before 8.8.3 LAN ports get functional after reboot even if they are disabled in the device configuration. For mGuard devices with integrated switch on the LAN side, single switch ports can be disabled by device configuration. After a reboot these ports get functional independent from their configuration setting: Missing Initialization of Resource En Phoenix Contact mGuard Devices versiones anteriores a 8.8.3, los puertos LAN funcionan después del reinicio, inclusive si están desactivados en la configuración del dispositivo. Para los dispositivos mGuard con switch integrado en el lado de la LAN, los puertos switch únicos pueden ser desactivados mediante la configuración del dispositivo. Después de un reinicio, estos puertos se vuelven funcionales independientemente de su configuración: Falta la Inicialización del Recurso • https://cert.vde.com/en-us/advisories/vde-2020-046 • CWE-909: Missing Initialization of Resource •
CVSS: 6.5EPSS: 0%CPEs: 12EXPL: 0CVE-2020-12521 – Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS: A specially crafted LLDP packet may lead to a high system load in the PROFINET stack.
https://notcve.org/view.php?id=CVE-2020-12521
On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS a specially crafted LLDP packet may lead to a high system load in the PROFINET stack. An attacker can cause failure of system services or a complete reboot. En Phoenix Contact PLCnext Control Devices versiones anteriores a 2021.0 LTS, un paquete LLDP especialmente diseñado puede conllevar a una alta carga del sistema en la pila PROFINET. Un atacante puede causar un fallo en los servicios del sistema o un reinicio completo • https://cert.vde.com/en-us/advisories/vde-2020-049 • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 0%CPEs: 12EXPL: 0CVE-2020-12519 – Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS: An attacker can use this vulnerability i.e. to open a reverse shell with root privileges.
https://notcve.org/view.php?id=CVE-2020-12519
On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an attacker can use this vulnerability i.e. to open a reverse shell with root privileges. En Phoenix Contact PLCnext Control Devices versiones anteriores a 2021.0 LTS, un atacante puede utilizar esta vulnerabilidad, es decir, para abrir un shell inverso con privilegios root • https://cert.vde.com/en-us/advisories/vde-2020-049 • CWE-269: Improper Privilege Management •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2020-12518 – Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS: An attacker can use the knowledge gained by reading the insufficiently protected sensitive information to plan further attacks.
https://notcve.org/view.php?id=CVE-2020-12518
On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an attacker can use the knowledge gained by reading the insufficiently protected sensitive information to plan further attacks. En Phoenix Contact PLCnext Control Devices versiones anteriores a 2021.0 LTS, un atacante puede utilizar los conocimientos adquiridos al leer la información confidencial que no está suficientemente protegida para planificar futuros ataques • https://cert.vde.com/en-us/advisories/vde-2020-049 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.0EPSS: 0%CPEs: 12EXPL: 0CVE-2020-12517 – Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS: An authenticated low privileged user could embed malicious Javascript code to gain admin rights when the admin user visits the vulnerable website (local privilege escalation).
https://notcve.org/view.php?id=CVE-2020-12517
On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an authenticated low privileged user could embed malicious Javascript code to gain admin rights when the admin user visits the vulnerable website (local privilege escalation). En Phoenix Contact PLCnext Control Devices versiones anteriores a 2021.0 LTS, un usuario autenticado poco privilegiado podría insertar código Javascript malicioso para alcanzar derechos de administrador cuando el usuario administrador visita el sitio web vulnerable (escalada de privilegios local) • https://cert.vde.com/en-us/advisories/vde-2020-049 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •