CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2020-24673 – SQL Injection in Symphony Plus
https://notcve.org/view.php?id=CVE-2020-24673
In S+ Operations and S+ Historian, a successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. This can lead to a loss of confidentiality and data integrity or even affect the product behavior and its availability. En S+ Operations y S+ Historian, una explotación de inyección SQL con éxito puede leer datos confidenciales de la base de datos, modificar los datos de la base de datos (Insertar/Actualizar/Eliminar), ejecutar operaciones de administración en la base de datos (como apagar el DBMS), recuperar el contenido de un archivo dado presente en el sistema de archivos DBMS y, en algunos casos, emitir comandos en el sistema operativo. Esto puede conllevar a una pérdida de confidencialidad e integridad de los datos o incluso afectar el comportamiento del producto y su disponibilidad • https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 10EXPL: 0CVE-2020-24674 – Improper Authorization in Symphony Plus
https://notcve.org/view.php?id=CVE-2020-24674
In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but Unauthorized remote users could execute a Denial-of-Service (DoS) attack, execute arbitrary code, or obtain more privilege than intended on the machines. En S+ Operations y S+ Historian, no todos los comandos del cliente comprueban correctamente los permisos del usuario como se esperaba. Los usuarios remotos autenticados pero no autorizados podrían ejecutar un ataque de denegación de servicio (DoS), ejecutar código arbitrario u obtener más privilegios de los previstos en las máquinas • https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2020-24683 – Authentication Bypass in Symphony Plus
https://notcve.org/view.php?id=CVE-2020-24683
The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application. Las versiones afectadas de S+ Operations (versión 2.1 SP1 y anteriores) utilizaron un enfoque para la autenticación de usuarios que se basa en la comprobación en el nodo del cliente (autenticación del lado del cliente). Esto no es tan seguro como hacer que el servidor valide una aplicación cliente antes de permitir una conexión. • https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-305: Authentication Bypass by Primary Weakness CWE-602: Client-Side Enforcement of Server-Side Security CWE-669: Incorrect Resource Transfer Between Spheres •
CVSS: 7.0EPSS: 0%CPEs: 10EXPL: 0CVE-2020-24680 – Improper Credential Storage in Symphony Plus
https://notcve.org/view.php?id=CVE-2020-24680
In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database. En S+ Operations y S+ Historian, las contraseñas de los usuarios internos (no usuarios de Windows) están cifradas pero almacenadas incorrectamente en una base de datos • https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-255: Credentials Management Errors CWE-522: Insufficiently Protected Credentials •
CVSS: 10.0EPSS: 0%CPEs: 10EXPL: 0CVE-2020-24679 – Denial of Service attack on Symphony Plus
https://notcve.org/view.php?id=CVE-2020-24679
A S+ Operations and S+ Historian service is subject to a DoS by special crafted messages. An attacker might use this flaw to make it crash or even execute arbitrary code on the machine where the service is hosted. Un servicio S+ Operations y S+ Historian, está sujeto a una DoS mediante mensajes especiales diseñados. Un atacante podría usar este fallo para hacer que se bloquee o incluso ejecutar código arbitrario en la máquina donde está alojado el servicio • https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-20: Improper Input Validation •