CVE-2020-28398

EUVD-2020-20857

10.12.2024, 14:15

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM ROX RX1501 (All versions < V2.16.0), RUGGEDCOM ROX RX1510 (All versions < V2.16.0), RUGGEDCOM ROX RX1511 (All versions < V2.16.0), RUGGEDCOM ROX RX1512 (All versions < V2.16.0), RUGGEDCOM ROX RX1524 (All versions < V2.16.0), RUGGEDCOM ROX RX1536 (All versions < V2.16.0), RUGGEDCOM ROX RX5000 (All versions < V2.16.0). The CLI feature in the web interface of affected devices is vulnerable to
cross-site request forgery (CSRF).

This could allow an attacker to read or modify the device configuration
by tricking an authenticated legitimate user into accessing a malicious link.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
siemens	ruggedcom_rox_mx5000	𝑥 < 2.16.0	ADP
siemens	ruggedcom_rox_mx5000re	𝑥 < 2.16.0	ADP
siemens	ruggedcom_rox_rx1400	𝑥 < 2.16.0	ADP
siemens	ruggedcom_rox_rx1500	𝑥 < 2.16.0	ADP
siemens	ruggedcom_rox_rx1501	𝑥 < 2.16.0	ADP
siemens	ruggedcom_rox_rx1510	𝑥 < 2.16.0	ADP
siemens	ruggedcom_rox_rx1511	𝑥 < 2.16.0	ADP
siemens	ruggedcom_rox_rx1512	𝑥 < 2.16.0	ADP
siemens	ruggedcom_rox_rx1524	𝑥 < 2.16.0	ADP
siemens	ruggedcom_rox_rx1536	𝑥 < 2.16.0	ADP
siemens	ruggedcom_rox_rx5000	𝑥 < 2.16.0	ADP

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://cert-portal.siemens.com/productcert/html/ssa-384652.html