May 8, 2020
Severity
Medium
Analysis Summary
The CODESYS WebVisu and the CODESYS Remote TargetVisu are susceptible to a privilege escalation that allows access to visualization screens intended solely for specific operators. The attack is only possible under one of the following configurations:
- Navigation inside the downloaded visualization is done by switching entire visualization screens, and only the navigation elements are protected by the user management.
- The downloaded visualization contains visualization screens that cannot be reached through navigation.
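To make the two preconditions concrete, here is an added toy model (not CODESYS code; every screen, group and function name below is constructed for the illustration) contrasting an HMI that protects only the navigation elements with one that authorizes every screen switch on the server side:

```python
"""Toy HMI model: hiding navigation buttons is not an access control.

Constructed for this illustration; it is not CODESYS code.  A screen switch
request carries only the target screen name, as a visualization client would.
"""
from dataclasses import dataclass

# Constructed user management: screen -> groups permitted to view it.
SCREEN_ACCESS = {
    "Overview": {"operator", "maintenance", "admin"},
    "Maintenance": {"maintenance", "admin"},
    "Config": {"admin"},  # reachable by no navigation button at all
}

# Constructed navigation: which buttons each screen offers.
NAV_BUTTONS = {
    "Overview": ["Maintenance"],
    "Maintenance": ["Overview"],
    "Config": ["Overview"],
}


@dataclass
class Session:
    user: str
    groups: set
    current: str = "Overview"


def visible_buttons(session):
    """Weak pattern from the advisory: only navigation elements are protected,
    so buttons leading to unauthorized screens are merely hidden."""
    return [s for s in NAV_BUTTONS[session.current]
            if session.groups & SCREEN_ACCESS[s]]


def switch_screen_weak(session, target):
    """Weak: assumes the client only requests screens it was shown a button for,
    so any existing screen name is served."""
    if target not in SCREEN_ACCESS:
        return False
    session.current = target
    return True


def switch_screen_hardened(session, target):
    """Hardened: authorization is evaluated on every screen switch, independent
    of whether a navigation button to the target exists or was displayed."""
    if target not in SCREEN_ACCESS or not (session.groups & SCREEN_ACCESS[target]):
        return False
    session.current = target
    return True
```

The hardened check is the behaviour to expect from a visualization runtime: the screen itself, not the button that leads to it, is the protected resource.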
Impact
Improper Privilege Management
Affected Vendors
CODESYS
Affected Products
- CODESYS Development System V3 versions prior to V3.5.16.0
- CODESYS Control for BeagleBone
- CODESYS Control for emPC-A/iMX6
- CODESYS Control for IOT2000
- CODESYS Control for Linux
- CODESYS Control for PLCnext
- CODESYS Control for PFC100
- CODESYS Control for PFC200
- CODESYS Control for Raspberry Pi
- CODESYS Control RTE V3
- CODESYS Control RTE V3 (for Beckhoff CX)
- CODESYS Control Win V3
- CODESYS HMI V3
- CODESYS Control V3 Runtime System Toolkit
Remediation
Update to version V3.5.16.0 of CODESYS to fix the vulnerability.