CVE-2020-12517

Summary

CVE	CVE-2020-12517
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-12-17 23:15:00 UTC
Updated	2020-12-21 17:07:00 UTC
Description	On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an authenticated low privileged user could embed malicious Javascript code to gain admin rights when the admin user visits the vulnerable website (local privilege escalation).

Risk And Classification

Problem Types: CWE-79

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Phoenixcontact	Axc F 1152	-	All	All	All
Hardware	Phoenixcontact	Axc F 1152	-	All	All	All
Hardware	Phoenixcontact	Axc F 2152	-	All	All	All
Hardware	Phoenixcontact	Axc F 2152	-	All	All	All
Hardware	Phoenixcontact	Axc F 2152 Starterkit	-	All	All	All
Hardware	Phoenixcontact	Axc F 2152 Starterkit	-	All	All	All
Hardware	Phoenixcontact	Axc F 3152	-	All	All	All
Hardware	Phoenixcontact	Axc F 3152	-	All	All	All
Operating System	Phoenixcontact	Plcnext Firmware	All	All	All	All
Operating System	Phoenixcontact	Plcnext Firmware	All	All	All	All
Hardware	Phoenixcontact	Plcnext Technology Starterkit	-	All	All	All
Hardware	Phoenixcontact	Plcnext Technology Starterkit	-	All	All	All
Hardware	Phoenixcontact	Rfc 4072s	-	All	All	All
Hardware	Phoenixcontact	Rfc 4072s	-	All	All	All

References

Reference	Source	Link	Tags
PHOENIX CONTACT: Multiple vulnerabilities in PLCnext Control devices — English (USA)	CONFIRM	cert.vde.com	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Discovered by Patrick Muench, Torsten Loebner, Maurice Rothe, Pascal Keul and Daniel Hackel of SVA Systemvertrieb Alexander GmbH, coordinated by CERT@VDE

There are currently no legacy QID mappings associated with this CVE.