{"api_version":"1","generated_at":"2026-04-23T06:18:46+00:00","cve":"CVE-2020-13504","urls":{"html":"https://cve.report/CVE-2020-13504","api":"https://cve.report/api/cve/CVE-2020-13504.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-13504","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-13504"},"summary":{"title":"CVE-2020-13504","description":"Parameter AttFilterValue in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks. Specially crafted SOAP web requests can cause SQL injections resulting in data compromise. An attacker can send unauthenticated HTTP requests to trigger this vulnerability.","state":"PUBLIC","assigner":"talos-cna@cisco.com","published_at":"2020-09-24 15:15:00","updated_at":"2020-09-29 13:40:00"},"problem_types":["CWE-89"],"metrics":[],"references":[{"url":"https://talosintelligence.com/vulnerability_reports/TALOS-2020-1108","name":"https://talosintelligence.com/vulnerability_reports/TALOS-2020-1108","refsource":"MISC","tags":["Exploit","Technical Description","Third Party Advisory"],"title":"Talos Website","mime":"application/octet-stream","httpstatus":"404","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-13504","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13504","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"13504","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"aveva","cpe5":"edna_enterprise_data_historian","cpe6":"3.0.1.2\\/7.5.4989.33053","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13504","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"aveva","cpe5":"edna_enterprise_data_historian","cpe6":"3.0.1.2\\/7.5.4989.33053","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-13504","ASSIGNER":"talos-cna@cisco.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"Aveva","version":{"version_data":[{"version_value":"Aveva eDNA Enterprise Data Historian 3.0.1.2/7.5.4989.33053"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"SQL injection"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://talosintelligence.com/vulnerability_reports/TALOS-2020-1108","url":"https://talosintelligence.com/vulnerability_reports/TALOS-2020-1108"}]},"description":{"description_data":[{"lang":"eng","value":"Parameter AttFilterValue in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks. Specially crafted SOAP web requests can cause SQL injections resulting in data compromise. An attacker can send unauthenticated HTTP requests to trigger this vulnerability."}]}},"nvd":{"publishedDate":"2020-09-24 15:15:00","lastModifiedDate":"2020-09-29 13:40:00","problem_types":["CWE-89"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:aveva:edna_enterprise_data_historian:3.0.1.2\\/7.5.4989.33053:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"13504","Ordinal":"174688","Title":"CVE-2020-13504","CVE":"CVE-2020-13504","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"13504","Ordinal":"1","NoteData":"Parameter AttFilterValue in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks. Specially crafted SOAP web requests can cause SQL injections resulting in data compromise. An attacker can send unauthenticated HTTP requests to trigger this vulnerability.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"13504","Ordinal":"2","NoteData":"2020-09-24","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"13504","Ordinal":"3","NoteData":"2020-09-24","Type":"Other","Title":"Modified"}]}}}