CVE-2020-7574 — Vulnetix

Try Vulnetix Request Demo

CVE-2020-7574 PUBLISHED CVSS 6.099999904632568 MEDIUM

A vulnerability has been identified in Climatix POL908 (BACnet/IP module) (All versions), Climatix POL909 (AWM module) (All versions). A persistent cross-site scripting (XSS) vulnerability exists in the "Server Config" web interface of the affected devices that could allow an attacker to inject arbitrary JavaScript code. The code could be potentially executed later by another (possibly privileged) user. The security vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires no system privileges. An attacker could use the vulnerability to compromise the confidentiality and integrity of other users' web session.

EPSS 0.37% · 58.7th percentile

Risk Scores

CVSS v3.1

6.099999904632568

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Score

0.37%

58.7th percentile

Affected Products

Vendor	Product	Versions
Siemens	Climatix POL908 (BACnet/IP module)	All versions
siemens	climatix_pol909_firmware	0
Siemens	Climatix POL909 (AWM module)	All versions < V11.32
siemens	climatix_pol908_firmware

Timeline

Apr 14, 2020 CVE Published
Apr 14, 2021 EPSS Score
Jun 22, 2021 EPSS Score
Aug 23, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Feb 25, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Apr 28, 2022 EPSS Score
Jun 29, 2022 EPSS Score
Aug 31, 2022 EPSS Score

References

Open in Interactive Console →