PT-2020-12678 · 3Xlogic · Infinias Eidc32

Published: 2020-04-04 · Updated: 2021-07-21 · CVE-2020-11542

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: 3xLOGIC Infinias eIDC32 version 2.213

Description: The issue allows authentication bypass via the CMD.HTM endpoint, specifically when the CMD parameter is used, because authentication relies on the client-side interpretation of the MYKEY substring.

Recommendations: For version 2.213, as a temporary workaround, consider restricting access to the CMD.HTM endpoint until a patch is available. Avoid using the CMD parameter in the CMD.HTM endpoint to minimize the risk of exploitation.

Weakness Enumeration

Improper Authentication

Cleartext Transmission of Sensitive Information

Related Identifiers: CVE-2020-11542

Affected Products: Infinias Eidc32