CVE-2020-11999

Name of the Vulnerable Software and Affected Versions FactoryTalk Linx versions 6.00 through 6.11 RSLinx Classic versions 4.11.00 and prior Connected Components Workbench versions 12 and prior ControlFLASH versions 14 and later ControlFLASH Plus versions 1 and later FactoryTalk Asset Centre versions 9 and later FactoryTalk Linx CommDTM versions 1 and later Studio 5000 Launcher versions 31 and later Studio 5000 Logix Designer software versions 32 and prior

Description An exposed API call in the software allows users to provide files to be processed without proper sanitation. This may enable an attacker to specify a filename, potentially leading to the execution of unauthorized code and modification of files or data.

Recommendations For FactoryTalk Linx versions 6.00 through 6.11, consider disabling the exposed API call until a patch is available. For RSLinx Classic versions 4.11.00 and prior, restrict access to the API endpoint to minimize the risk of exploitation. For Connected Components Workbench versions 12 and prior, avoid using the vulnerable API call in production environments until the issue is resolved. For ControlFLASH versions 14 and later, ControlFLASH Plus versions 1 and later, FactoryTalk Asset Centre versions 9 and later, FactoryTalk Linx CommDTM versions 1 and later, Studio 5000 Launcher versions 31 and later, and Studio 5000 Logix Designer software versions 32 and prior, there is no information about a newer version that contains a fix for this vulnerability.