CVE-2020-12495

Name of the Vulnerable Software and Affected Versions Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) versions prior to V2.0.0

Description The affected device has a web-based user interface with a role-based access system, where users with different roles have different write and read privileges. The access system is based on dynamic "tokens". The issue arises because user sessions are not closed correctly, allowing a user with fewer rights to be assigned higher rights when they log on.

Recommendations For versions prior to V2.0.0, update the firmware to version V2.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the web-based user interface or implementing additional authentication measures to minimize the risk of exploitation.