CVE-2020-12496

Name of the Vulnerable Software and Affected Versions Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) versions V2.0.0 and above Endress+Hauser Memograph M (Neutral/Private Label) (RSG45, ORSG45) versions V2.0.0 and above

Description The issue concerns exposure of sensitive information to unauthorized actors. The firmware release utilizes a dynamic token for each request submitted to the server, complicating repeating requests and analysis. However, it was discovered that there is an issue with the access-control matrix on the server-side, allowing a user with low rights to access information from endpoints that should not be available to them.

Recommendations For Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) versions V2.0.0 and above: As a temporary workaround, consider restricting access to sensitive endpoints until a patch is available. For Endress+Hauser Memograph M (Neutral/Private Label) (RSG45, ORSG45) versions V2.0.0 and above: As a temporary workaround, consider restricting access to sensitive endpoints until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.