CVE-2020-8973

ZGR TPS200 NG in its 2.00 firmware version and 1.01 hardware version, does not properly accept specially constructed requests. This allows an attacker with access to the network where the affected asset is located, to operate and change several parameters without having to be registered as a user on the web that owns the device.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-zgr-tps200-ng

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:zigor:zgr_tps200_ng_firmware:2.00:*:*:*:*:*:*:*

cpe:2.3:h:zigor:zgr_tps200_ng:1.01:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-10-17 22:15

Updated : 2023-11-20 11:15

NVD link : CVE-2020-8973

Mitre link : CVE-2020-8973

CVE.ORG link : CVE-2020-8973

JSON object : View

Products Affected

zigor

zgr_tps200_ng
zgr_tps200_ng_firmware

CWE

NVD-CWE-noinfo CWE-284

Improper Access Control

{"id": "CVE-2020-8973", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.8}]}, "published": "2022-10-17T22:15:10.023", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-zgr-tps200-ng", "source": "cve-coordination@incibe.es"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "ZGR TPS200 NG in its 2.00 firmware version and 1.01 hardware version, does not properly accept specially constructed requests. This allows an attacker with access to the network where the affected asset is located, to operate and change several parameters without having to be registered as a user on the web that owns the device."}, {"lang": "es", "value": "ZGR TPS200 NG en su versi\u00f3n de firmware 2.00 y en su versi\u00f3n de hardware 1.01, no acepta apropiadamente peticiones especialmente construidas. Esto permite que un atacante con acceso a la red donde es encontrado el activo afectado, pueda operar y cambiar varios par\u00e1metros sin necesidad de estar registrado como usuario en la web que posee el dispositivo"}], "lastModified": "2023-11-20T11:15:07.050", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zigor:zgr_tps200_ng_firmware:2.00:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F42D21EF-7B57-43BB-8515-809E45880176"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zigor:zgr_tps200_ng:1.01:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "ABB13226-AA1F-4DA9-925D-832EFAC30748"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve-coordination@incibe.es"}