CVE-2020-12517

Summary

On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an authenticated low privileged user could embed malicious Javascript code to gain admin rights when the admin user visits the vulnerable website (local privilege escalation).

Affected Software

VendorProductVersion RangeStatus
Phoenix ContactAXC F 1152 (1151412)unspecified < 2021.0 LTSaffected
Phoenix ContactAXC F 2152 (2404267)unspecified < 2021.0 LTSaffected
Phoenix ContactAXC F 3152 (1069208)unspecified < 2021.0 LTSaffected
Phoenix ContactRFC 4072S (1051328unspecified < 2021.0 LTSaffected
Phoenix ContactAXC F 2152 Starterkit (1046568)unspecified < 2021.0 LTSaffected
Phoenix ContactPLCnext Technology Starterkit (1188165)unspecified < 2021.0 LTSaffected

Weaknesses

  • CWE-79: CWE-79 Cross-site Scripting (XSS)

Workarounds

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to the Phoenix Contact application note.

ADP Enrichment

CVE Program Container

Additional References

References