CVE-2020-11644
Vulnerability Scoring
Attack Complexity Details
- Attack Complexity: Low Impact
- Attack Vector: NETWORK
- Privileges Required: Low Impact
- Scope: UNCHANGED
- User Interaction: NONE
CIA Impact Definition
- Confidentiality:
- Integrity: HIGH IMPACT
- Availability:
CVE-2020-11644 Vulnerability Summary
The information disclosure vulnerability present in B&R GateManager 4260 and 9250 versions <9.0.20262 and GateManager 8250 versions <9.2.620236042 allows authenticated users to generate fake audit log messages.
Access Complexity Graph for CVE-2020-11644
Impact Analysis for CVE-2020-11644
Exploit Prediction Scoring System (EPSS)
The EPSS score estimates the probability that this vulnerability will be exploited in the near future.
EPSS Score: 0.05% (probability of exploit)
EPSS Percentile: 22.16%
(lower percentile = lower relative risk)
This vulnerability is less risky than approximately 77.84% of others.
CVE-2020-11644 Detailed Information and External References
References
- https://us-cert.cisa.gov/ics/advisories/icsa-20-273-03
- https://www.br-automation.com/downloads_br_productcatalogue/assets/1600003183751-de-original-1.0.pdf
CWE
CWE-117CAPEC
- Audit Log Manipulation CAPEC-268 The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.
- Web Server Logs Tampering CAPEC-81 Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
- Log Injection-Tampering-Forging CAPEC-93 This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.
Vulnerable Configurations
-
cpe:2.3:o:br-automation:gatemanager_9250_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:br-automation:gatemanager_9250_firmware:-:*:*:*:*:*:*:*
-
cpe:2.3:h:br-automation:gatemanager_9250:-:*:*:*:*:*:*:*
cpe:2.3:h:br-automation:gatemanager_9250:-:*:*:*:*:*:*:*
-
cpe:2.3:o:br-automation:gatemanager_4260_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:br-automation:gatemanager_4260_firmware:-:*:*:*:*:*:*:*
-
cpe:2.3:h:br-automation:gatemanager_4260:-:*:*:*:*:*:*:*
cpe:2.3:h:br-automation:gatemanager_4260:-:*:*:*:*:*:*:*
-
cpe:2.3:o:br-automation:gatemanager_8250_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:br-automation:gatemanager_8250_firmware:-:*:*:*:*:*:*:*
-
cpe:2.3:h:br-automation:gatemanager_8250:-:*:*:*:*:*:*:*
cpe:2.3:h:br-automation:gatemanager_8250:-:*:*:*:*:*:*:*
CVSS3 Source
nvd@nist.gov
CVSS3 Type
Primary
CVSS3 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Protect Your Infrastructure: Combat Critical CVE Threats
Stay updated with real-time CVE vulnerabilities and take action to secure your systems. Enhance your cybersecurity posture with the latest threat intelligence and mitigation techniques. Develop the skills necessary to defend against CVEs and secure critical infrastructures. Join the top cybersecurity professionals safeguarding today's infrastructures.
Other Recently Published CVEs
- CVE-2025-0001 – Abacus ERP is versions older than 2024.210.16036, 2023.205.15833, 2022.105.15542 are affected by an authenticated arbitrary file read vulnerability.
- CVE-2025-1381 – A vulnerability was found in code-projects Real Estate Property Management System 1.0. It has been classified as critical. This affects an unknown ...
- CVE-2025-1380 – A vulnerability was found in Codezips Gym Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of...
- CVE-2025-1379 – A vulnerability has been found in code-projects Real Estate Property Management System 1.0 and classified as critical. Affected by this vulnerabili...
- CVE-2025-1378 – A vulnerability, which was classified as problematic, was found in radare2 5.9.9 33286. Affected is an unknown function in the library /libr/main/r...
- CVE-2024-47935 – Improper Validation of Integrity Check Value vulnerability in TXOne Networks StellarProtect (Legacy Mode), StellarEnforce, and Safe Lock allows an ...
- CVE-2024-13726 – The Coder WordPress plugin through 1.3.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action ...
- CVE-2024-13627 – The OWL Carousel Slider WordPress plugin through 2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a R...
- CVE-2024-13626 – The VR-Frases (collect & share quotes) WordPress plugin through 3.0.1 does not sanitise and escape a parameter before outputting it back in the pag...
- CVE-2024-13625 – The Tube Video Ads Lite WordPress plugin through 1.5.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a...