Andover Continuum 9680 Firmware
CVE-2020-7480
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be viewable when an attacker interferes with an application's processing of XML data.
AnalysisAI
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be viewable when an attacker interferes with an application's processing of XML data. Affected products include: Schneider-Electric Andover Continuum 9680 Firmware, Schneider-Electric Andover Continuum 5740 Firmware, Schneider-Electric Andover Continuum 5720 Firmware, Schneider-Electric Andover Continuum Bcx4040 Firmware, Schneider-Electric Andover Continuum Bcx9640 Firmware.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.
A CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists Andov
A CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists Andov
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720,
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today