CVE-2020-24675

In S+ Operations and S+ History, it is possible that an unauthenticated user could inject values to the Operations History server (or standalone S+ History server) and ultimately write values to the controlled process.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Symphony_+_historian	Abb	3.0 (including)	3.0 (including)
Symphony_+_historian	Abb	3.1 (including)	3.1 (including)
Symphony_+_operations	Abb	1.1 (including)	1.1 (including)
Symphony_+_operations	Abb	2.0 (including)	2.0 (including)
Symphony_+_operations	Abb	2.1-sp1 (including)	2.1-sp1 (including)
Symphony_+_operations	Abb	2.1-sp2 (including)	2.1-sp2 (including)
Symphony_+_operations	Abb	3.0 (including)	3.0 (including)
Symphony_+_operations	Abb	3.1 (including)	3.1 (including)
Symphony_+_operations	Abb	3.2 (including)	3.2 (including)
Symphony_+_operations	Abb	3.3 (including)	3.3 (including)

Potential Mitigations

References

https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch
https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch
https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch
https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch

NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-24675
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References