CVE-2020-11542

3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring.

Published: Apr 5, 2020
Updated: Apr 13, 2023
CVE: CVE-2020-11542
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-319
CWE-287

OWASP TOP 10:

A3 - Sensitive Data Exposure
A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
3xlogic / infinias_eidc32_firmware	2.213	2.213.x
3xlogic / infinias_eidc32_web	1.107	1.107.x

https://www.criticalstart.com/authentication-bypass-vulnerability-discovered-in-infinias-eidc32-webserver/

Vulnerability Database

291,049

CVE-2020-11542