Rockwell Automation Pavilion8

1. EXECUTIVE SUMMARY

  • CVSS v4 8.8
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: Pavilion8
  • Vulnerabilities: Improper Privilege Management, Path Traversal

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to view sensitive information or upload arbitrary files that could result in remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation Pavilion8, a model predictive control software, are affected:

  • Pavilion8: All versions prior to V5.20

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269

The affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists because the product's privilege matrix is incorrect, granting users access to functions they should not be able to reach.

CVE-2024-7960 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-7960. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N).
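The CWE-269 weakness above is an authorization-mapping defect: the role-to-function matrix grants low-privilege roles functions meant for administrators. The following is an added illustration written for this advisory, not Pavilion8 code; the role names, function names and both matrices are constructed placeholders. It shows a deny-by-default check at the dispatch point and an audit routine that diffs a deployed matrix against the intended policy, which is the check an asset owner would want when reviewing a privilege configuration.

```python
"""Role-to-function privilege matrix with deny-by-default enforcement.

Added illustration (hypothetical names, not vendor code). The function
names mirror the advisory's wording: viewing sensitive information and
changing settings.
"""
from typing import Dict, FrozenSet, List, Tuple

VIEW_STATUS = "view_status"               # low-risk, every role may use it
VIEW_SENSITIVE = "view_sensitive_info"    # administrator-only
CHANGE_SETTINGS = "change_settings"       # administrator-only

PrivilegeMatrix = Dict[str, FrozenSet[str]]

# Intended policy: only administrators may see sensitive data or change settings.
INTENDED: PrivilegeMatrix = {
    "administrator": frozenset({VIEW_STATUS, VIEW_SENSITIVE, CHANGE_SETTINGS}),
    "operator": frozenset({VIEW_STATUS}),
    "viewer": frozenset({VIEW_STATUS}),
}

# A mis-built matrix of the kind CWE-269 describes (constructed example):
# the operator row duplicates the administrator row, so a low-privilege
# account reaches administrator-only functions.
OVER_PRIVILEGED: PrivilegeMatrix = {
    "administrator": frozenset({VIEW_STATUS, VIEW_SENSITIVE, CHANGE_SETTINGS}),
    "operator": frozenset({VIEW_STATUS, VIEW_SENSITIVE, CHANGE_SETTINGS}),
    "viewer": frozenset({VIEW_STATUS}),
}


def is_authorized(matrix: PrivilegeMatrix, role: str, function: str) -> bool:
    """Deny by default: an unknown role or an unlisted function is refused."""
    return function in matrix.get(role, frozenset())


def dispatch(matrix: PrivilegeMatrix, role: str, function: str) -> str:
    """Enforce the matrix at the server-side entry point, not only in the UI.

    Raises PermissionError so the caller cannot accidentally fall through
    to the privileged operation.
    """
    if not is_authorized(matrix, role, function):
        raise PermissionError(f"role {role!r} may not call {function!r}")
    return f"executed {function}"


def find_excess_grants(actual: PrivilegeMatrix,
                       intended: PrivilegeMatrix) -> List[Tuple[str, str]]:
    """Audit a deployed matrix against the intended policy.

    Returns every (role, function) pair the deployed matrix grants beyond
    what the policy allows. Roles missing from the policy are reported in
    full, since nothing is intended for them.
    """
    excess: List[Tuple[str, str]] = []
    for role, functions in actual.items():
        allowed = intended.get(role, frozenset())
        for function in sorted(functions - allowed):
            excess.append((role, function))
    return sorted(excess)


if __name__ == "__main__":
    # Audit finds the two administrator functions leaked to the operator role.
    for role, function in find_excess_grants(OVER_PRIVILEGED, INTENDED):
        print(f"excess grant: {role} -> {function}")
    # The corrected matrix refuses the same request at dispatch time.
    try:
        dispatch(INTENDED, "operator", CHANGE_SETTINGS)
    except PermissionError as err:
        print(f"denied: {err}")
```

Running `find_excess_grants` against a freshly deployed configuration, and again after every upgrade, turns the advisory's "incorrect privilege matrix" from something discovered by a threat actor into something caught by a configuration review.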

3.2.2