Advisory Details

July 7th, 2020

C-MORE HMI EA9 EA-HTTP Improper Input Validation Denial-of-Service Vulnerability

ZDI-20-809
ZDI-CAN-10527

CVE ID CVE-2020-10922
CVSS SCORE 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AFFECTED VENDORS C-MORE
AFFECTED PRODUCTS HMI EA9
VULNERABILITY DETAILS

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of C-More HMI EA9 touch screen panels. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the EA-HTTP.exe process. The issue results from the lack of proper input validation prior to further processing user requests. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.

ADDITIONAL DETAILS

Fixed in version 6.60


DISCLOSURE TIMELINE
  • 2020-06-25 - Vulnerability reported to vendor
  • 2020-07-07 - Coordinated public release of advisory
  • 2020-07-08 - Advisory Updated
CREDIT evanslify
BACK TO ADVISORIES