Main Vulnerability Database SB2020021211

SB2020021211 - Information disclosure in Siemens OZW Web Server

Published: February 12, 2020

Security Bulletin ID SB2020021211

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2019-13941)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the OZW web server uses predictable path names for project files that legitimately authenticated users have created by using the application’s export function. A remote attacker can access a specific uniform resource locator on the web server and download a project file without prior authentication.

Remediation

Install update from vendor's website.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-986695.pdf