CVE-2022-36970 Vulnerability Details

  /     /     /  

CVE-2022-36970 Metadata Quick Info

CVE Published: 29/03/2023 | CVE Updated: 03/08/2024 | CVE Year: 2022
Source: zdi | Vendor: AVEVA | Product: Edge
Status : PUBLISHED

---

CVE-2022-36970 Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of AVEVA Edge 20.0 Build: 4201.2111.1802.0000 Service Pack 2. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of APP files. Crafted data in a APP file can cause the application to execute arbitrary Visual Basic scripts. The user interface fails to provide sufficient indication of the hazard. An attacker can leverage this vulnerability to execute code in the context of current process. Was ZDI-CAN-17370.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-356
CWE Name: CWE-356: Product UI does not Warn User of Unsafe Actions
Source: AVEVA

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).