CVE-2020-15809

spxmanage on certain SpinetiX devices allows requests that access unintended resources because of SSRF and Path Traversal. This affects HMP350, HMP300, and DiVA through 4.5.2-1.0.36229; HMP400 and HMP400W through 4.5.2-1.0.2-1eb2ffbd; and DSOS through 4.5.2-1.0.2-1eb2ffbd.
References
Link Resource
https://support.spinetix.com/wiki/SpinetiX-SA-20:01 Release Notes Vendor Advisory
https://support.spinetix.com/wiki/DSOS_release_notes Release Notes Vendor Advisory
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:o:spinetix:dsos:*:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:spinetix:hmp350_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:spinetix:hmp350:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:spinetix:hmp300_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:spinetix:hmp300:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:spinetix:diva_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:spinetix:diva:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:spinetix:hmp400_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:spinetix:hmp400:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:spinetix:hmp400w_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:spinetix:hmp400w:-:*:*:*:*:*:*:*

Information

Published : 2021-03-24 10:15

Updated : 2021-03-26 14:17


NVD link : CVE-2020-15809

Mitre link : CVE-2020-15809


JSON object : View

CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-918

Server-Side Request Forgery (SSRF)

Advertisement

dedicated server usa

Products Affected

spinetix

  • hmp300_firmware
  • hmp400_firmware
  • diva
  • hmp400
  • hmp400w
  • hmp350
  • hmp300
  • diva_firmware
  • dsos
  • hmp400w_firmware
  • hmp350_firmware