CVE-2020-16244
moderate-risk
Published 2020-09-23
GE Digital APM Classic, Versions 4.4 and prior. Salt is not used for hash calculation of passwords, making it possible to decrypt passwords. This design flaw, along with the IDOR vulnerability, puts the entire platform at high risk because an authenticated user can retrieve all user account data and then retrieve the actual passwords.
Do I need to act?
0.24% chance of exploitation (EPSS score: low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 7.2/10 (High), attack vector NETWORK, attack complexity LOW
Affected Products (1)
Asset Performance Management Classic
Affected Vendors
References (2)
Third Party Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-20-266-01
Risk score: 32 / 100 (moderate-risk)
Severity: 26/34 · High
Exploitability: 1/34 · Minimal
Exposure: 5/34 · Minimal