CVE-2020-9049

low-risk

Published 2020-11-19

A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack.

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.1/10 High

ADJACENT_NETWORK / HIGH complexity

Affected Products (2)

C-Cure Web

Victor Web

Affected Vendors

Johnsoncontrols

References (6)

Patch https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01

Vendor Advisory https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Patch https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01

Vendor Advisory https://www.johnsoncontrols.com/cyber-solutions/security-advisories

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 7/34 · Low