How severe is CVE-2020-28209?

This vulnerability has a severity rating of HIGH with a CVSS score of 7 out of 10.

What type of vulnerability is CVE-2020-28209?

This is classified as CWE-428, which is a common weakness in software security.

CVE-2020-28209 - HIGH Severity | CVSS 7

Vulnerability Description

A CWE-428 Windows Unquoted Search Path vulnerability exists in EcoStruxure Building Operation Enterprise Server installer V1.9 - V3.1 and Enterprise Central installer V2.0 - V3.1 that could cause any local Windows user who has write permission on at least one of the subfolders of the Connect Agent service binary path, being able to gain the privilege of the user who started the service. By default, the Enterprise Server and Enterprise Central is always installed at a location requiring Administrator privileges so the vulnerability is only valid if the application has been installed on a non-secure location.

Related Vulnerabilities

CVE-2017-9644

HIGH

CVSS:7.0(High)

An Unquoted Search Path or Element issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6...

CWE-4282017

CVE-2019-16647

HIGH

CVSS:7.2(High)

Unquoted Search Path in Maxthon 5.1.0 to 5.2.7 Browser for Windows.

CWE-4282019

CVE-2022-27905

HIGH

CVSS:7.2(High)

In ControlUp Real-Time Agent before 8.6, an unquoted path can result in privilege escalation. An attacker would require write permissions to the root level of the OS drive (C:\) to exploit this.

CWE-4282022

CVE-2023-39464

HIGH

CVSS:7.2(High)

Triangle MicroWorks SCADA Data Gateway GTWWebMonitorService Unquoted Search Path Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute code on affected installatio...

CWE-4282023

CVE-2017-14019

MEDIUM

CVSS:6.7(Medium)

An Unquoted Search Path or Element issue was discovered in Progea Movicon Version 11.5.1181 and prior. An unquoted search path or element vulnerability has been identified, which may allow an authoriz...

CWE-4282017

CVE-2017-5873

MEDIUM

CVSS:6.7(Medium)

Unquoted Windows search path vulnerability in the guest service in Unisys s-Par before 4.4.20 allows local users to gain privileges via a Trojan horse executable file in the %SYSTEMDRIVE% directory, a...

CWE-4282017