CVE-2020-12499

IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY CWE-22
The build settings of a PLCnext Engineer project (.pcwex) can be manipulated in a way that can result in the execution of remote code. The attacker needs access to a PLCnext Engineer project in order to manipulate the files inside it. Additionally, the files containing the remote code must be transferred to a location that the PC running PLCnext Engineer can access. When PLCnext Engineer runs a build process on the manipulated project, the remote code can be executed.

Risk Information

  • CVE ID: CVE-2020-12499
  • Vendor: Phoenix Contact
  • Product: PLCnext
  • CVSS v3: 8.2