February 17, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Advisory – Node.js pug and pug-code-gen code execution
March 4, 2021Rewterz Threat Advisory – ICS: Schneider Electric EcoStruxure Building Operation (EBO)
March 5, 2021Rewterz Threat Advisory – Node.js pug and pug-code-gen code execution
March 4, 2021Rewterz Threat Advisory – ICS: Schneider Electric EcoStruxure Building Operation (EBO)
March 5, 2021
Severity
Medium
Analysis Summary
CVE-2020-14504
The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings.
CVE-2020-14502
The web interface of the 1734-AENTR communication module is vulnerable to stored XSS. A remote, unauthenticated attacker could store a malicious script within the web interface that, when executed, could modify some string values on the homepage of the web interface.
Impact
- Improper Access Control
- Cross-site Scripting
Affected Vendors
Rockwell Automation
Affected Products
- Series B Versions 4.001 to 4.005 and 5.011 to 5.017
- Series C Versions 6.011 and 6.012
Remediation
Rockwell Automation recommends users update to the latest available patches:
1734-AENTR Series B, update to firmware Version 5.018
1734-AENTR Series C, update to firmware Version 6.013