CVE-2020-35568 : Security Advisory and Response

An issue was discovered in MB connect line mymbCONNECT24, mbCONNECT24, and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2. An incomplete filter applied to a database response allows an authenticated attacker to gain non-public information about other users and devices in the account.

Understanding CVE-2020-35568

This CVE describes a vulnerability in products of MB connect line and Helmholz that could lead to sensitive information exposure.

What is CVE-2020-35568?

The vulnerability allows an authenticated attacker to access non-public information about other users and devices within the affected account due to an incomplete filter in the database response.

The Impact of CVE-2020-35568

The impact is rated as MEDIUM with a CVSS base score of 4.3. The confidentiality impact is low, and no integrity impact or availability impact is reported.

Technical Details of CVE-2020-35568

This section provides more technical insights into the vulnerability.

Vulnerability Description

The vulnerability arises from an incomplete filter in the database response, enabling unauthorized access to non-public information.

Affected Systems and Versions

Products: MB connect line mymbCONNECT24, mbCONNECT24, Helmholz myREX24, myREX24.virtual
Versions affected: Up to v2.11.2

Exploitation Mechanism

Attack Complexity: Low
Attack Vector: Network
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Mitigation and Prevention

It is crucial to take immediate steps to address and prevent the exploitation of this vulnerability.

Immediate Steps to Take

Update the affected systems to version 2.12.1

Long-Term Security Practices

Regularly monitor for security advisories and updates from the vendor
Implement strong authentication mechanisms and access controls
Conduct regular security assessments and audits

Patching and Updates

Ensure all systems are promptly patched with the latest updates provided by the vendor