CVE-2020-6776: CSRF in Bosch PRAESIDEO and Bosch PRAESENSA Management Interface
First published: Thu Jan 14 2021(Updated: )
A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (Cross-Site Request Forgery). This requires the victim to be tricked into clicking a malicious link or submitting a malicious form. A successful exploit allows the attacker to perform arbitrary actions with the privileges of the victim, e.g. creating and modifying user accounts, changing system configuration settings and cause DoS conditions. Note: For Bosch PRAESIDEO 4.31 and newer and Bosch PRAESENSA in all versions, the confidentiality impact is considered low because user credentials are not shown in the web interface.
Credit: psirt@bosch.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bosch Praesideo Firmware | <=4.41 | |
| Bosch PRAESIDEO | ||
| Bosch Praesensa Firmware | <=1.10 | |
| Bosch PRAESENSA |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2020-6776?
CVE-2020-6776 is a vulnerability in the web-based management interface of Bosch PRAESIDEO and Bosch PRAESENSA, which allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user through Cross-Site Request Forgery.
What is the severity of CVE-2020-6776?
CVE-2020-6776 has a severity value of 8.8, which is categorized as high.
What software versions are affected by CVE-2020-6776?
CVE-2020-6776 affects Bosch PRAESIDEO firmware versions up to and including 4.41, and Bosch PRAESENSA firmware versions up to and including 1.10.
How can an attacker exploit CVE-2020-6776?
An unauthenticated remote attacker can exploit CVE-2020-6776 through Cross-Site Request Forgery, allowing them to perform actions on an affected system on behalf of another user.
Is Bosch PRAESIDEO and Bosch PRAESENSA vulnerable to CVE-2020-6776?
Bosch PRAESIDEO and Bosch PRAESENSA are not vulnerable to CVE-2020-6776, but their firmware versions up to and including 4.41 and 1.10 respectively are affected.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/author
- agent/last-modified-date
- agent/title
- agent/weakness
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- vendor/bosch
- canonical/bosch praesideo firmware
- version/bosch praesideo firmware/4.41
- canonical/bosch praesideo
- canonical/bosch praesensa firmware
- version/bosch praesensa firmware/1.10
- canonical/bosch praesensa