Systech Corporation released new firmware that eliminates a cross-site scripting vulnerability in its NDS-5000 Terminal Server, according to a report from CISA.
Successful exploitation of this remotely exploitable vulnerability, discovered by Murat Aydemir, Critical Infrastructure Penetration Test Specialist at Biznet Bilisim A.S., could allow information disclosure, limit system availability, and may allow remote code execution.
The issue affects a network server, the NDS-5000 Terminal Server, NDS/5008 (8 Port, RJ45), firmware Version 02D.30. The affected product is susceptible to a stored cross-site scripting error, which may allow an attacker to perform privileged operations on behalf of the user, gain access to sensitive data belonging to the user, and remotely execute arbitrary code.
CVE-2020-7006 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.8.
The product is used mainly in the healthcare and public health sectors and is deployed on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerability.
Systech released firmware Version 02F.6 that eliminates this vulnerability (https://ww2.systech.com/downloads). For further information on installing this update, contact Systech Technical Support.