AFFECTED PRODUCTS AND SOLUTION
Affected Product |
CVE |
Affected Software Version |
Corrected in Software Version |
DataEdgePlatform DataMosaix™ Private Cloud |
CVE-2025-0659 |
<=7.11 |
7.11.01 |
DataEdgePlatform DataMosaix™ Private Cloud |
CVE-2020-11656 |
<=7.09 |
7.11.01 |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-0659 IMPACT
A path traversal vulnerability exists in the affected product. By specifying the character sequence in the body of the vulnerable endpoint, it is possible to overwrite files outside of the intended directory. A threat actor with admin privileges could leverage this vulnerability to overwrite reports including user projects.
CVSS 3.1 Base Score: 5.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
CWE: 200 - Exposure of Sensitive Information to an unauthorized Actor
Known Exploited Vulnerability (KEV) database: No
CVE-2020-11656 IMPACT
The affected product utilizes SQLite, which contains a use after free vulnerability in the ALTER TABLE implementation, which was demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.
CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: 1395 - Dependency on Vulnerable third-party Component
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.