CVE-2024-31416
https://notcve.org/view.php?id=CVE-2024-31416
The Eaton Foreseer software provides multiple customizable input fields for users to configure parameters in the tool, such as alarms and reports. Some of these input fields did not check the length and bounds of the entered value. Exploitation of this flaw by a bad actor may result in excessive memory consumption or integer overflow. • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2024-1008.pdf • CWE-1284: Improper Validation of Specified Quantity in Input
CVE-2024-31415
https://notcve.org/view.php?id=CVE-2024-31415
The Eaton Foreseer software lets the user configure external servers for multiple purposes, such as network management and user management. The software uses encryption to store these configurations securely on the host machine. However, the keys used for this encryption were stored insecurely, which could be abused to change or remove the server configuration. • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2024-1008.pdf • CWE-522: Insufficiently Protected Credentials
CVE-2024-31414
https://notcve.org/view.php?id=CVE-2024-31414
The Eaton Foreseer software provides users the capability to customize the dashboard in WebView pages. However, the input fields for this feature lacked proper server-side input sanitization, which could lead to injection and execution of malicious scripts when abused by bad actors. • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2024-1008.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-43777 – Insecure storage of password in easySoft
https://notcve.org/view.php?id=CVE-2023-43777
Eaton easySoft software is used to program easy controllers and displays for configuring, programming and defining parameters for all the intelligent relays. This software has a password protection function to secure the project file from unauthorized access. This password was stored insecurely and could be retrieved by skilled adversaries. • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2023-1011.pdf • CWE-256: Plaintext Storage of a Password; CWE-522: Insufficiently Protected Credentials
CVE-2023-43776 – Weak encoding vulnerability in easyE4
https://notcve.org/view.php?id=CVE-2023-43776
Eaton easyE4 PLC offers a device password protection function to facilitate a secure connection and prevent unauthorized access. It was observed that the device password was stored with a weak encoding algorithm in the easyE4 program file when exported to SD card (*.PRG file extension). • https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2023-1010.pdf • CWE-261: Weak Encoding for Password; CWE-326: Inadequate Encryption Strength