CVSS: 10.0EPSS: 1%CPEs: 2EXPL: 0CVE-2017-14024
https://notcve.org/view.php?id=CVE-2017-14024
A Stack-based Buffer Overflow issue was discovered in Schneider Electric InduSoft Web Studio v8.0 SP2 Patch 1 and prior versions, and InTouch Machine Edition v8.0 SP2 Patch 1 and prior versions. The stack-based buffer overflow vulnerability has been identified, which may allow remote code execution with high privileges. Se descubrió un problema de desbordamiento de búfer basado en pila en Schneider Electric InduSoft Web Studio v8.0 SP2 Patch 1 o anterior y en InTouch Machine Edition v8.0 SP2 Patch 1 o anterior. La vulnerabilidad de desbordamiento de búfer basado en pila ha sido identificada. Podría permitir la ejecución remota de código con altos privilegios. • http://www.securityfocus.com/bid/101779 https://ics-cert.us-cert.gov/advisories/ICSA-17-313-02 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2017-13997
https://notcve.org/view.php?id=CVE-2017-13997
A Missing Authentication for Critical Function issue was discovered in Schneider Electric InduSoft Web Studio v8.0 SP2 or prior, and InTouch Machine Edition v8.0 SP2 or prior. InduSoft Web Studio provides the capability for an HMI client to trigger script execution on the server for the purposes of performing customized calculations or actions. A remote malicious entity could bypass the server authentication and trigger the execution of an arbitrary command. The command is executed under high privileges and could lead to a complete compromise of the server. Se descubrió un problema de ausencia de autenticación para una función crítica en Schneider Electric InduSoft Web Studio v8.0 SP2 o anteriores y en InTouch Machine Edition v8.0 SP2 o anteriores. • http://www.securityfocus.com/bid/100952 https://ics-cert.us-cert.gov/advisories/ICSA-17-264-01 • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2012-4709
https://notcve.org/view.php?id=CVE-2012-4709
Invensys Wonderware InTouch HMI 2012 R2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Invensys Wonderware InTouch HMI 2012 R2 y anteriores permite a atacantes remotos leer archivos de forma arbitraria, enviar peticiones HTTP a servidores de intranet o causar una denegación de servicio (consumo de memoria y CPU) a través de un documento XML que contienen declaraciones de entidad externas en conjunto con una referencia a entidad, relacionado con el problema XML External Entity (XXE) • http://ics-cert.us-cert.gov/advisories/ICSA-13-276-01 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 1.9EPSS: 0%CPEs: 2EXPL: 0CVE-2012-4693
https://notcve.org/view.php?id=CVE-2012-4693
Invensys Wonderware InTouch 2012 R2 and earlier and Siemens ProcessSuite use a weak encryption algorithm for data in Ps_security.ini, which makes it easier for local users to discover passwords by reading this file. nvensys Wonderware InTouch R2 2012 y anteriores y ProcessSuite Siemens utilizan un algoritmo de cifrado débil para los datos en Ps_security.ini, lo que hace que sea más fácil para los usuarios locales descubrir contraseñas mediante la lectura de este archivo. • http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-370812.pdf http://www.us-cert.gov/control_systems/pdf/ICSA-12-348-01.pdf • CWE-310: Cryptographic Issues •