CVE-2024-9414 – Cross-site Scripting vulnerability in LCDS LAquis SCADA
https://notcve.org/view.php?id=CVE-2024-9414
In LAquis SCADA version 4.7.1.511, a cross-site scripting vulnerability could allow an attacker to inject arbitrary code into a web page. This could allow an attacker to steal cookies, redirect users, or perform unauthorized actions. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-291-02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5040 – LCDS LAquis SCADA Path Traversal
https://notcve.org/view.php?id=CVE-2024-5040
There are multiple ways in LCDS LAquis SCADA for an attacker to access locations outside of their own directory. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LAquis SCADA. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the AddComboFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-142-01 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-32989 – LCDS LAquis SCADA - Cross-site Scripting
https://notcve.org/view.php?id=CVE-2021-32989
When a non-existent resource is requested, the LCDS LAquis SCADA application (version 4.3.1.1011 and prior) returns error messages which may allow reflected cross-site scripting. • https://www.cisa.gov/uscert/ics/advisories/icsa-21-208-04 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-10618 – LAquis SCADA LGX File Insufficient UI Warning Arbitrary File Creation Vulnerability
https://notcve.org/view.php?id=CVE-2020-10618
LCDS LAquis SCADA Versions 4.3.1 and prior. The affected product is vulnerable to sensitive information exposure by unauthorized users. This vulnerability allows remote attackers to create arbitrary files on affected installations of LAquis SCADA. • https://www.us-cert.gov/ics/advisories/icsa-20-119-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2020-10622 – LAquis SCADA LGX File Insufficient UI Warning Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-10622
LCDS LAquis SCADA Versions 4.3.1 and prior. The affected product is vulnerable to arbitrary file creation by unauthorized users. This vulnerability allows remote attackers to disclose sensitive information on affected installations of LAquis SCADA. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the TextFile.Read method when processing LGX files. • https://www.us-cert.gov/ics/advisories/icsa-20-119-01 • CWE-20: Improper Input Validation