CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 3CVE-2018-16061 – Mitsubishi Electric & INEA SmartRTU - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2018-16061
Mitsubishi Electric SmartRTU devices allow XSS via the username parameter or PATH_INFO to login.php. Los dispositivos Mitsubishi Electric SmartRTU permiten un ataque de tipo XSS por medio del parámetro username o PATH_INFO a el archivo login.php Mitsubishi Electric Europe B.V. SmartRTU devices allow XSS via the username parameter or PATH_INFO to login.php. Mitsubishi Electric and INEA SmartRTU suffer from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/50423 http://packetstormsecurity.com/files/164537/Mitsubishi-Electric-INEA-SmartRTU-Cross-Site-Scripting.html https://drive.google.com/open?id=1DEZQqfpIgcflY2cF6O0y7vtlWYe8Wjjv • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 4%CPEs: 2EXPL: 3CVE-2018-16060 – Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure
https://notcve.org/view.php?id=CVE-2018-16060
Mitsubishi Electric SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI. Los dispositivos Mitsubishi Electric SmartRTU permiten a atacantes remotos conseguir información confidencial (listado de directorios y código fuente) por medio de una petición directa al URI /web Mitsubishi Electric Europe B.V. SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI. Mitsubishi Electric and INEA SmartRTU suffer from a source code disclosure vulnerability. • https://www.exploit-db.com/exploits/50422 http://packetstormsecurity.com/files/164538/Mitsubishi-Electric-INEA-SmartRTU-Source-Code-Disclosure.html https://drive.google.com/open?id=1QMHwTnBbIqrTkR0NEpnTKssYdi8vRsHH • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 1CVE-2019-14925
https://notcve.org/view.php?id=CVE-2019-14925
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A world-readable /usr/smartrtu/init/settings.xml configuration file on the file system allows an attacker to read sensitive configuration settings such as usernames, passwords, and other sensitive RTU data due to insecure permission assignment. Se descubrió un problema en los dispositivos Mitsubishi Electric ME-RTU versiones hasta la versión 2.02 y los dispositivos INEA ME-RTU versiones hasta la versión 3.0. Un archivo de configuración /usr/smartrtu/init/settings.xml de tipo world-readable en el sistema de archivos le permite al atacante leer ajustes de configuración confidencial tales como nombres de usuario, contraseñas y otros datos confidenciales de la RTU debido a una asignación de permisos no seguros. An issue was discovered on Mitsubishi Electric Europe B.V. • https://www.mogozobo.com https://www.mogozobo.com/?p=3593 • CWE-276: Incorrect Default Permissions •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 1CVE-2019-14929
https://notcve.org/view.php?id=CVE-2019-14929
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Stored cleartext passwords could allow an unauthenticated attacker to obtain configured username and password combinations on the RTU due to the weak credentials management on the RTU. An unauthenticated user can obtain the exposed password credentials to gain access to the following services: DDNS service, Mobile Network Provider, and OpenVPN service. Se descubrió un problema en los dispositivos Mitsubishi Electric ME-RTU versiones hasta 2.02 y los dispositivos INEA ME-RTU versiones hasta 3.0. Las contraseñas de texto sin cifrar almacenadas podrían permitir a un atacante no autenticado obtener combinaciones de nombre de usuario y contraseña configuradas en la RTU debido a una gestión de credenciales débiles en la RTU. • https://www.mogozobo.com https://www.mogozobo.com/?p=3593 • CWE-522: Insufficiently Protected Credentials •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 1CVE-2019-14930
https://notcve.org/view.php?id=CVE-2019-14930
An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Undocumented hard-coded user passwords for root, ineaadmin, mitsadmin, and maint could allow an attacker to gain unauthorised access to the RTU. (Also, the accounts ineaadmin and mitsadmin are able to escalate privileges to root without supplying a password due to insecure entries in /etc/sudoers on the RTU.) Se descubrió un problema en los dispositivos Mitsubishi Electric ME-RTU versiones hasta la versión 2.02 y los dispositivos INEA ME-RTU versiones hasta 3.0. Las contraseñas de usuario embebidas no documentadas para root, ineaadmin, mitsadmin y maint podrían permitir a un atacante conseguir acceso no autorizado a la RTU. • https://www.mogozobo.com https://www.mogozobo.com/?p=3593 • CWE-798: Use of Hard-coded Credentials •