42 results (0.003 seconds)

CVSS: 5.3EPSS: 0%CPEs: 20EXPL: 0

Wago web-based management of multiple products has a vulnerability which allows an local authenticated attacker to change the passwords of other non-admin users and thus to escalate non-root privileges. La administración de múltiples productos basada en web de Wago tiene una vulnerabilidad que permite a un atacante autenticado local cambiar las contraseñas de otros usuarios que no sean administradores y así escalar privilegios no root. • https://cert.vde.com/en/advisories/VDE-2023-015 • CWE-269: Improper Privilege Management CWE-863: Incorrect Authorization •

CVSS: 2.7EPSS: 0%CPEs: 14EXPL: 0

On affected Wago products an remote attacker with administrative privileges can access files to which he has already access to through an undocumented local file inclusion. This access is logged in a different log file than expected. En los productos Wago afectados, un atacante remoto con privilegios administrativos puede acceder a archivos a los que ya tiene acceso a través de una inclusión de archivo local no documentada. Este acceso se registra en un archivo de registro diferente al esperado. • https://cert.vde.com/en/advisories/VDE-2023-046 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •

CVSS: 9.8EPSS: 91%CPEs: 14EXPL: 4

In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise. • https://github.com/codeb0ss/CVE-2023-1698-PoC https://github.com/Chocapikk/CVE-2023-1698 https://github.com/thedarknessdied/WAGO-CVE-2023-1698 https://github.com/deIndra/CVE-2023-1698 https://cert.vde.com/en/advisories/VDE-2023-007 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 9.8EPSS: 0%CPEs: 28EXPL: 0

The configuration backend allows an unauthenticated user to write arbitrary data with root privileges to the storage, which could lead to unauthenticated remote code execution and full system compromise. • https://cert.vde.com/en/advisories/VDE-2022-060 • CWE-306: Missing Authentication for Critical Function •

CVSS: 5.3EPSS: 0%CPEs: 28EXPL: 0

A CORS Misconfiguration in the web-based management allows a malicious third party webserver to misuse all basic information pages on the webserver. In combination with CVE-2022-45138 this could lead to disclosure of device information like CPU diagnostics. As there is just a limited amount of information readable the impact only affects a small subset of confidentiality. • https://cert.vde.com/en/advisories/VDE-2022-060 • CWE-346: Origin Validation Error •