CVSS: 8.1EPSS: 0%CPEs: 32EXPL: 0CVE-2022-25155
https://notcve.org/view.php?id=CVE-2022-25155
Use of Password Hash Instead of Password for Authentication vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GN11-T2 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GN11-EIP all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC Q series QJ72BR15 all versions, Mitsubishi Electric MELSEC Q series QJ72LP25(-25/G/GE) all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote unauthenticated attacker to login to the product by replaying an eavesdropped password hash. Vulnerabilidad en el uso del hash de la contraseña en lugar de la contraseña para la autenticación en Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU todas las versiones, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R04/08/16/32/120(ES)CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120SFCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120PCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120PSFCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71GN11-T2 todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71GN11-EIP todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71C24(-R2/R4) todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71EN71 todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ72GF15-T2 todas las versiones, Mitsubishi Electric MELSEC Q serie Q03UDECPU todas las versiones, Mitsubishi Electric MELSEC Q serie Q04/06/10/13/20/26/50/100UDEHCPU todas las versiones, Mitsubishi Electric MELSEC Q serie Q03/04/06/13/26UDVCPU todas las versiones, Mitsubishi Electric MELSEC Q serie Q04/06/13/26UDPVCPU todas las versiones, Mitsubishi Electric MELSEC Q serie QJ71C24N(-R2/R4) todas las versiones, Mitsubishi Electric MELSEC Q serie QJ71E71-100 todas las versiones, Mitsubishi Electric MELSEC Q serie QJ72BR15 todas las versiones, Mitsubishi Electric MELSEC Q serie QJ72LP25(-25/G/GE) todas las versiones, Mitsubishi Electric MELSEC serie L L02/06/26CPU(-P) todas las versiones, Mitsubishi Electric MELSEC serie L L26CPU-(P)BT todas las versiones, Mitsubishi Electric MELSEC serie L LJ71C24(-R2) todas las versiones, Mitsubishi Electric MELSEC serie L LJ71E71-100 todas las versiones y Mitsubishi Electric MELSEC serie L LJ72GF15-T2 todas las versiones permiten que un atacante remoto no autenticado inicie sesión en el producto reproduciendo un hash de contraseña interceptado • https://jvn.jp/vu/JVNVU96577897/index.html https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-04 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf • CWE-287: Improper Authentication •
CVSS: 8.1EPSS: 0%CPEs: 32EXPL: 0CVE-2022-25156
https://notcve.org/view.php?id=CVE-2022-25156
Use of Weak Hash vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC Q series QJ72BR15 all versions, Mitsubishi Electric MELSEC Q series QJ72LP25(-25/G/GE) all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote unauthenticated attacker to login to the product by using a password reversed from a previously eavesdropped password hash. Uso de la vulnerabilidad Weak Hash en Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU todas las versiones, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R04/08/16/32/120(ES)CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120SFCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120PCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120PSFCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71C24(-R2/R4) todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71EN71 todas las versiones, Mitsubishi Electric MELSEC serie iQ-R RJ72GF15-T2 todas las versiones, Mitsubishi Electric MELSEC serie Q Q03UDECPU todas las versiones, Mitsubishi Electric MELSEC serie Q04/06/10/13/20/26/50/100UDEHCPU todas las versiones, Mitsubishi Electric MELSEC Q serie Q03/04/06/13/26UDVCPU todas las versiones, Mitsubishi Electric MELSEC Q serie Q04/06/13/26UDPVCPU todas las versiones, Mitsubishi Electric MELSEC Q serie QJ71C24N(-R2/R4) todas las versiones, Mitsubishi Electric MELSEC Q series QJ71E71-100 todas las versiones, Mitsubishi Electric MELSEC Q series QJ72BR15 todas las versiones, Mitsubishi Electric MELSEC Q series QJ72LP25(-25/G/GE) todas las versiones, Mitsubishi Electric MELSEC serie L L02/06/26CPU(-P) todas las versiones, Mitsubishi Electric MELSEC serie L L26CPU-(P)BT todas las versiones, Mitsubishi Electric MELSEC serie L LJ71C24(-R2) todas las versiones, Mitsubishi Electric MELSEC serie L LJ71E71-100 todas las versiones y Mitsubishi Electric MELSEC serie L LJ72GF15-T2 todas las versiones permite a un atacante remoto no autenticado iniciar sesión en el producto utilizando una contraseña invertida a partir de un hash de contraseña previamente interceptado • https://jvn.jp/vu/JVNVU96577897/index.html https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-04 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf • CWE-326: Inadequate Encryption Strength •
CVSS: 9.8EPSS: 1%CPEs: 27EXPL: 0CVE-2020-14523 – Mitsubishi Electric Factory Automation Products Path Traversal
https://notcve.org/view.php?id=CVE-2020-14523
Multiple Mitsubishi Electric Factory Automation products have a vulnerability that allows an attacker to execute arbitrary code. diversos productos de Mitsubishi Electric Factory Automation presentan una vulnerabilidad que permite a un atacante ejecutar código arbitrario • https://jvn.jp/vu/JVNVU90224831 https://www.cisa.gov/uscert/ics/advisories/icsa-20-212-03 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-008_en.pdf • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 60EXPL: 0CVE-2020-14521 – Mitsubishi Electric Factory Automation Engineering Products Unquoted Search Path or Element
https://notcve.org/view.php?id=CVE-2020-14521
Multiple Mitsubishi Electric Factory Automation engineering software products have a malicious code execution vulnerability. A malicious attacker could use this vulnerability to obtain information, modify information, and cause a denial-of-service condition. diversos productos de software de ingeniería de Mitsubishi Electric Factory Automation presentan una vulnerabilidad de ejecución de código malicioso. Un atacante malicioso podría usar esta vulnerabilidad para obtener información, modificar información y causar una condición de denegación de servicio • https://www.cisa.gov/uscert/ics/advisories/icsa-20-212-04 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-007_en.pdf • CWE-276: Incorrect Default Permissions CWE-428: Unquoted Search Path or Element •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-23128
https://notcve.org/view.php?id=CVE-2022-23128
Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI versions 10.95.3 to 10.97 allows a remote unauthenticated attacker to bypass the authentication of MC Works64, GENESIS64, Hyper Historian, AnalytiX and MobileHMI, and gain unauthorized access to the products, by sending specially crafted WebSocket packets to FrameWorX server, one of the functions of the products. Una vulnerabilidad "Incomplete List of Disallowed Inputs" en Mitsubishi Electric MC Works64 versiones 4.00A (10.95.201.23) a 4.04E (10.95.210.01), ICONICS GENESIS64 versiones 10.95.3 a 10.97, ICONICS Hyper Historian versiones 10.95.3 a 10.97, ICONICS AnalytiX versiones 10.95.3 a 10.97 e ICONICS MobileHMI versiones 10. 95.3 a 10.97 permite a un atacante remoto no autenticado omitir la autenticación de MC Works64, GENESIS64, Hyper Historian, AnalytiX y MobileHMI, y conseguir acceso no autorizado a los productos, mediante el envío de paquetes WebSocket especialmente diseñados al servidor FrameWorX, una de las funciones de los productos • https://jvn.jp/vu/JVNVU95403720/index.html https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf •