CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-22282 – RCE in B&R Automation Studio with crafted project files
https://notcve.org/view.php?id=CVE-2021-22282
Improper Control of Generation of Code ('Code Injection') vulnerability in B&R Industrial Automation Automation Studio allows Local Execution of Code.This issue affects Automation Studio: from 4.0 through 4.12. Un algoritmo de copia incorrecto en el componente de extracción de proyectos en B&R Automation Studio 4 puede permitir que un atacante no autenticado ejecute código. Este problema afecta a Automation Studio: desde 4.X hasta 4.0. • https://www.br-automation.com/fileadmin/2021-12_RCE_Vulnerability_in_BnR_Automation_Studio-1b993aeb.pdf • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3242
https://notcve.org/view.php?id=CVE-2023-3242
Improper initialization implementation in Portmapper used in B&R Industrial Automation Automation Runtime <G4.93 allows unauthenticated network-based attackers to cause permanent denial-of-service conditions. • https://www.br-automation.com/downloads_br_productcatalogue/assets/1689787619746-en-original-1.0.pdf • CWE-665: Improper Initialization CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-1617 – Improper Authentication Mechanism in B&R VC4 Visualization
https://notcve.org/view.php?id=CVE-2023-1617
Improper Authentication vulnerability in B&R Industrial Automation B&R VC4 (VNC-Server modules). This vulnerability may allow an unauthenticated network-based attacker to bypass the authentication mechanism of the VC4 visualization on affected devices. The impact of this vulnerability depends on the functionality provided in the visualization. This issue affects B&R VC4: from 3.* through 3.96.7, from 4.0* through 4.06.7, from 4.1* through 4.16.3, from 4.2* through 4.26.8, from 4.3* through 4.34.6, from 4.4* through 4.45.1, from 4.5* through 4.45.3, from 4.7* through 4.72.9. • https://www.br-automation.com/downloads_br_productcatalogue/assets/1681046878970-en-original-1.0.pdf • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4286 – Reflected Cross-Site Scripting Vulnerabilities in Automation Runtime
https://notcve.org/view.php?id=CVE-2022-4286
A reflected cross-site scripting (XSS) vulnerability exists in System Diagnostics Manager of B&R Automation Runtime versions >=3.00 and <=C4.93 that enables a remote attacker to execute arbitrary JavaScript in the context of the users browser session. B&R Systems Diagnostics Manager versions above or equal to 3.00 and below or equal to C4.93 suffer from a cross site scripting vulnerability. • https://www.br-automation.com/downloads_br_productcatalogue/assets/1675607299099-en-original-1.0.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-43765 – DoS in APROLs Tbase server
https://notcve.org/view.php?id=CVE-2022-43765
B&R APROL versions < R 4.2-07 doesn’t process correctly specially formatted data packages sent to port 55502/tcp, which may allow a network based attacker to cause an application Denial-of-Service. • https://www.br-automation.com/downloads_br_productcatalogue/assets/1674823095245-en-original-1.0.pdf • CWE-252: Unchecked Return Value •