
CVSS: 9.8 • EPSS: 0% • CPEs: 44 • EXPL: 0

The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass. By manipulating the IP address field in the "iBootPduSiteAuth" cookie, a malicious agent can direct the device to connect to a rogue database. Successful exploitation allows the malicious agent to take actions with administrator privileges including, but not limited to, manipulating power levels, modifying user accounts, and exporting confidential user information. • https://www.trellix.com/en-us/about/newsroom/stories/research/the-threat-lurking-in-data-centers.html • CWE-502: Deserialization of Untrusted Data

CVSS: 9.8 • EPSS: 0% • CPEs: 44 • EXPL: 0

The affected product is vulnerable to a stack-based buffer overflow, which could lead to a denial of service or remote code execution. • https://dataprobe.com/support/iboot-pdu/local_upgrade_pdu_procedure.pdf • https://www.cisa.gov/news-events/ics-advisories/icsa-22-263-03

CVSS: 9.8 • EPSS: 0% • CPEs: 44 • EXPL: 0

The affected product exposes multiple sensitive data fields. An attacker can use the SNMP command to get the device MAC address and log in as admin. • https://dataprobe.com/support/iboot-pdu/local_upgrade_pdu_procedure.pdf • https://www.cisa.gov/news-events/ics-advisories/icsa-22-263-03

CVSS: 8.1 • EPSS: 0% • CPEs: 44 • EXPL: 0

The iBoot device’s basic discovery protocol assists in initial device configuration. The discovery protocol shows basic information about devices on the network and allows users to perform configuration changes. • https://dataprobe.com/support/iboot-pdu/local_upgrade_pdu_procedure.pdf • https://www.cisa.gov/news-events/ics-advisories/icsa-22-263-03

CVSS: 8.8 • EPSS: 0% • CPEs: 44 • EXPL: 0

A proprietary protocol for iBoot devices is used for control and keepalive commands. The function compares the username and password; it also contains the configuration data for the specified user. If the user does not exist, then it sends a value for username and password, which allows successful authentication for a connection. • https://dataprobe.com/support/iboot-pdu/local_upgrade_pdu_procedure.pdf • https://www.cisa.gov/news-events/ics-advisories/icsa-22-263-03