CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1140 – CVE-2023-1140
https://notcve.org/view.php?id=CVE-2023-1140
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability that could allow an attacker to achieve unauthenticated remote code execution in the context of an administrator. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics InfraSuite Device Master. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of Apache ActiveMQ. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of an administrator. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1141 – CVE-2023-1141
https://notcve.org/view.php?id=CVE-2023-1141
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a command injection vulnerability that could allow an attacker to inject arbitrary commands, which could result in remote code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics InfraSuite Device Master. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ExeCommandInCommandLineMode function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of an administrator. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1136 – CVE-2023-1136
https://notcve.org/view.php?id=CVE-2023-1136
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an unauthenticated attacker could generate a valid token, which would lead to authentication bypass. This vulnerability allows remote attackers to bypass authentication on affected installations of Delta Electronics InfraSuite Device Master. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CheckgRPCAuthentication function. When parsing serialized objects, the server does not properly validate user-supplied data. An attacker can leverage this vulnerability to bypass authentication on the system. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 • CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1142 – CVE-2023-1142
https://notcve.org/view.php?id=CVE-2023-1142
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Delta Electronics InfraSuite Device Master. Authentication is not required to exploit this vulnerability. The specific flaw exists within the WebServerCallBack function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1134 – CVE-2023-1134
https://notcve.org/view.php?id=CVE-2023-1134
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a path traversal vulnerability, which could allow an attacker to read local files, disclose plaintext credentials, and escalate privileges. This vulnerability allows remote attackers to delete arbitrary files on affected installations of Delta Electronics InfraSuite Device Master. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the CtrlLayerNWCmd_ReportFileOperation function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of an administrator. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •