CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2023-1514
https://notcve.org/view.php?id=CVE-2023-1514
19 Dec 2023 — A vulnerability exists in the component RTU500 Scripting interface. When a client connects to a server using TLS, the server presents a certificate. This certificate links a public key to the identity of the service and is signed by a Certification Authority (CA), allowing the client to validate that the remote service can be trusted and is not malicious. If the client does not validate the parameters of the certificate, then attackers could be able to spoof the identity of the service. An attacker could ex... • https://github.com/wsx-rootdeef/CVE-2023-1514-SQL-Injection-Teampass- • CWE-295: Improper Certificate Validation •
CVSS: 6.4EPSS: 0%CPEs: 32EXPL: 0CVE-2023-5769
https://notcve.org/view.php?id=CVE-2023-5769
14 Dec 2023 — A vulnerability exists in the webserver that affects the RTU500 series product versions listed below. A malicious actor could perform cross-site scripting on the webserver due to user input being improperly sanitized. Existe una vulnerabilidad en el servidor web que afecta a las versiones de productos de RTU500 series que se enumeran a continuación. Un actor malintencionado podría realizar Cross-Site Scripting en el servidor web debido a que la entrada del usuario se sanitizo incorrectamente. • https://publisher.hitachienergy.com/preview?DocumentId=8DBD000176&languageCode=en&Preview=true • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 32EXPL: 0CVE-2023-5768
https://notcve.org/view.php?id=CVE-2023-5768
04 Dec 2023 — A vulnerability exists in the HCI IEC 60870-5-104 that affects the RTU500 series product versions listed below. Incomplete or wrong received APDU frame layout may cause blocking on link layer. Error reason was an endless blocking when reading incoming frames on link layer with wrong length information of APDU or delayed reception of data octets. Only communication link of affected HCI IEC 60870-5-104 is blocked. If attack sequence stops the communication to the previously attacked link gets normal again. • https://publisher.hitachienergy.com/preview?DocumentId=8DBD000176&languageCode=en&Preview=true • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 32EXPL: 0CVE-2023-5767
https://notcve.org/view.php?id=CVE-2023-5767
04 Dec 2023 — A vulnerability exists in the webserver that affects the RTU500 series product versions listed below. A malicious actor could perform cross-site scripting on the webserver due to an RDT language file being improperly sanitized. Existe una vulnerabilidad en el servidor web que afecta a las versiones de productos RTU500 series que se enumeran a continuación. Un actor malintencionado podría realizar cross-site scripting en el servidor web debido a que un archivo de idioma RDT no se ha sanitizado incorrectament... • https://publisher.hitachienergy.com/preview?DocumentId=8DBD000176&languageCode=en&Preview=true • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 14EXPL: 0CVE-2023-4518
https://notcve.org/view.php?id=CVE-2023-4518
01 Dec 2023 — A vulnerability exists in the input validation of the GOOSE messages where out of range values received and processed by the IED caused a reboot of the device. In order for an attacker to exploit the vulnerability, goose receiving blocks need to be configured. Existe una vulnerabilidad en la validación de entrada de los mensajes GOOSE donde los valores fuera de rango recibidos y procesados por el IED provocaron un reinicio del dispositivo. Para que un atacante aproveche la vulnerabilidad, es necesario confi... • https://publisher.hitachienergy.com/preview?DocumentId=8DBD000170&languageCode=en&Preview=true • CWE-20: Improper Input Validation CWE-1284: Improper Validation of Specified Quantity in Input •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5516
https://notcve.org/view.php?id=CVE-2023-5516
01 Nov 2023 — Poorly constructed webap requests and URI components with special characters trigger unhandled errors and exceptions, disclosing information about the underlying technology and other sensitive information details. The website unintentionally reveals sensitive information including technical details like version Info, endpoints, backend server, Internal IP. etc., which can potentially expose additional attack surface containing other interesting vulnerabilities. Las solicitudes de aplicaciones web mal constr... • https://publisher.hitachienergy.com/preview?DocumentId=8DBD000175&languageCode=en&Preview=true • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5515
https://notcve.org/view.php?id=CVE-2023-5515
01 Nov 2023 — The responses for web queries with certain parameters disclose internal path of resources. This information can be used to learn internal structure of the application and to further plot attacks against web servers and deployed web applications. Las respuestas a consultas web con ciertos parámetros revelan la ruta interna de los recursos. Esta información se puede utilizar para conocer la estructura interna de la aplicación y para planear más ataques contra servidores web y aplicaciones web implementadas. T... • https://publisher.hitachienergy.com/preview?DocumentId=8DBD000175&languageCode=en&Preview=true • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5514
https://notcve.org/view.php?id=CVE-2023-5514
01 Nov 2023 — The response messages received from the eSOMS report generation using certain parameter queries with full file path can be abused for enumerating the local file system structure. Se puede abusar de los mensajes de respuesta recibidos de la generación del informe eSOMS utilizando ciertas consultas de parámetros con la ruta completa del archivo para enumerar la estructura del sistema de archivos local. The response messages received from the eSOMS report generation using certain parameter queries with full fi... • https://publisher.hitachienergy.com/preview?DocumentId=8DBD000175&languageCode=en&Preview=true • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2622
https://notcve.org/view.php?id=CVE-2023-2622
01 Nov 2023 — Authenticated clients can read arbitrary files on the MAIN Computer system using the remote procedure call (RPC) of the InspectSetup service endpoint. The low privilege client is then allowed to read arbitrary files that they do not have authorization to read. Los clientes autenticados pueden leer archivos arbitrarios en el sistema informático PRINCIPAL mediante Remote Procedure Call (RPC) del endpoint del servicio InspectSetup. Luego, el cliente con privilegios bajos puede leer archivos arbitrarios para lo... • https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2621
https://notcve.org/view.php?id=CVE-2023-2621
01 Nov 2023 — The McFeeder server (distributed as part of SSW package), is susceptible to an arbitrary file write vulnerability on the MAIN computer system. This vulnerability stems from the use of an outdated version of a third-party library, which is used to extract archives uploaded to McFeeder server. An authenticated malicious client can exploit this vulnerability by uploading a crafted ZIP archive via the network to McFeeder’s service endpoint. El servidor McFeeder (distribuido como parte del paquete SSW) es suscep... • https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •