CVE-2022-33318 – ICONICS GENESIS64 genbroker64 Use-After-Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-33318
Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows a remote unauthenticated attacker to execute an arbitrary malicious code by sending specially crafted packets to the GENESIS64 server. Una vulnerabilidad de Deserialización de Datos No Confiables en ICONICS GENESIS64 versiones 10.97.1 y anteriores y Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores permite a un atacante remoto no autenticado ejecutar un código malicioso arbitrario mediante el envío de paquetes especialmente diseñados al servidor GENESIS64 This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. Authentication is not required to exploit this vulnerability. The specific flaw exists within the GenBroker64 service. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the Administrator. • https://jvn.jp/vu/JVNVU96480474/index.html https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf • CWE-502: Deserialization of Untrusted Data •
CVE-2022-33320 – ICONICS GENESIS64 PKGX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-33320
Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes. Una vulnerabilidad de Deserialización de Datos No Confiables en ICONICS GENESIS64 versiones 10.97.1 y anteriores y Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores permite a un atacante no autenticado ejecutar un código malicioso arbitrario al conllevar a un usuario a cargar un archivo de configuración de proyecto que incluye códigos XML maliciosos This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PKGX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://jvn.jp/vu/JVNVU96480474/index.html https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf • CWE-502: Deserialization of Untrusted Data •
CVE-2022-33315 – ICONICS GENESIS64 GraphWorX64 TDFX File Parsing Deserialization Of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-33315
Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a monitoring screen file including malicious XAML codes. Una vulnerabilidad de Deserialización de Datos No Confiables en ICONICS GENESIS64 versiones 10.97.1 y anteriores y Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores permite a un atacante no autenticado ejecutar un código malicioso arbitrario al conllevar a un usuario a cargar un archivo de pantalla de monitoreo que incluye códigos XAML maliciosos This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of TDFX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://jvn.jp/vu/JVNVU96480474/index.html https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf • CWE-502: Deserialization of Untrusted Data •
CVE-2022-33317 – ICONICS GENESIS64 GDFX File Parsing Path Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-33317
Inclusion of Functionality from Untrusted Control Sphere vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a monitoring screen file including malicious script codes. Una vulnerabilidad de Inclusión de Funcionalidad de la Esfera de Control No Confiable en ICONICS GENESIS64 versiones 10.97.1 y anteriores y Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores permite a un atacante no autenticado ejecutar un código malicioso arbitrario al conllevar a un usuario a cargar un archivo de pantalla de monitoreo que incluye códigos de script maliciosos This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of GDFX files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the ICONICS_ADMIN user. • https://jvn.jp/vu/JVNVU96480474/index.html https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVE-2022-33316 – ICONICS GENESIS64 ColorPaletteEntry Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-33316
Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a monitoring screen file including malicious XAML codes. Una vulnerabilidad de Deserialización de Datos No Confiables en ICONICS GENESIS64 versiones 10.97.1 y anteriores y Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores permite a un atacante no autenticado ejecutar un código malicioso arbitrario al conllevar a un usuario a cargar un archivo de pantalla de monitoreo que incluye códigos XAML maliciosos This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of GDFX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://jvn.jp/vu/JVNVU96480474/index.html https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf • CWE-502: Deserialization of Untrusted Data •