CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-33316 – ICONICS GENESIS64 ColorPaletteEntry Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-33316
Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a monitoring screen file including malicious XAML codes. Una vulnerabilidad de Deserialización de Datos No Confiables en ICONICS GENESIS64 versiones 10.97.1 y anteriores y Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores permite a un atacante no autenticado ejecutar un código malicioso arbitrario al conllevar a un usuario a cargar un archivo de pantalla de monitoreo que incluye códigos XAML maliciosos This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of GDFX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://jvn.jp/vu/JVNVU96480474/index.html https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-23127
https://notcve.org/view.php?id=CVE-2022-23127
Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL. Una vulnerabilidad de tipo Cross-site Scripting en Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores, y en ICONICS MobileHMI versiones 10.96.2 y anteriores, permite a un atacante remoto no autenticado conseguir información de autenticación de un MC Works64 o MobileHMI y llevar a cabo cualquier operación usando la información de autenticación adquirida, inyectando un script malicioso en la URL de una pantalla de monitorización entregada desde el servidor MC Works64 o el servidor MobileHMI a una aplicación para dispositivos móviles y llevando a un usuario legítimo a acceder a esta URL • https://jvn.jp/vu/JVNVU95403720/index.html https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-23129
https://notcve.org/view.php?id=CVE-2022-23129
Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information. Una vulnerabilidad de almacenamiento de texto plano de una contraseña en Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores y en ICONICS GENESIS64 versiones 10.90 a 10.97, permite a un atacante local autenticado conseguir información de autenticación y acceder a la base de datos de forma ilegal. Esto es debido a que cuando la información de configuración de GridWorX, una función de enlace de bases de datos de GENESIS64 y MC Works64, es exportada a un archivo CSV, la información de autenticación es guardada en texto plano, y un atacante que pueda acceder a este archivo CSV puede conseguir la información de autenticación • https://jvn.jp/vu/JVNVU95403720/index.html https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.8EPSS: 0%CPEs: 47EXPL: 0CVE-2021-27041 – ICONICS GENESIS64 DWG File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-27041
A maliciously crafted DWG file can be used to write beyond the allocated buffer while parsing DWG files. This vulnerability can be exploited to execute arbitrary code Un archivo DWG malicioso puede ser utilizado para escribir más allá del buffer asignado mientras se analizan los archivos DWG. Esta vulnerabilidad puede ser explotada para ejecutar código arbitrario This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. • https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0007 • CWE-787: Out-of-bounds Write •
CVSS: 4.3EPSS: 0%CPEs: 43EXPL: 0CVE-2021-27040 – ICONICS GENESIS64 DWG File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-27040
A maliciously crafted DWG file can be forced to read beyond allocated boundaries when parsing the DWG file. This vulnerability can be exploited to execute arbitrary code. Un archivo DWG diseñado maliciosamente puede ser forzado a leer más allá de los límites asignados al analizar el archivo DWG. Esta vulnerabilidad puede ser explotada para ejecutar código arbitrario This vulnerability allows remote attackers to disclose sensitive information on affected installations of ICONICS GENESIS64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. • https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0004 https://www.zerodayinitiative.com/advisories/ZDI-21-1236 https://www.zerodayinitiative.com/advisories/ZDI-21-1238 https://www.zerodayinitiative.com/advisories/ZDI-22-378 https://www.zerodayinitiative.com/advisories/ZDI-22-473 • CWE-125: Out-of-bounds Read •