CVE-2023-33239 – Second Order Command-injection Vulnerability in the Key-generation Function
https://notcve.org/view.php?id=CVE-2023-33239
TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to command injection. This vulnerability stems from insufficient input validation in the key-generation function, which could potentially allow malicious users to execute remote code on affected devices.
• https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230402-tn-5900-and-tn-4900-series-web-server-multiple-vulnerabilities
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-33238 – Command-injection Vulnerability in Certificate Management
https://notcve.org/view.php?id=CVE-2023-33238
TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to command injection. This vulnerability stems from inadequate input validation in the certificate management function, which could potentially allow malicious users to execute remote code on affected devices.
• https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230402-tn-5900-and-tn-4900-series-web-server-multiple-vulnerabilities
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-33237 – Authentication Bypass Without Administrator Privilege
https://notcve.org/view.php?id=CVE-2023-33237
TN-5900 Series firmware version v3.3 and prior is vulnerable to improper authentication. This vulnerability arises from inadequate authentication measures implemented in the web API handler, allowing low-privileged APIs to execute restricted actions that only high-privileged APIs are allowed to perform. This presents a potential risk of unauthorized exploitation by malicious actors.
• https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230402-tn-5900-and-tn-4900-series-web-server-multiple-vulnerabilities
• CWE-287: Improper Authentication
• CWE-863: Incorrect Authorization
CVE-2023-3336 – TN-5900 Series User Enumeration Vulnerability
https://notcve.org/view.php?id=CVE-2023-3336
TN-5900 Series version 3.3 and prior versions are vulnerable to user enumeration. The vulnerability may allow a remote attacker to determine whether a user is valid during password recovery through the web login page and enable a brute force attack with valid users.
• https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230401-tn-5900-series-user-enumeration-vulnerability
• CWE-203: Observable Discrepancy
• CWE-204: Observable Response Discrepancy
CVE-2021-46559 – Moxa TN-5900 Firmware Upgrade Checksum Validation
https://notcve.org/view.php?id=CVE-2021-46559
The firmware on Moxa TN-5900 devices through 3.1 has a weak algorithm that allows an attacker to defeat an inspection mechanism for integrity protection. Moxa TN-5900 versions 3.1.0 and below use an insecure method to validate firmware updates. A malicious user with access to the management interface can upload arbitrary code in a crafted
• https://www.moxa.com/en/support/product-support/security-advisory/tn-5900-secure-routers-vulnerabilities
• CWE-345: Insufficient Verification of Data Authenticity