CVE-2020-15784
https://notcve.org/view.php?id=CVE-2020-15784
A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP8). Insecure storage of sensitive information in the configuration files could allow the retrieval of user names. • https://cert-portal.siemens.com/productcert/pdf/ssa-568969.pdf • CWE-312: Cleartext Storage of Sensitive Information
CVE-2019-10933
https://notcve.org/view.php?id=CVE-2019-10933
A vulnerability has been identified in Spectrum Power 3 (Corporate User Interface) (All versions <= v3.11), Spectrum Power 4 (Corporate User Interface) (Version v4.75), Spectrum Power 5 (Corporate User Interface) (All versions < v5.50), Spectrum Power 7 (Corporate User Interface) (All versions <= v2.20). The web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user does not need to be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known. • https://cert-portal.siemens.com/productcert/pdf/ssa-747162.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2019-6579
https://notcve.org/view.php?id=CVE-2019-6579
A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. • http://www.securityfocus.com/bid/107830 • https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')