CVE-2015-2847
https://notcve.org/view.php?id=CVE-2015-2847
Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream. • http://www.kb.cert.org/vuls/id/857948 • CWE-284: Improper Access Control •
CVE-2015-0984
https://notcve.org/view.php?id=CVE-2015-0984
Directory traversal vulnerability in the FTP server on Honeywell Excel Web XL1000C50 52 I/O, XL1000C100 104 I/O, XL1000C500 300 I/O, XL1000C1000 600 I/O, XL1000C50U 52 I/O UUKL, XL1000C100U 104 I/O UUKL, XL1000C500U 300 I/O UUKL, and XL1000C1000U 600 I/O UUKL controllers before 2.04.01 allows remote attackers to read files under the web root, and consequently obtain administrative login access, via a crafted pathname. • http://seclists.org/fulldisclosure/2015/Apr/79 https://ics-cert.us-cert.gov/advisories/ICSA-15-076-02 https://www.outpost24.com/hacking-industrial-control-systems-case-study-falcon • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
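The class of bug in CVE-2015-0984 is a server that joins a client-supplied pathname onto its served root and trusts the result. The following is an added example, not code from Honeywell or from any of the advisories above, showing the naive resolver beside a hardened one that canonicalises the path (symlinks included) and then checks containment against the real root. The directory tree, file names and contents are constructed for the example.

```python
import os
import tempfile


class PathTraversal(ValueError):
    """Raised when a client-supplied pathname would resolve outside the served root."""


def resolve_naively(root: str, requested: str) -> str:
    """The pattern behind traversal bugs: join and trust.
    '..' segments walk out of root, and an absolute `requested`
    makes os.path.join discard root entirely."""
    return os.path.normpath(os.path.join(root, requested))


def resolve_under_root(root: str, requested: str) -> str:
    """Map a client-supplied pathname to a filesystem path guaranteed to lie
    inside `root`, or raise PathTraversal.
    realpath() resolves symlinks before the containment check, so a link
    inside the root cannot be used to reach outside it."""
    root_real = os.path.realpath(root)
    # Treat the client's path as relative to the served root whatever it looks
    # like: normalise Windows separators and strip leading slashes, so an
    # absolute path is re-rooted under `root` rather than honoured.
    rel = requested.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversal(requested)
    return candidate


def _read(path: str) -> str:
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway tree (constructed for this example) and compare the
    two resolvers on a benign pathname and several crafted ones."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html>ok</html>")
    # A file that must never be served: it lives beside the root, not under it.
    secret = os.path.join(base, "passwd.txt")
    with open(secret, "w", encoding="utf-8") as fh:
        fh.write("admin:hunter2")

    results = {}
    results["naive_benign"] = _read(resolve_naively(root, "index.html")) == "<html>ok</html>"
    # One '..' is enough for the naive resolver to hand over the secret.
    results["naive_escapes"] = _read(resolve_naively(root, "../passwd.txt")) == "admin:hunter2"

    results["hardened_benign"] = _read(resolve_under_root(root, "/index.html")) == "<html>ok</html>"
    crafted = ["../passwd.txt", "/../passwd.txt", "..\\passwd.txt", "a/../../passwd.txt"]
    blocked = []
    for path in crafted:
        try:
            resolve_under_root(root, path)
            blocked.append(False)
        except PathTraversal:
            blocked.append(True)
    results["hardened_blocks_all"] = all(blocked)
    # An absolute client path is not rejected but re-rooted, so it stays inside root.
    results["absolute_rerooted"] = resolve_under_root(root, secret).startswith(os.path.realpath(root))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check is done on the canonical path, not on the string the client sent: rejecting `..` textually misses encoded, mixed-separator and symlink variants, while comparing `realpath()` results catches all of them in one place.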
CVE-2014-8269 – Honeywell OPOS Suite HWOPOSScale.ocx Open Method Stack Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-8269
Multiple stack-based buffer overflows in (1) HWOPOSScale.ocx and (2) HWOPOSSCANNER.ocx in Honeywell OPOS Suite before 1.13.4.15 allow remote attackers to execute arbitrary code via a crafted file that is improperly handled by the Open method. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Honeywell OPOS Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within HWOPOSScale.ocx. The control does not check the length of an attacker-supplied string passed to the Open method before copying it into a fixed-length buffer on the stack. • http://www.kb.cert.org/vuls/id/659684 http://www.zerodayinitiative.com/advisories/ZDI-14-423 http://www.zerodayinitiative.com/advisories/ZDI-14-424 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2014-3110 – Honeywell XL Web Controller - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-3110
Multiple cross-site scripting (XSS) vulnerabilities on Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to inject arbitrary web script or HTML via invalid input. Honeywell XL Web Controller suffers from cross-site scripting and remote SQL injection vulnerabilities. • https://www.exploit-db.com/exploits/44749 http://ics-cert.us-cert.gov/advisories/ICSA-14-175-01 http://www.securityfocus.com/bid/68838 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-2717
https://notcve.org/view.php?id=CVE-2014-2717
Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to bypass authentication and obtain administrative access by visiting the change-password page. • http://ics-cert.us-cert.gov/advisories/ICSA-14-175-01 •
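CVE-2015-2847 (Tuxedo Touch: the authentication step lives in client-side JavaScript, so stripping the USERACCT requests skips it) and CVE-2014-2717 (XLWeb: the change-password page is reachable without logging in) are the same design failure seen from two sides: the server assumes the client has already gone through a login flow instead of checking on every privileged request. The following is an added example, not code from Honeywell or from either advisory, contrasting that assumption with a server that gates every non-public route on a server-side session lookup. The routes, credentials and request shapes are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """A minimal HTTP-like request: path, cookies and form/query parameters."""
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


class ClientGatedServer:
    """Anti-pattern: the device assumes the browser already ran the login flow,
    so the privileged page does no check of its own. A client that skips or
    strips the login step can call it directly."""

    def __init__(self):
        self.passwords = {"admin": "hunter2"}  # constructed credentials

    def handle(self, req: Request):
        if req.path == "/changepassword":
            # No server-side identity check: trusts that the client did one.
            self.passwords["admin"] = req.params["new"]
            return 200, "password changed"
        return 404, "not found"


class ServerGatedServer:
    """Hardened form: every route outside PUBLIC is gated by a server-side
    session lookup before its handler runs. Deny by default, so a new route
    added later cannot be forgotten."""

    PUBLIC = {"/login"}

    def __init__(self):
        self.passwords = {"admin": "hunter2"}  # constructed credentials
        self.sessions = {}  # session token -> username, held only on the server
        self.routes = {"/login": self.login, "/changepassword": self.change_password}

    def handle(self, req: Request):
        handler = self.routes.get(req.path)
        if handler is None:
            return 404, "not found"
        user = None
        if req.path not in self.PUBLIC:
            # Identity comes from the session table, never from the request body.
            user = self.sessions.get(req.cookies.get("session", ""))
            if user is None:
                return 401, "login required"
        return handler(req, user)

    def login(self, req: Request, _user):
        name = req.params.get("user")
        supplied = req.params.get("password", "")
        if name in self.passwords and secrets.compare_digest(self.passwords[name], supplied):
            token = secrets.token_urlsafe(32)
            self.sessions[token] = name
            return 200, token
        return 401, "bad credentials"

    def change_password(self, req: Request, user: str):
        self.passwords[user] = req.params["new"]
        return 200, "password changed"


def demo() -> dict:
    """Replay the same direct, unauthenticated request against both servers,
    then a forged cookie and a legitimate login against the hardened one."""
    direct = Request("/changepassword", params={"new": "owned"})
    vuln, hard = ClientGatedServer(), ServerGatedServer()
    out = {}
    out["vuln_status"] = vuln.handle(direct)[0]
    out["vuln_password"] = vuln.passwords["admin"]
    out["hard_status"] = hard.handle(direct)[0]
    out["hard_password"] = hard.passwords["admin"]
    # A made-up cookie is as useless as none: the token must exist server-side.
    forged = Request("/changepassword", cookies={"session": "A" * 43}, params={"new": "owned"})
    out["forged_status"] = hard.handle(forged)[0]
    # Legitimate flow: log in, then present the issued token.
    _status, token = hard.handle(Request("/login", params={"user": "admin", "password": "hunter2"}))
    legit = Request("/changepassword", cookies={"session": token}, params={"new": "rotated"})
    out["legit_status"] = hard.handle(legit)[0]
    out["hard_password_after"] = hard.passwords["admin"]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check sits in the dispatcher rather than inside each handler; that is what makes "visit the change-password page directly" or "drop the USERACCT exchange" fail, because the server never depended on the client having performed those steps in the first place.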