CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2020-12013 – ICONICS Genesis64 TestQuery SQL Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-12013
A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior. Un cliente WCF especialmente diseñado que interactúa con el puede permitir la ejecución de determinados comandos SQL arbitrarios remotamente. Esto afecta: Mitsubishi Electric MC Works64 Versión 4.02C (10.95.208.31) y anteriores, todas las versiones; Mitsubishi Electric MC Works32 versión 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server versión v10.96 y anteriores; ICONICS GenBroker32 versión v9.5 y anteriores The vulnerablity allows remote attackers to execute arbitrary code on affected installations of ICONICS Genesis64. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of requests to the TestQuery endpoint of the IcoFwxServer service. • https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02 https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 4%CPEs: 11EXPL: 0CVE-2020-12011 – ICONICS Genesis64 VariantClear Out-Of-Bounds Access Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-12011
A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; GenBroker32 version 9.5 and prior. Un paquete de comunicación especialmente diseñado enviado a los sistemas afectados podría causar una condición de denegación de servicio o permitir una ejecución de código remota. Este problema afecta: Mitsubishi Electric MC Works64 versión 4.02C (10.95.208.31) y anteriores, todas las versiones; MC Works32 versión 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server versión 10.96 y anteriores; GenBroker32 versión 9.5 y anteriores This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS Genesis64. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of indexes. • https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02 https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03 • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2020-5594
https://notcve.org/view.php?id=CVE-2020-5594
Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series CPU modules all versions contain a vulnerability that allows cleartext transmission of sensitive information between CPU modules and GX Works3 and/or GX Works2 via unspecified vectors. Todos los módulos de CPU de las series Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L y FX, contienen una vulnerabilidad que permite la transmisión de información confidencial entre módulos de CPU y GX Works3 y/o GX Works2 por medio de vectores no especificados • https://jvn.jp/en/vu/JVNVU91424496/index.html https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-003.pdf https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-003_en.pdf • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 7.8EPSS: 0%CPEs: 42EXPL: 0CVE-2020-13238
https://notcve.org/view.php?id=CVE-2020-13238
Mitsubishi MELSEC iQ-R Series PLCs with firmware 33 allow attackers to halt the industrial process by sending an unauthenticated crafted packet over the network, because this denial of service attack consumes excessive CPU time. After halting, physical access to the PLC is required in order to restore production. Los PLC Mitsubishi MELSEC iQ-R Series con firmware 33, permiten a atacantes detener el proceso industrial mediante el envío de un paquete diseñado no autenticado a través de la red, porque este ataque de denegación de servicio consume un tiempo excesivo de la CPU. Después de detenerse, se requiere acceso físico al PLC para restaurar producción • http://jvn.jp/vu/JVNVU97662844/index.html https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-001_en.pdf https://www.us-cert.gov/ics/advisories/icsa-20-161-02 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 92EXPL: 0CVE-2020-5527
https://notcve.org/view.php?id=CVE-2020-5527
When MELSOFT transmission port (UDP/IP) of Mitsubishi Electric MELSEC iQ-R series (all versions), MELSEC iQ-F series (all versions), MELSEC Q series (all versions), MELSEC L series (all versions), and MELSEC F series (all versions) receives massive amount of data via unspecified vectors, resource consumption occurs and the port does not process the data properly. As a result, it may fall into a denial-of-service (DoS) condition. The vendor states this vulnerability only affects Ethernet communication functions. Cuando el puerto de transmisión de MELSOFT (UDP/IP) de la serie Mitsubishi Electric MELSEC iQ-R (todas las versiones), la serie MELSEC iQ-F (todas las versiones), la serie MELSEC Q (todas las versiones), la serie MELSEC L (todas las versiones) y la serie MELSEC F (todas las versiones), recibe una cantidad masiva de datos por medio de vectores no especificados, un consumo de recursos se presenta y el puerto no procesa los datos apropiadamente. Como resultado, puede caer en una condición de denegación de servicio (DoS). • https://jvn.jp/en/vu/JVNVU91553662/index.html https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2019-005_en.pdf • CWE-400: Uncontrolled Resource Consumption •