CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2019-5136
https://notcve.org/view.php?id=CVE-2019-5136
An exploitable privilege escalation vulnerability exists in the iw_console functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted menu selection string can cause an escape from the restricted console, resulting in system access as the root user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. Se presenta una vulnerabilidad de escalada de privilegios explotable en la funcionalidad iw_console en Moxa AWK-3131A versión de firmware 1.13. Una cadena de selección de menú especialmente diseñada puede causar un escape de la consola restringida, resultando en un acceso al sistema como el usuario root. • https://talosintelligence.com/vulnerability_reports/TALOS-2019-0925 • CWE-284: Improper Access Control •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2019-5142
https://notcve.org/view.php?id=CVE-2019-5142
An exploitable command injection vulnerability exists in the hostname functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted entry to network configuration information can cause execution of arbitrary system commands, resulting in full control of the device. An attacker can send various authenticated requests to trigger this vulnerability. Se presenta una vulnerabilidad de inyección de comandos explotable en la funcionalidad hostname del Moxa AWK-3131A versión de firmware 1.13. Una entrada especialmente diseñada para la información de configuración de red puede causar una ejecución de comandos de sistema arbitraria, resultando en el control total del dispositivo. • https://talosintelligence.com/vulnerability_reports/TALOS-2019-0931 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 1CVE-2019-5141
https://notcve.org/view.php?id=CVE-2019-5141
An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted iw_serverip parameter can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. Se presenta una vulnerabilidad de inyección de comandos explotable en la funcionalidad iw_webs del Moxa AWK-3131A versión de firmware 1.13. Un parámetro iw_serverip especialmente diseñado puede causar que la entrada del usuario sea reflejada en una llamada iw_system subsiguiente, resultando en un control remoto sobre el dispositivo. • https://talosintelligence.com/vulnerability_reports/TALOS-2019-0930 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-5140
https://notcve.org/view.php?id=CVE-2019-5140
An exploitable command injection vulnerability exists in the iwwebs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file name can cause user input to be reflected in a subsequent iwsystem call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. Se presenta una vulnerabilidad de inyección de comandos explotable en la funcionalidad iwwebs del Moxa AWK-3131A versión de firmware 1.13. Un nombre de archivo script de diagnóstico especialmente diseñado puede causar que la entrada del usuario sea reflejada en una llamada iwsystem subsiguiente, resultando en un control remoto sobre el dispositivo. • https://talosintelligence.com/vulnerability_reports/TALOS-2019-0929 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2020-8858 – Moxa MGate 5105-MB-EIP DestIP Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-8858
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Moxa MGate 5105-MB-EIP firmware version 4.1. Authentication is required to exploit this vulnerability. The specific flaw exists within the DestIP parameter within MainPing.asp. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. • https://www.moxa.com/en/support/support/security-advisory/mgate-5105-mb-eip-series-protocol-gateways-vulnerability https://www.zerodayinitiative.com/advisories/ZDI-20-214 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •