
CVSS: 6.2 | EPSS: 0% | CPEs: 2 | EXPL: 0

Hills ComNav version 3002-19 suffers from a weak communication channel. Traffic across the local network for the configuration pages can be viewed by a malicious actor. The size of certain communications packets is predictable. This would allow an attacker to learn the state of the system if they can observe the traffic. This would be possible even if the traffic were encrypted, e.g., using WPA2, as the packet sizes would remain observable.

• References: https://www.corporate.carrier.com/Images/CARR-PSA-Hills-ComNav-002-1121_tcm558-149392.pdf
• CWE-203: Observable Discrepancy; CWE-326: Inadequate Encryption Strength

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

Automated Logic Corporation (ALC) WebCTRL System 6.5 and prior allows remote attackers to execute any JavaScript code via an XSS payload for the first parameter in a GET request.

• References: https://github.com/ismailerkek/CVEs/blob/main/CVE-2020-19762-RESERVED.md
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 1

An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying web server OS via the "X-Wap-Profile" HTTP header. WebCTRL suffers from an out-of-band XML external entity injection vulnerability.

• References: http://packetstormsecurity.com/files/148126/WebCTRL-Out-Of-Band-XML-Injection.html, http://seclists.org/fulldisclosure/2018/Jun/21, https://hateshape.github.io/general/2018/06/07/CVE-2018-8819.html
• CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser, causing the application to execute arbitrary code or disclose file contents from a server or connected network.

• References: http://www.securityfocus.com/bid/100558, https://ics-cert.us-cert.gov/advisories/ICSA-17-150-01
• CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 7.8 | EPSS: 0% | CPEs: 13 | EXPL: 1

An Unrestricted Upload of File with Dangerous Type issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to upload a malicious file allowing the execution of arbitrary code. Automated Logic WebCTRL version 6.5 suffers from an unrestricted file upload vulnerability that allows for remote code execution.

• References: https://www.exploit-db.com/exploits/42544, http://www.securityfocus.com/bid/100452, https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01
• CWE-434: Unrestricted Upload of File with Dangerous Type