Page 3 of 83 results (0.003 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-284 Improper Access Control, and stores project data in a directory with improper access control lists. Emerson Electrics Proficy Machine Edition versiones 9.00 y anteriores, es vulnerable a CWE-284 Control de Acceso Inapropiado, y almacena los datos del proyecto en un directorio con listas de control de acceso inapropiadas. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-06 • CWE-284: Improper Access Control •

CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0

Emerson Electric's Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: '\..\Filename', also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer through the engineering station onto Windows in a way that executes the malicious code. Emerson Electrics Proficy Machine Edition versiones 9.80 y anteriores, es vulnerable a CWE-29 Salto de Ruta: '\..\Filename", también se conoce como ataque ZipSlip, mediante un procedimiento de carga que permite a atacantes implantar un archivo .BLZ malicioso en el PLC. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-06 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-29: Path Traversal: '\..\filename' •

CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0

The Emerson ControlWave 'Next Generation' RTUs through 2022-05-02 mishandle firmware integrity. They utilize the BSAP-IP protocol to transmit firmware updates. Firmware updates are supplied as CAB archive files containing a binary firmware image. In all cases, firmware images were found to have no authentication (in the form of firmware signing) and only relied on insecure checksums for regular integrity checks. Las RTUs de Emerson ControlWave "Next Generation" versiones hasta 02-05-2022, manejan inapropiadamente la integridad del firmware. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-221-02 https://www.forescout.com/blog • CWE-345: Insufficient Verification of Data Authenticity •

CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0

The Emerson ROC and FloBoss RTU product lines through 2022-05-02 perform insecure filesystem operations. They utilize the ROC protocol (4000/TCP, 5000/TCP) for communications between a master terminal and RTUs. Opcode 203 of this protocol allows a master terminal to transfer files to and from the flash filesystem and carrying out arbitrary file and directory read, write, and delete operations. Las líneas de productos ROC y FloBoss RTU de Emerson versiones hasta 02-05-2022, llevan a cabo operaciones no seguras en el sistema de archivos. Usan el protocolo ROC (4000/TCP, 5000/TCP) para las comunicaciones entre un terminal maestro y las RTU. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-223-04 https://www.forescout.com/blog • CWE-345: Insufficient Verification of Data Authenticity •

CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0

Emerson OpenBSI through 2022-04-29 mishandles credential storage. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. This environment provides access control functionality through user authentication and privilege management. The credentials for various users are stored insecurely in the SecUsers.ini file by using a simple string transformation rather than a cryptographic mechanism. Emerson OpenBSI versiones hasta 29-04-2022, maneja inapropiadamente el almacenamiento de credenciales. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-221-03 https://www.forescout.com/blog • CWE-522: Insufficiently Protected Credentials •