CVE-2018-10692
https://notcve.org/view.php?id=CVE-2018-10692
An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily.
• http://packetstormsecurity.com/files/153223/Moxa-AWK-3121-1.14-Information-Disclosure-Command-Execution.html
• https://github.com/samuelhuntley/Moxa_AWK_1121/blob/master/Moxa_AWK_1121
• https://seclists.org/bugtraq/2019/Jun/8
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-10691
https://notcve.org/view.php?id=CVE-2018-10691
An issue was discovered on Moxa AWK-3121 1.14 devices. It is intended that an administrator can download /systemlog.log (the system log). However, the same functionality allows an attacker to download the file without any authentication or authorization.
• http://packetstormsecurity.com/files/153223/Moxa-AWK-3121-1.14-Information-Disclosure-Command-Execution.html
• https://github.com/samuelhuntley/Moxa_AWK_1121/blob/master/Moxa_AWK_1121
• https://seclists.org/bugtraq/2019/Jun/8
• CWE-284: Improper Access Control
CVE-2018-10690
https://notcve.org/view.php?id=CVE-2018-10690
An issue was discovered on Moxa AWK-3121 1.14 devices. By default, the device allows HTTP traffic, thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and to compromise sensitive data such as credentials.
• http://packetstormsecurity.com/files/153223/Moxa-AWK-3121-1.14-Information-Disclosure-Command-Execution.html
• https://github.com/samuelhuntley/Moxa_AWK_1121/blob/master/Moxa_AWK_1121
• https://seclists.org/bugtraq/2019/Jun/8
• CWE-311: Missing Encryption of Sensitive Data