CVSS: 7.8EPSS: 0%CPEs: 36EXPL: 0CVE-2023-1150 – WAGO: Series 750-3x/-8x prone to MODBUS server DoS
https://notcve.org/view.php?id=CVE-2023-1150
26 Jun 2023 — Uncontrolled resource consumption in Series WAGO 750-3x/-8x products may allow an unauthenticated remote attacker to DoS the MODBUS server with specially crafted packets. • https://cert.vde.com/en/advisories/VDE-2023-005 • CWE-400: Uncontrolled Resource Consumption CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 6.1EPSS: 0%CPEs: 202EXPL: 0CVE-2023-1620 – WAGO: DoS in multiple products in multiple versions using Codesys
https://notcve.org/view.php?id=CVE-2023-1620
26 Jun 2023 — Multiple WAGO devices in multiple versions may allow an authenticated remote attacker with high privileges to DoS the device by sending a specifically crafted packet to the CODESYS V2 runtime. • https://cert.vde.com/en/advisories/VDE-2023-006 • CWE-20: Improper Input Validation CWE-1288: Improper Validation of Consistency within Input •
CVSS: 6.1EPSS: 0%CPEs: 202EXPL: 0CVE-2023-1619 – WAGO: DoS in multiple versions of multiple products
https://notcve.org/view.php?id=CVE-2023-1619
26 Jun 2023 — Multiple WAGO devices in multiple versions may allow an authenticated remote attacker with high privileges to DoS the device by sending a malformed packet. • https://cert.vde.com/en/advisories/VDE-2023-006 • CWE-20: Improper Input Validation CWE-1288: Improper Validation of Consistency within Input •
CVSS: 10.0EPSS: 93%CPEs: 14EXPL: 7CVE-2023-1698 – WAGO: WBM Command Injection in multiple products
https://notcve.org/view.php?id=CVE-2023-1698
15 May 2023 — In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise. • https://packetstorm.news/files/id/200871 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 1%CPEs: 28EXPL: 0CVE-2022-45140 – WAGO: Missing Authentication for Critical Function
https://notcve.org/view.php?id=CVE-2022-45140
27 Feb 2023 — The configuration backend allows an unauthenticated user to write arbitrary data with root privileges to the storage, which could lead to unauthenticated remote code execution and full system compromise. • https://cert.vde.com/en/advisories/VDE-2022-060 • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 0%CPEs: 28EXPL: 0CVE-2022-45139 – WAGO: Origin validation error through CORS misconfiguration
https://notcve.org/view.php?id=CVE-2022-45139
27 Feb 2023 — A CORS Misconfiguration in the web-based management allows a malicious third party webserver to misuse all basic information pages on the webserver. In combination with CVE-2022-45138 this could lead to disclosure of device information like CPU diagnostics. As there is just a limited amount of information readable the impact only affects a small subset of confidentiality. • https://cert.vde.com/en/advisories/VDE-2022-060 • CWE-346: Origin Validation Error •
CVSS: 10.0EPSS: 0%CPEs: 28EXPL: 0CVE-2022-45138 – WAGO: Missing Authentication for Critical Function
https://notcve.org/view.php?id=CVE-2022-45138
27 Feb 2023 — The configuration backend of the web-based management can be used by unauthenticated users, although only authenticated users should be able to use the API. The vulnerability allows an unauthenticated attacker to read and set several device parameters that can lead to full compromise of the device. • https://cert.vde.com/en/advisories/VDE-2022-060 • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.4EPSS: 0%CPEs: 28EXPL: 0CVE-2022-45137 – WAGO: Reflective Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-45137
27 Feb 2023 — The configuration backend of the web-based management is vulnerable to reflected XSS (Cross-Site Scripting) attacks that targets the users browser. This leads to a limited impact of confidentiality and integrity but no impact of availability. • https://cert.vde.com/en/advisories/VDE-2022-060 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-3843 – WAGO: Exposure of configuration interface in unmanaged switches
https://notcve.org/view.php?id=CVE-2022-3843
16 Feb 2023 — In WAGO Unmanaged Switch (852-111/000-001) in firmware version 01 an undocumented configuration interface without authorization allows an remote attacker to read system information and configure a limited set of parameters. • https://cert.vde.com/en/advisories/VDE-2022-055 • CWE-912: Hidden Functionality •
CVSS: 5.9EPSS: 0%CPEs: 14EXPL: 0CVE-2022-3738 – WAGO: Missing authentication for config export functionality in multiple products
https://notcve.org/view.php?id=CVE-2022-3738
19 Jan 2023 — The vulnerability allows a remote unauthenticated attacker to download a backup file, if one exists. That backup file might contain sensitive information like credentials and cryptographic material. A valid user has to create a backup after the last reboot for this attack to be successfull. La vulnerabilidad permite a un atacante remoto no autenticado descargar un archivo de copia de seguridad, si existe. Ese archivo de copia de seguridad puede contener información confidencial, como credenciales y material... • https://cert.vde.com/en/advisories/VDE-2022-054 • CWE-306: Missing Authentication for Critical Function •