CVE-2023-37545 – CODESYS: Improper Input Validation in CmpApp component
https://notcve.org/view.php?id=CVE-2023-37545
In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37546, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549, CVE-2023-37550 • https://cert.vde.com/en/advisories/VDE-2023-019 • CWE-20: Improper Input Validation •
CVE-2023-3662 – CODESYS: Vulnerability in CODESYS Development System allows for execution of binaries
https://notcve.org/view.php?id=CVE-2023-3662
In CODESYS Development System versions from 3.5.17.0 and prior to 3.5.19.20 a vulnerability allows for execution of binaries from the current working directory in the users context . • https://cert.vde.com/en/advisories/VDE-2023-021 • CWE-427: Uncontrolled Search Path Element •
CVE-2023-3663 – CODESYS: Missing integrity check in CODESYS Development System
https://notcve.org/view.php?id=CVE-2023-3663
In CODESYS Development System versions from 3.5.11.20 and before 3.5.19.20 a missing integrity check might allow an unauthenticated remote attacker to manipulate the content of notifications received via HTTP by the CODESYS notification server. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of CODESYS Development System. Authentication is not required to exploit this vulnerability. The specific flaw exists within the LearnMoreAction function. The issue results from a missing integrity check on notification data. An attacker can leverage this vulnerability to execute code in the context of the current user. • https://cert.vde.com/en/advisories/VDE-2023-022 • CWE-345: Insufficient Verification of Data Authenticity CWE-940: Improper Verification of Source of a Communication Channel •
CVE-2022-4224 – CODESYS: Exposure of Resource to Wrong Sphere in CODESYS V3
https://notcve.org/view.php?id=CVE-2022-4224
In multiple products of CODESYS v3 in multiple versions a remote low privileged user could utilize this vulnerability to read and modify system files and OS resources or DoS the device. • https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17553&token=cf49757d232ea8021f0c0dd6c65e71ea5942b12d&download= • CWE-1188: Initialization of a Resource with an Insecure Default •
CVE-2022-30792 – CODESYS: CmpChannelServer, CmpChannelServerEmbedded allow unauthenticated attackers to block all their available communication channels
https://notcve.org/view.php?id=CVE-2022-30792
In CmpChannelServer of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new communication channel connections. Existing connections are not affected. En CmpChannelServer de CODESYS versión V3 en múltiples versiones un consumo no controlado de recursos permite a un atacante no autorizado bloquear nuevas conexiones de canales de comunicación. Las conexiones existentes no están afectadas • https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17128&token=bee4d8a57f19be289d623ec90135493b5f9179e3&download= • CWE-400: Uncontrolled Resource Consumption •