Page 4 of 31 results (0.011 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which a low-level user could extract files and plaintext credentials of administrator users, resulting in privilege escalation. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Delta Electronics InfraSuite Device Master. Authentication is required to exploit this vulnerability. The specific flaw exists within the gateway endpoint, which listens on TCP ports 80 and 443 by default. The issue results from improper access control. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 • CWE-522: Insufficiently Protected Credentials •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation. This vulnerability allows remote attackers to escalate privileges on affected installations of Delta Electronics InfraSuite Device Master. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Device-Gateway service, which listens on TCP port 3100 by default. The issue results from improper access control. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 • CWE-863: Incorrect Authorization •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain an improper access control vulnerability, which could allow an attacker to retrieve Gateway configuration files to obtain plaintext credentials. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Delta Electronics InfraSuite Device Master. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Device-Gateway service, which listens on TCP port 80 by default. The issue results from improper access control. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-gateway service, which could allow deserialization of requests prior to authentication, resulting in remote code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics InfraSuite Device Master. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Device-Gateway service, which listens on TCP port 3100 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of an administrator. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.8EPSS: 8%CPEs: 1EXPL: 0

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which the Device-status service listens on port 10100/ UDP by default. The service accepts the unverified UDP packets and deserializes the content, which could allow an unauthenticated attacker to remotely execute arbitrary code. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics InfraSuite Device Master. Authentication is not required to exploit this vulnerability. The specific flaw exists within the installed instance of Apache ActiveMQ, which utilizes an outdated version of the JDK. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. • http://packetstormsecurity.com/files/172799/Delta-Electronics-InfraSuite-Device-Master-Deserialization.html https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 https://www.zerodayinitiative.com/advisories/ZDI-23-672 https://attackerkb.com/topics/owl4Xz8fKW/cve-2023-1133 • CWE-502: Deserialization of Untrusted Data •