
CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Honeywell MPA2 Access Panel (Web server modules) allows XSS Using Invalid Characters. This issue affects MPA2 Access Panel, all versions prior to R1.00.08.05. Honeywell released firmware update package MPA2 firmware R1.00.08.05, which addresses this vulnerability. This version and all later versions correct the reported vulnerability.

• https://buildings.honeywell.com/us/en/brands/our-brands/security/support-and-resources/product-resources/eol-and-security-notices https://www.honeywell.com/us/en/product-security
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

Uncontrolled Resource Consumption vulnerability in Honeywell Niagara Framework on Windows, Linux, QNX allows Content Spoofing. This issue affects Niagara Framework: before Niagara AX 3.8.1, before Niagara 4.1.

• https://process.honeywell.com https://www.honeywell.com/us/en/product-security https://www.kb.cert.org/vuls/id/417980
• CWE-400: Uncontrolled Resource Consumption

CVSS: 5.3 | EPSS: 0% | CPEs: 4 | EXPL: 0

An attacker could potentially exploit this vulnerability, leading to files being read from the Honeywell Experion ControlEdge VirtualUOC and ControlEdge UOC. This exploit could be used to read files from the controller that may expose limited information from the device. Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning.

• https://process.honeywell.com https://www.honeywell.com/us/en/product-security
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-36: Absolute Path Traversal

CVSS: 9.1 | EPSS: 0% | CPEs: 4 | EXPL: 0

An attacker could potentially exploit this vulnerability, leading to the ability to modify files on Honeywell Experion ControlEdge VirtualUOC and ControlEdge UOC. This exploit could be used to write a file that may result in unexpected behavior based on configuration changes or updating of files that could result in subsequent execution of a malicious application if triggered. Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning.

• https://process.honeywell.com https://www.honeywell.com/us/en/product-security
• CWE-749: Exposed Dangerous Method or Function

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Honeywell ProWatch 4.5, including all Service Pack versions, contains a vulnerability in the Application Server's executable folder(s). An attacker could potentially exploit this vulnerability, allowing a standard user to achieve arbitrary system code execution. Honeywell recommends updating to the most recent version of this product, service or offering (Pro-watch 6.0.2, 6.0, 5.5.2, 5.0.5).

• https://buildings.honeywell.com/us/en/brands/our-brands/security/support-and-resources/product-resources/eol-and-security-notices https://www.honeywell.com/us/en/product-security
• CWE-732: Incorrect Permission Assignment for Critical Resource