CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-36549 – GE Voluson S8 Windows Operating System Patches privileges management
https://notcve.org/view.php?id=CVE-2020-36549
17 Jun 2022 — A vulnerability classified as critical was found in GE Voluson S8. Affected is the underlying Windows XP operating system. Missing patches might introduce an excessive attack surface. Access to the local network is required for this attack to succeed. Se ha encontrado una vulnerabilidad clasificada como crítica en GE Voluson S8. • https://vuldb.com/?id.129835 • CWE-269: Improper Privilege Management •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-36548 – GE Voluson S8 Service Browser users.cgi improper authentication
https://notcve.org/view.php?id=CVE-2020-36548
17 Jun 2022 — A vulnerability classified as problematic has been found in GE Voluson S8. Affected is the file /uscgi-bin/users.cgi of the Service Browser. The manipulation leads to improper authentication and elevated access possibilities. It is possible to launch the attack on the local host. Se ha encontrado una vulnerabilidad clasificada como problemática en GE Voluson S8. • https://vuldb.com/?id.129834 • CWE-287: Improper Authentication •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-36547 – GE Voluson S8 Service Browser hard-coded credentials
https://notcve.org/view.php?id=CVE-2020-36547
17 Jun 2022 — A vulnerability was found in GE Voluson S8. It has been rated as critical. This issue affects the Service Browser which itroduces hard-coded credentials. Attacking locally is a requirement. It is recommended to change the configuration settings. • https://vuldb.com/?id.129833 • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-44477 – GE Gas Power ToolBoxST Improper Restriction of XML External Entity Reference
https://notcve.org/view.php?id=CVE-2021-44477
25 Mar 2022 — GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file. GE Gas Power ToolBoxST Versión v04.07.05C, sufre una vulnerabilidad de tipo XML external entity (XXE) usando la técnica de e... • https://www.cisa.gov/uscert/ics/advisories/icsa-22-025-01 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 0%CPEs: 38EXPL: 0CVE-2021-27422 – GE UR family exposure of sensitive information to an unauthorized actor
https://notcve.org/view.php?id=CVE-2021-27422
23 Mar 2022 — GE UR firmware versions prior to version 8.1x web server interface is supported on UR over HTTP protocol. It allows sensitive information exposure without authentication. GE UR versiones de firmware anteriores a versión 8.1x, admiten la interfaz del servidor web en la UR a través del protocolo HTTP. Permite una exposición de información confidencial sin autenticación • https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 9.8EPSS: 0%CPEs: 38EXPL: 0CVE-2021-27426 – GE UR family insecure default variable initialization
https://notcve.org/view.php?id=CVE-2021-27426
23 Mar 2022 — GE UR IED firmware versions prior to version 8.1x with “Basic” security variant does not allow the disabling of the “Factory Mode,” which is used for servicing the IED by a “Factory” user. GE UR IED versiones de firmware anteriores a versión 8.1x con la variante de seguridad "Basic" no permiten deshabilitar el "Factory Mode", que es usado para el mantenimiento del IED por parte de un usuario "Factory" • https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02 • CWE-453: Insecure Default Variable Initialization •
CVSS: 8.4EPSS: 0%CPEs: 3EXPL: 0CVE-2021-27430 – GE UR family hardcoded credentials
https://notcve.org/view.php?id=CVE-2021-27430
23 Mar 2022 — GE UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR. Las versiones 7.00, 7.01 y 7.02 del binario del cargador de arranque GE UR incluían credenciales embebidas no usadas. Además, un usuario con acceso físico al IED de la UR puede interrumpir la secuencia de arranque al reiniciar la UR • https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02 • CWE-798: Use of Hard-coded Credentials •
CVSS: 9.8EPSS: 0%CPEs: 38EXPL: 0CVE-2021-27428 – GE UR family Unrestricted Upload of File with Dangerous Type
https://notcve.org/view.php?id=CVE-2021-27428
23 Mar 2022 — GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without appropriate privileges. The weakness is assessed, and mitigation is implemented in firmware Version 8.10. IED GE UR versiones de firmware anteriores a versión 8.1x, admiten la actualización del firmware mediante la herra... • https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 0%CPEs: 38EXPL: 0CVE-2021-27424 – GE UR family exposure of sensitive information to an unauthorized actor
https://notcve.org/view.php?id=CVE-2021-27424
23 Mar 2022 — GE UR firmware versions prior to version 8.1x shares MODBUS memory map as part of the communications guide. GE was made aware a “Last-key pressed” MODBUS register can be used to gain unauthorized information. GE UR versiones de firmware anteriores a versión 8.1x, comparten el mapa de memoria MODBUS como parte de la guía de comunicaciones. GE se dio cuenta de que un registro MODBUS de "última tecla pulsada" puede usarse para obtener información no autorizada • https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 5.3EPSS: 0%CPEs: 38EXPL: 0CVE-2021-27420 – GE UR family input validation
https://notcve.org/view.php?id=CVE-2021-27420
23 Mar 2022 — GE UR firmware versions prior to version 8.1x web server task does not properly handle receipt of unsupported HTTP verbs, resulting in the web server becoming temporarily unresponsive after receiving a series of unsupported HTTP requests. When unresponsive, the web server is inaccessible. By itself, this is not particularly significant as the relay remains effective in all other functionality and communication channels. GE UR versiones de firmware anteriores a versión 8.1x, de la tarea del servidor web no m... • https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02 • CWE-20: Improper Input Validation •