CVSS: 7.8 • EPSS: 0% • CPEs: 16 • EXPL: 0

13 Jul 2023 — Experion server may experience a DoS due to a stack overflow when handling a specially crafted message. • https://process.honeywell.com • CWE-697: Incorrect Comparison CWE-787: Out-of-bounds Write •

CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

28 Jun 2023 — [An attacker can capture an authenticating hash and utilize it to create new sessions. The hash is also a poorly salted MD5 hash, which could result in a successful brute force password attack. Impacted product is BCM-WEB version 3.3.X. Recommended fix: Upgrade to a supported product such as Alerton ACM.] Out of an abundance of caution, this CVE ID is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be remove... • https://www.honeywell.com/us/en/product-security • CWE-290: Authentication Bypass by Spoofing CWE-326: Inadequate Encryption Strength •

CVSS: 7.2 • EPSS: 0% • CPEs: 2 • EXPL: 0

30 May 2023 — An attacker having physical access to WDM can plug USB device to gain access and execute unwanted commands. A malicious user could enter a system command along with a backup configuration, which could result in the execution of unwanted commands. This issue affects OneWireless all versions up to 322.1 and fixed in version 322.2. • https://process.honeywell.com • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 6.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

30 May 2023 — Use of Insufficiently Random Values in Honeywell OneWireless. This vulnerability may allow attacker to manipulate claims in client's JWT token. This issue affects OneWireless version 322.1. • https://process.honeywell.com • CWE-330: Use of Insufficiently Random Values •

CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

30 May 2023 — Missing Authentication for Critical Function vulnerability in Honeywell OneWireless allows Authentication Bypass. This issue affects OneWireless version 322.1. • https://process.honeywell.com • CWE-306: Missing Authentication for Critical Function •

CVSS: 10.0 • EPSS: 0% • CPEs: 8 • EXPL: 0

28 Oct 2022 — Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition. • https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 10.0 • EPSS: 0% • CPEs: 8 • EXPL: 0

28 Oct 2022 — Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition. • https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

28 Oct 2022 — Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to relative path traversal, which may allow an attacker access to unauthorized files and directories. • https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Sep 2022 — A local unprivileged attacker may escalate to administrator privileges in Honeywell SoftMaster version 4.51, due to insecure permission assignment. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-256-02 • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 8.8 • EPSS: 1% • CPEs: 1 • EXPL: 1

16 Sep 2022 — If an attacker manages to trick a valid user into loading a malicious DLL, the attacker may be able to achieve code execution in Honeywell SoftMaster version 4.51 application’s context and permissions. • https://github.com/shirouQwQ/CVE-2022-2333 • CWE-427: Uncontrolled Search Path Element •