CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2019-6530 – Panasonic Control FPWIN PRO Project File Parsing sc_app Heap-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-6530
Panasonic FPWIN Pro version 7.3.0.0 and prior allows attacker-created project files to be loaded by an authenticated user causing heap-based buffer overflows, which may lead to remote code execution. Panasonic FPWIN Pro, versión 7.3.0.0 y anteriores permite que los archivos de proyecto creados por el atacante sean cargados por un usuario autorizado causando desbordamientos de búfer en la región heap de la memoria, lo que puede conducir a la ejecución de código remota. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Panasonic Control FPWin Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PRO files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. • http://www.securityfocus.com/bid/108683 https://ics-cert.us-cert.gov/advisories/ICSA-19-157-02 https://www.zerodayinitiative.com/advisories/ZDI-19-565 https://www.zerodayinitiative.com/advisories/ZDI-19-567 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-0676
https://notcve.org/view.php?id=CVE-2018-0676
BN-SDWBP3 firmware version 1.0.9 and earlier allows an attacker on the same network segment to bypass authentication to access to the management screen and execute an arbitrary command via unspecified vectors. BN-SDWBP3, con firmware 1.0.9 y anteriores, permite a un atacante en el mismo segmento de red omitir la autenticación para acceder a la pantalla de gestión y ejecutar un comando arbitrario mediante vectores sin especificar. • https://jvn.jp/en/jp/JVN65082538/index.html https://p3.support.panasonic.com/faq/show/5017?&site_domain=p3 • CWE-287: Improper Authentication •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-0678
https://notcve.org/view.php?id=CVE-2018-0678
Buffer overflow in BN-SDWBP3 firmware version 1.0.9 and earlier allows an attacker on the same network segment to execute arbitrary code via unspecified vectors. Un desbordamiento de búfer en BN-SDWBP3, con firmware 1.0.9 y anteriores, permite a un atacante con permisos de administrador en el mismo segmento de red ejecutar código arbitrario mediante vectores sin especificar. • https://jvn.jp/en/jp/JVN65082538/index.html https://p3.support.panasonic.com/faq/show/5017?&site_domain=p3 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0CVE-2018-16183
https://notcve.org/view.php?id=CVE-2018-16183
An unquoted search path vulnerability in some pre-installed applications on Panasonic PC run on Windows 7 (32bit), Windows 7 (64bit), Windows 8 (64bit), Windows 8.1 (64bit), Windows 10 (64bit) delivered in or later than October 2009 allow local users to gain privileges via a Trojan horse executable file and execute arbitrary code with eleveted privileges. Una vulnerabilidad de ruta de búsqueda sin entrecomillar en algunas aplicaciones preinstaladas en Panasonic PC, ejecutando Windows 7 (32bit), Windows 7 (64bit), Windows 8 (64bit), Windows 8.1 (64bit) y Windows 10 (64bit), publicadas después de octubre de 2009, permite que los usuarios locales obtengan privilegios mediante un archivo ejecutable troyano y ejecuten código arbitrario con privilegios elevados. • https://jvn.jp/en/jp/JVN36895151/index.html https://pc-dl.panasonic.co.jp/dl/docs/077770 • CWE-428: Unquoted Search Path or Element •
CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 0CVE-2018-0677
https://notcve.org/view.php?id=CVE-2018-0677
BN-SDWBP3 firmware version 1.0.9 and earlier allows attacker with administrator rights on the same network segment to execute arbitrary OS commands via unspecified vectors. BN-SDWBP3, con firmware 1.0.9 y anteriores, permite a un atacante con permisos de administrador en el mismo segmento de red ejecutar comandos arbitrarios del sistema operativo mediante vectores sin especificar. • https://jvn.jp/en/jp/JVN65082538/index.html https://p3.support.panasonic.com/faq/show/5017?&site_domain=p3 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •