
CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Sep 2020 — GE Digital APM Classic, Versions 4.4 and prior. Salt is not used for hash calculation of passwords, making it possible to decrypt passwords. This design flaw, along with the IDOR vulnerability, puts the entire platform at high risk because an authenticated user can retrieve all user account data and then retrieve the actual passwords. • https://us-cert.cisa.gov/ics/advisories/icsa-20-266-01 • CWE-759: Use of a One-Way Hash without a Salt

CVSS: 9.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

02 Jun 2020 — GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device’s vulnerability in the web application could allow multiple unauthenticated attacks that could cause serious impact. The vulnerability may allow an unauthenticated attacker to execute arbitrary commands and send a request to a specific URL that could cause the device to become unresponsive. The unauthenticated attacker may change the password of the 'configuration' user account, allowing the attacke... • https://www.us-cert.gov/ics/advisories/icsa-20-154-05 • CWE-306: Missing Authentication for Critical Function

CVSS: 6.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Apr 2020 — A local privilege escalation vulnerability has been identified in the GE Digital CIMPLICITY HMI/SCADA product v10.0 and prior. If exploited, this vulnerability could allow an adversary to modify the system, leading to the arbitrary execution of code. This vulnerability is only exploitable if an attacker has access to an authenticated session. GE Digital CIMPLICITY v11.0, released January 2020, contains mitigation for this local privilege escalation vulnerability. GE Digital recommends all users upgrade to G... • https://www.us-cert.gov/ics/advisories/icsa-20-098-02 • CWE-269: Improper Privilege Management

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

07 Apr 2020 — GE Mark VIe Controller is shipped with pre-configured hard-coded credentials that may allow root-user access to the controller. A limited application of the affected product may ship without setup and configuration instructions immediately available to the end user. The bulk of controllers go into applications requiring the GE commissioning engineer to change default configurations during the installation process. GE recommends that users reset controller passwords during installation in the operating envir... • https://www.us-cert.gov/ics/advisories/icsa-19-281-02 • CWE-798: Use of Hard-coded Credentials

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

07 Apr 2020 — GE Mark VIe Controller has an unsecured Telnet protocol that may allow a user to create an authenticated session using generic default credentials. GE recommends that users disable the Telnet service. • https://www.us-cert.gov/ics/advisories/icsa-19-281-02 • CWE-285: Improper Authorization

CVSS: 7.2 • EPSS: 0% • CPEs: 32 • EXPL: 0

20 Feb 2020 — A restricted desktop environment escape vulnerability exists in the Kiosk Mode functionality of affected devices. Specially crafted inputs can allow the user to escape the restricted environment, resulting in access to the underlying operating system. Affected devices include the following GE Ultrasound Products: Vivid products - all versions; LOGIQ - all versions not including LOGIQ 100 Pro; Voluson - all versions; Versana Essential - all versions; Invenia ABUS Scan station - all versions; Venue - all vers... • https://www.us-cert.gov/ics/advisories/icsma-20-049-02 • CWE-20: Improper Input Validation • CWE-693: Protection Mechanism Failure

CVSS: 7.5 • EPSS: 1% • CPEs: 4 • EXPL: 1

23 Jan 2020 — General Electric D20ME devices are not properly configured and reveal plaintext passwords. • https://packetstorm.news/files/id/180602 • CWE-522: Insufficiently Protected Credentials

CVSS: 5.4 • EPSS: 1% • CPEs: 4 • EXPL: 0

18 Dec 2019 — An issue was found in GE S2020/S2020G Fast Switch 61850, S2020/S2020G Fast Switch 61850 Versions 07A03 and prior. An attacker can inject arbitrary JavaScript in a specially crafted HTTP request that may be reflected back in the HTTP response. The device is also vulnerable to a stored cross-site scripting vulnerability that may allow session hijacking, disclosure of sensitive data, cross-site request forgery (CSRF) attacks, and remote code execution. • https://www.us-cert.gov/ics/advisories/icsa-19-351-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 • EPSS: 0% • CPEs: 8 • EXPL: 0

10 Jul 2019 — In GE Aestiva and Aespire versions 7100 and 7900, a vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms. • http://www.securityfocus.com/bid/109102 • CWE-287: Improper Authentication

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 May 2019 — GE Communicator, all versions prior to 4.0.517, allows a non-administrative user to replace the uninstaller with a malicious version, which could allow an attacker to gain administrator privileges to the system. • https://ics-cert.us-cert.gov/advisories/ICSA-19-122-02 • CWE-284: Improper Access Control