CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-6544
https://notcve.org/view.php?id=CVE-2019-6544
09 May 2019 — GE Communicator, all versions prior to 4.0.517, has a service running with system privileges that may allow an unprivileged user to perform certain administrative actions, which may allow the execution of scheduled scripts with system administrator privileges. This service is inaccessible to attackers if Windows default firewall settings are used by the end user. GE Communicator, todas las versiones anteriores a 4.0.517, permite que un atacante ponga archivos maliciosos en el directorio de trabajo del progr... • https://ics-cert.us-cert.gov/advisories/ICSA-19-122-02 • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-6548
https://notcve.org/view.php?id=CVE-2019-6548
09 May 2019 — GE Communicator, all versions prior to 4.0.517, contains two backdoor accounts with hardcoded credentials, which may allow control over the database. This service is inaccessible to attackers if Windows default firewall settings are used by the end user. GE Communicator, todas las versiones anteriores a 4.0.517, contiene dos cuentas backdoor con credenciales cifradas, que pueden permitir control de la base de datos. Este servicio es inaccesible para atacantes si el usuario final usa la configuración por def... • https://ics-cert.us-cert.gov/advisories/ICSA-19-122-02 • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-6546
https://notcve.org/view.php?id=CVE-2019-6546
09 May 2019 — GE Communicator, all versions prior to 4.0.517, allows an attacker to place malicious files within the working directory of the program, which may allow an attacker to manipulate widgets and UI elements. En DoBox_CstmBox_Info.model.htm en los dispositivos Kyocera TASKalfa versión 4002i y versión 6002i, permite a los atacantes remotos leer los documentos de usuarios arbitrarios por medio de una petición HTTP modificada. • https://ics-cert.us-cert.gov/advisories/ICSA-19-122-02 • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-6564
https://notcve.org/view.php?id=CVE-2019-6564
09 May 2019 — GE Communicator, all versions prior to 4.0.517, allows a non-administrative user to place malicious files within the installer file directory, which may allow an attacker to gain administrative privileges on a system during installation or upgrade. En GE Communicator, todas las versiones anteriores a 4.0.517, permite que un usuario no administrativo ponga archivos maliciosos en el directorio del archivo del instalador, que puede permitir a un atacante conseguir privilegios administrativos en un sistema dura... • https://ics-cert.us-cert.gov/advisories/ICSA-19-122-02 • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2018-19003
https://notcve.org/view.php?id=CVE-2018-19003
14 Dec 2018 — GE Mark VIe, EX2100e, EX2100e_Reg, and LS2100e Versions 03.03.28C to 05.02.04C, EX2100e All versions prior to v04.09.00C, EX2100e_Reg All versions prior to v04.09.00C, and LS2100e All versions prior to v04.09.00C The affected versions of the application have a path traversal vulnerability that fails to restrict the ability of an attacker to gain access to restricted information. GE Mark VIe, EX2100e, EX2100e_Reg, y LS2100e desde la versión 03.03.28C hasta la 05.02.04C, EX2100e en todas las versiones anterio... • http://www.securityfocus.com/bid/106216 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 0CVE-2018-15362
https://notcve.org/view.php?id=CVE-2018-15362
07 Dec 2018 — XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0 XEE (XML External Entity) en GE Proficy Cimplicity GDS en versiones 9.0 R2, 9.5 y 10.0. • http://www.securityfocus.com/bid/106133 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17925
https://notcve.org/view.php?id=CVE-2018-17925
10 Oct 2018 — Multiple instances of this vulnerability (Unsafe ActiveX Control Marked Safe For Scripting) have been identified in the third-party ActiveX object provided to GE iFIX versions 2.0 - 5.8 by Gigasoft. Only the independent use of the Gigasoft charting package outside the iFIX product may expose users to the reported vulnerability. The reported method shown to impact Internet Explorer is not exposed in the iFIX product, nor is the core functionality of the iFIX product known to be impacted. Múltiples instancias... • http://www.securityfocus.com/bid/105540 • CWE-623: Unsafe ActiveX Control Marked Safe For Scripting •
CVSS: 7.6EPSS: 0%CPEs: 2EXPL: 0CVE-2017-7908
https://notcve.org/view.php?id=CVE-2017-7908
02 Oct 2018 — A heap-based buffer overflow exists in the third-party product Gigasoft, v5 and prior, included in GE Communicator 3.15 and prior. A malicious HTML file that loads the ActiveX controls can trigger the vulnerability via unchecked function calls. Existe un desbordamiento de búfer basado en memoria dinámica (heap) en el producto de terceros Gigasoft, en versiones v5 y anteriores, que está incluido en GE Communicator en versiones 3.15 y anteriores. Un archivo HTML malicioso que carga los controles ActiveX puede... • http://www.securityfocus.com/bid/99580 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-10613 – GE MDS PulseNET IntegrationXMLProcessorServlet UpdateProblemTickets XML External Entity Processing Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2018-10613
04 Jun 2018 — Multiple variants of XML External Entity (XXE) attacks may be used to exfiltrate data from the host Windows platform in GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior. Podrían emplearse múltiples variantes de ataques XEE (XML External Entity) para exfiltrar datos de la plataforma host de Windows en GE MDS PulseNET y MDS PulseNET Enterprise en versiones 3.2.1 y anteriores. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of GE MDS P... • http://www.gegridsolutions.com/app/DownloadFile.aspx?prod=pulsenet&type=9&file=1 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 4%CPEs: 2EXPL: 0CVE-2018-10611 – GE MDS PulseNET Account Java RMI Incorrect Privilege Assignment Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-10611
04 Jun 2018 — Java remote method invocation (RMI) input port in GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior may be exploited to allow unauthenticated users to launch applications and support remote code execution through web services. El puerto de entradas Java RMI (Remote Method Invocation) en GE MDS PulseNET y MDS PulseNET Enterprise, en versiones 3.2.1 y anteriores, podría explotarse para permitir que usuarios no autenticados lancen aplicaciones y soporten la ejecución remota de código mediante... • http://www.gegridsolutions.com/app/DownloadFile.aspx?prod=pulsenet&type=9&file=1 • CWE-287: Improper Authentication •