CVE-2023-39226 – Delta Electronics InfraSuite Device Master Exposed Dangerous Method Or Function
https://notcve.org/view.php?id=CVE-2023-39226
In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to execute arbitrary code through a single UDP packet. En Delta Electronics InfraSuite Device Master v.1.0.7, existe una vulnerabilidad que permite a un atacante no autenticado ejecutar código arbitrario a través de un único paquete UDP. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics InfraSuite Device Master. Authentication is not required to exploit this vulnerability. The specific flaw exists within the RunScript method. The issue results from an exposed dangerous method. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-331-01 • CWE-749: Exposed Dangerous Method or Function •
CVE-2023-46690 – Delta Electronics InfraSuite Device Master Path Traversal
https://notcve.org/view.php?id=CVE-2023-46690
In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an attacker to write to any file to any location of the filesystem, which could lead to remote code execution. En Delta Electronics InfraSuite Device Master v.1.0.7, existe una vulnerabilidad que permite a un atacante escribir en cualquier archivo en cualquier ubicación del sistema de archivos, lo que podría provocar la ejecución remota de código. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics InfraSuite Device Master. Authentication is required to exploit this vulnerability. The specific flaw exists within the UploadMedia function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-331-01 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-35: Path Traversal: '.../ •
CVE-2023-47207 – Delta Electronics InfraSuite Device Master Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2023-47207
In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to execute code with local administrator privileges. En Delta Electronics InfraSuite Device Master v.1.0.7, existe una vulnerabilidad que permite a un atacante no autenticado ejecutar código con privilegios de administrador local. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics InfraSuite Device Master. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Device-DataCollect service, which listens on TCP port 3000 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-331-01 • CWE-502: Deserialization of Untrusted Data •
CVE-2023-47279 – Delta Electronics InfraSuite Device Master Path Traversal
https://notcve.org/view.php?id=CVE-2023-47279
In Delta Electronics InfraSuite Device Master v.1.0.7, A vulnerability exists that allows an unauthenticated attacker to disclose user information through a single UDP packet, obtain plaintext credentials, or perform NTLM relaying. En Delta Electronics InfraSuite Device Master v.1.0.7, existe una vulnerabilidad que permite a un atacante no autenticado revelar información del usuario a través de un único paquete UDP, obtener credenciales de texto plano o realizar retransmisión NTLM. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Delta Electronics InfraSuite Device Master. Authentication is not required to exploit this vulnerability. The specific flaw exists within the PlayWaveFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-331-01 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-35: Path Traversal: '.../ •
CVE-2023-34316 – Delta Electronics InfraSuite Device Master Improper Access Control
https://notcve.org/view.php?id=CVE-2023-34316
An attacker could bypass the latest Delta Electronics InfraSuite Device Master (versions prior to 1.0.7) patch, which could allow an attacker to retrieve file contents. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Delta Electronics InfraSuite Device Master. Authentication is required to exploit this vulnerability. The specific flaw exists within the gateway endpoint, which listens on TCP ports 80 and 443 by default. The issue results from improper access control. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-01 • CWE-284: Improper Access Control •