CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 1CVE-2023-36622
https://notcve.org/view.php?id=CVE-2023-36622
05 Jul 2023 — The websocket configuration endpoint of the Loxone Miniserver Go Gen.2 before 14.1.5.9 allows remote authenticated administrators to inject arbitrary OS commands via the timezone parameter. • https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-012.txt • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2023-36623
https://notcve.org/view.php?id=CVE-2023-36623
05 Jul 2023 — The root password of the Loxone Miniserver Go Gen.2 before 14.2 is calculated using hard-coded secrets and the MAC address. This allows a local user to calculate the root password and escalate privileges. • https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-013.txt • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2023-36624
https://notcve.org/view.php?id=CVE-2023-36624
05 Jul 2023 — Loxone Miniserver Go Gen.2 through 14.0.3.28 allows an authenticated operating system user to escalate privileges via the Sudo configuration. This allows the elevated execution of binaries without a password requirement. • https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-004.txt • CWE-862: Missing Authorization •