CVE-2018-19615
https://notcve.org/view.php?id=CVE-2018-19615
Rockwell Automation Allen-Bradley PowerMonitor 1000, all versions. A remote attacker could inject arbitrary code into a targeted user's web browser to gain access to the affected device.
References:
• http://packetstormsecurity.com/files/150600/Rockwell-Automation-Allen-Bradley-PowerMonitor-1000-XSS.html
• http://www.securityfocus.com/bid/106333
• http://www.securityfocus.com/bid/108538
• https://ics-cert.us-cert.gov/advisories/ICSA-19-050-04
• https://www.exploit-db.com/exploits/45928
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-19616 – Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control Authentication Bypass
https://notcve.org/view.php?id=CVE-2018-19616
An issue was discovered in Rockwell Automation Allen-Bradley PowerMonitor 1000. An unauthenticated user can add, edit, or remove administrators because access control is implemented on the client side via a disabled attribute on a BUTTON element. Rockwell Automation Allen-Bradley PowerMonitor 1000 suffers from an incorrect access control that can allow for authentication bypass.
References:
• https://www.exploit-db.com/exploits/45937
• http://packetstormsecurity.com/files/150619/Rockwell-Automation-Allen-Bradley-PowerMonitor-1000-Authentication-Bypass.html
• http://www.securityfocus.com/bid/106333
• http://www.securityfocus.com/bid/108538
• https://ics-cert.us-cert.gov/advisories/ICSA-19-050-04
CWE-287: Improper Authentication