CVSS: 5.4EPSS: 0%CPEs: 5EXPL: 0CVE-2018-25090 – Wago: Improper Neutralization of Input During Web Page Generation in multiple devices
https://notcve.org/view.php?id=CVE-2018-25090
An unauthenticated remote attacker can use an XSS attack due to improper neutralization of input during web page generation. User interaction is required. This leads to a limited impact of confidentiality and integrity but no impact of availability. Un atacante remoto no autenticado puede utilizar un ataque XSS debido a una neutralización inadecuada de la entrada durante la generación de la página web. Se requiere la interacción del usuario. • https://cert.vde.com/en/advisories/VDE-2023-039 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2015-10123 – Wago: Buffer Copy without Checking Size of Input in wbm of multiple products
https://notcve.org/view.php?id=CVE-2015-10123
An unautheticated remote attacker could send specifically crafted packets to a affected device. If an authenticated user then views that data in a specific page of the web-based management a buffer overflow will be triggered to gain full access of the device. Un atacante remoto no autenticado podría enviar paquetes específicamente manipulados a un dispositivo afectado. Si un usuario autenticado ve esos datos en una página específica de la administración basada en web, se activará un desbordamiento del búfer para obtener acceso completo al dispositivo. • https://cert.vde.com/en/advisories/VDE-2023-039 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-5188 – WAGO Improper Input Validation in IEC61850 Server / Telecontrol
https://notcve.org/view.php?id=CVE-2023-5188
The MMS Interpreter of WagoAppRTU in versions below 1.4.6.0 which is used by the WAGO Telecontrol Configurator is vulnerable to malformed packets. An remote unauthenticated attacker could send specifically crafted packets that lead to a denial-of-service condition until restart of the affected device. MMS Interpreter de WagoAppRTU en versiones inferiores a 1.4.6.0 que utiliza WAGO Telecontrol Configurator es vulnerable a paquetes con formato incorrecto. Un atacante remoto no autenticado podría enviar paquetes específicamente manipulados que conduzcan a una condición de denegación de servicio hasta que se reinicie el dispositivo afectado. • https://cert.vde.com/en/advisories/VDE-2023-044 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-4149 – WAGO: OS Command Injection Vulnerability in Managed Switch
https://notcve.org/view.php?id=CVE-2023-4149
A vulnerability in the web-based management allows an unauthenticated remote attacker to inject arbitrary system commands and gain full system control. Those commands are executed with root privileges. The vulnerability is located in the user request handling of the web-based management. Una vulnerabilidad en la administración basada en web permite a un atacante remoto no autenticado inyectar comandos arbitrarios del sistema y obtener control total del sistema. Esos comandos se ejecutan con privilegios de root. • https://cert.vde.com/en/advisories/VDE-2023-037 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.3EPSS: 0%CPEs: 20EXPL: 0CVE-2023-3379 – WAGO: Improper Privilege Management in web-based management
https://notcve.org/view.php?id=CVE-2023-3379
Wago web-based management of multiple products has a vulnerability which allows an local authenticated attacker to change the passwords of other non-admin users and thus to escalate non-root privileges. La administración de múltiples productos basada en web de Wago tiene una vulnerabilidad que permite a un atacante autenticado local cambiar las contraseñas de otros usuarios que no sean administradores y así escalar privilegios no root. • https://cert.vde.com/en/advisories/VDE-2023-015 • CWE-269: Improper Privilege Management •