CVSS: 5.3EPSS: 0%CPEs: 20EXPL: 0CVE-2023-3379 – WAGO: Improper Privilege Management in web-based management
https://notcve.org/view.php?id=CVE-2023-3379
20 Nov 2023 — Wago web-based management of multiple products has a vulnerability which allows an local authenticated attacker to change the passwords of other non-admin users and thus to escalate non-root privileges. La administración de múltiples productos basada en web de Wago tiene una vulnerabilidad que permite a un atacante autenticado local cambiar las contraseñas de otros usuarios que no sean administradores y así escalar privilegios no root. • https://cert.vde.com/en/advisories/VDE-2023-015 • CWE-269: Improper Privilege Management CWE-863: Incorrect Authorization •
CVSS: 3.3EPSS: 0%CPEs: 14EXPL: 0CVE-2023-4089 – WAGO: Multiple products vulnerable to local file inclusion
https://notcve.org/view.php?id=CVE-2023-4089
17 Oct 2023 — On affected Wago products an remote attacker with administrative privileges can access files to which he has already access to through an undocumented local file inclusion. This access is logged in a different log file than expected. En los productos Wago afectados, un atacante remoto con privilegios administrativos puede acceder a archivos a los que ya tiene acceso a través de una inclusión de archivo local no documentada. Este acceso se registra en un archivo de registro diferente al esperado. • https://cert.vde.com/en/advisories/VDE-2023-046 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVSS: 10.0EPSS: 1%CPEs: 28EXPL: 0CVE-2022-45140 – WAGO: Missing Authentication for Critical Function
https://notcve.org/view.php?id=CVE-2022-45140
27 Feb 2023 — The configuration backend allows an unauthenticated user to write arbitrary data with root privileges to the storage, which could lead to unauthenticated remote code execution and full system compromise. • https://cert.vde.com/en/advisories/VDE-2022-060 • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 0%CPEs: 28EXPL: 0CVE-2022-45139 – WAGO: Origin validation error through CORS misconfiguration
https://notcve.org/view.php?id=CVE-2022-45139
27 Feb 2023 — A CORS Misconfiguration in the web-based management allows a malicious third party webserver to misuse all basic information pages on the webserver. In combination with CVE-2022-45138 this could lead to disclosure of device information like CPU diagnostics. As there is just a limited amount of information readable the impact only affects a small subset of confidentiality. • https://cert.vde.com/en/advisories/VDE-2022-060 • CWE-346: Origin Validation Error •
CVSS: 10.0EPSS: 0%CPEs: 28EXPL: 0CVE-2022-45138 – WAGO: Missing Authentication for Critical Function
https://notcve.org/view.php?id=CVE-2022-45138
27 Feb 2023 — The configuration backend of the web-based management can be used by unauthenticated users, although only authenticated users should be able to use the API. The vulnerability allows an unauthenticated attacker to read and set several device parameters that can lead to full compromise of the device. • https://cert.vde.com/en/advisories/VDE-2022-060 • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.4EPSS: 0%CPEs: 28EXPL: 0CVE-2022-45137 – WAGO: Reflective Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-45137
27 Feb 2023 — The configuration backend of the web-based management is vulnerable to reflected XSS (Cross-Site Scripting) attacks that targets the users browser. This leads to a limited impact of confidentiality and integrity but no impact of availability. • https://cert.vde.com/en/advisories/VDE-2022-060 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •