Advisories

KLCERT-18-025: General Electric Proficy GDS XML eXternal Entity (XXE)

07 December 2018

An XXE injection vulnerability leads to path traversal inside the Proficy server. An attacker may be able to initiate an OPC UA session and retrieve an arbitrary file from the targeted system.
KLCERT-18-024: Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Remote Code Execution

18 October 2018

Remote Code Execution in Moxa ThingsPro IIoT Gateway and Device Management Software. A remote attacker can execute arbitrary code using command string injection.
KLCERT-18-023: Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Hidden Token Access

18 October 2018

Hidden Token Access in Moxa ThingsPro IIoT Gateway and Device Management Software. A remote attacker could gain root privileges and execute arbitrary code using a hidden API token.
KLCERT-18-022: Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Sensitive Information Stored in Clear Text

18 October 2018

Sensitive Information Stored in Clear Text in Moxa ThingsPro IIoT Gateway and Device Management Software. A remote attacker is able to recover access tokens.
KLCERT-18-021: Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Password Management Issue

18 October 2018

Password Management Issue in Moxa ThingsPro IIoT Gateway and Device Management Software. A remote attacker is able to change the user’s password.
KLCERT-18-020: Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Broken Access Control

18 October 2018

Broken access control in Moxa ThingsPro IIoT Gateway and Device Management Software. A remote attacker can escalate privileges using broken access control.
KLCERT-18-019: Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: User Privilege Escalation

18 October 2018

User Privilege Escalation in Moxa ThingsPro IIoT Gateway and Device Management Software. Exploitation of this vulnerability allows a remote attacker to gain higher privileges.
KLCERT-18-018: Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: User Enumeration

18 October 2018

User Enumeration in Moxa ThingsPro IIoT Gateway and Device Management Software. A remote attacker can enumerate valid users of the web application and then brute-force the corresponding passwords.
KLCERT-18-017: DeltaV Remote Code Execution

02 October 2018

Remote code execution in Emerson AMS Device Manager. A specially crafted script may be run that allows arbitrary remote code execution.
KLCERT-18-016: Eltex ESR-200 Router Default Password Usage

17 August 2018

An attacker without authentication can log in with default credentials for privileged users.