A Directory Traversal Vulnerability enables arbitrary file access in ENERGY AXC PU Web service.
An authenticated restricted user of the web frontend can access, read, write and create files throughout the file system using specially crafted URLs via the upload and download functionality of the web service.
VARTA energy storage systems have a web user interface via which users and installers can access live data measurements and configure the system to their needs. It has been discovered that the corresponding credentials are hard-coded within the frontend and thus potentially exploitable.
Multiple vulnerabilities have been discovered in CODESYS Control V3 runtime system.
For details regarding the single vulnerabilities please refer to the security advisories issued by CODESYS:
Two Vulnerabilities have been discovered in TC ROUTER 4000 series and CLOUD CLIENT 2000 series up to firmware version 4.5.7x.107.
The web administration interface is vulnerable for authenticated admin users to path traversals, which could lead to arbitrary file uploads or deletion. Unvalidated user input also enables execution of OS commands.
The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates.
The configuration backend can in some cases be used without authentication and to write data with root privileges. Additionally, the web-based management suffers a CORS misconfiguration and allows reflected XSS (Cross-Site Scripting) attacks.
An unknown and undocumented configuration interface with limited functionality was identified on the affected devices.
A new LTS Firmware release fixes known vulnerabilities in used open-source libraries.
In addition, the following improvements have been implemented:
HMI
- Hardening against DoS attacks.
- Hardening against memory leak problems in case of network attacks.
WBM
- Umlauts in the password of the “User Manager” were not handled correctly. The password rule for upper and lower case was not followed. This could lead to unintentionally weaker passwords.
- Hardening of WBM against Cross-Site-Scripting.
User Manager
- In security notifications “SecurityToken” was always displayed as “0000000” when creating or modifying users.
- Hardening of Trust and Identity Stores.
Unquoted Windows search path vulnerability in the below mentioned Software for Windows might allow local users to gain privileges via a malicious .exe file.