A heap-based buffer overflow caused by libcurl and wrong whitespace character interpretation in Javascript, both used in CodeMeter Runtime affecting multiple products by WAGO. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations.



An attacker with privileges can enumerate projects and usernames through an iterative process, by making a request to a specific endpoint.



The Library WagoAppRTU which is part of the Wago Telecontrol Configurator is prone to improper input validation. By sending specifically crafted MMS packets an attacker can trigger a denial-of-service condition.



Affected products are vulnerable to remote code execution via command injection in the web-based management by an attacker.



There is a misconfiguration of access rights to a configuration tool of the web-based-management for a specific user, which allows to reset passwords of other users (except root). This allows an authenticated attacker to elevate his privileges.



An attacker with administrative privileges which can access sensitive files can additionally access them in an unintended, undocumented way.



UPDATE A 26.09.2023:
Changed affected Version of e!Cockpit from < 1.11.2.0 to <= 1.11.2.0

Vulnerabilities are reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles are affected with vulnerable versions of WIBU-SYSTEMS Codemeter.

UPDATE B 20.11.2023:
Removed CVE-2023-4701 because it was revoked.



Feeds

By Vendor

Archive

2024
2023
2022
2021
2020
2019
2018
2017

Legend

(Scoring for CVSS 2.0,3.0+3.1)
None
No CVE available
Low
0.1 <= 3.9
Medium
4.0 <= 6.9
High
7.0 <= 8.9
Critical
9.0 <= 10.0