Vulnerabilites related to iconics - mobilehmi
Vulnerability from fkie_nvd
Published
2022-01-21 19:15
Modified
2024-11-21 06:48
Severity ?
Summary
Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp | https://jvn.jp/vu/JVNVU95403720/index.html | Mitigation, Third Party Advisory, VDB Entry | |
| Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp | https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01 | Mitigation, Third Party Advisory, US Government Resource, VDB Entry | |
| Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp | https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/vu/JVNVU95403720/index.html | Mitigation, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01 | Mitigation, Third Party Advisory, US Government Resource, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf | Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| iconics | mobilehmi | * | |
| mitsubishielectric | mc_works64 | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:iconics:mobilehmi:*:*:*:*:*:*:*:*", matchCriteriaId: "AE5EB5D9-0582-4C46-8D3C-34B8AE1E24BB", versionEndIncluding: "10.96.2", vulnerable: true, }, { criteria: "cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*", matchCriteriaId: "D31E1BFD-8194-4BA1-998B-BC4005454C15", versionEndExcluding: "10.95.210.01", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL.", }, { lang: "es", value: "Una vulnerabilidad de tipo Cross-site Scripting en Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores, y en ICONICS MobileHMI versiones 10.96.2 y anteriores, permite a un atacante remoto no autenticado conseguir información de autenticación de un MC Works64 o MobileHMI y llevar a cabo cualquier operación usando la información de autenticación adquirida, inyectando un script malicioso en la URL de una pantalla de monitorización entregada desde el servidor MC Works64 o el servidor MobileHMI a una aplicación para dispositivos móviles y llevando a un usuario legítimo a acceder a esta URL", }, ], id: "CVE-2022-23127", lastModified: "2024-11-21T06:48:03.273", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-01-21T19:15:09.913", references: [ { source: "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", tags: [ "Mitigation", "Third Party Advisory", "VDB Entry", ], url: "https://jvn.jp/vu/JVNVU95403720/index.html", }, { source: "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", tags: [ "Mitigation", "Third Party Advisory", "US Government Resource", "VDB Entry", ], url: "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", }, { source: "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Third Party Advisory", "VDB Entry", ], url: "https://jvn.jp/vu/JVNVU95403720/index.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Third Party Advisory", "US Government Resource", "VDB Entry", ], url: "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf", }, ], sourceIdentifier: "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-07-16 22:15
Modified
2024-11-21 04:59
Severity ?
Summary
A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02%2C | ||
| ics-cert@hq.dhs.gov | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02%2C | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mitsubishielectric | mc_works | * | |
| mitsubishielectric | mc_works32 | 9.50.255.02 | |
| iconics | energy_analytix | - | |
| iconics | facility_analytix | - | |
| iconics | genesis64 | - | |
| iconics | hyper_historian | - | |
| iconics | mobilehmi | - | |
| iconics | quality_analytix | - | |
| iconics | smart_energy_analytix | - | |
| iconics | bizviz | - | |
| iconics | genesis32 | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mitsubishielectric:mc_works:*:*:*:*:*:*:*:*", matchCriteriaId: "C9B1F646-0D54-4B3A-B39A-A45E1A0615EB", versionEndIncluding: "10.95.208.31", vulnerable: true, }, { criteria: "cpe:2.3:a:mitsubishielectric:mc_works32:9.50.255.02:*:*:*:*:*:*:*", matchCriteriaId: "A68D91E4-0C65-45F0-965E-A6AAE0E2F09F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:iconics:energy_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "DD143148-B191-4D8E-9C28-09D4AC5D192C", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:facility_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "BE3C5226-94D4-4826-9B76-72626081DF46", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:genesis64:-:*:*:*:*:*:*:*", matchCriteriaId: "17E644D8-AB8E-4E3C-AE4B-64D3BBCC30BF", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:hyper_historian:-:*:*:*:*:*:*:*", matchCriteriaId: "78FF2A71-4918-491E-A5D8-DEB9E17FA6E4", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:mobilehmi:-:*:*:*:*:*:*:*", matchCriteriaId: "16745C56-A59A-4C38-92E1-FC5C63220989", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:quality_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "717A4B7B-2A42-4A9C-961F-1EA5E62FB188", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:smart_energy_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "5082C435-FCCD-4CF6-891E-73F846A6FB40", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:iconics:bizviz:-:*:*:*:*:*:*:*", matchCriteriaId: "CF628CB2-BCA9-4E69-A9CB-846577F98DA1", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:genesis32:-:*:*:*:*:*:*:*", matchCriteriaId: "771DB32A-CD85-4638-B90E-25D9B4951DE5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior.", }, { lang: "es", value: "Un paquete de comunicación especialmente diseñado enviado a los dispositivos afectados podría permitir una ejecución de código remota y una condición de denegación de servicio debido a una vulnerabilidad de deserialización. Este problema afecta: Mitsubishi Electric MC Works64 versión 4.02C (10.95.208.31) y anteriores, todas las versiones; Mitsubishi Electric MC Works32 versión 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server versión 10.96 y anteriores; ICONICS GenBroker32 versión 9.5 y anteriores", }, ], id: "CVE-2020-12007", lastModified: "2024-11-21T04:59:06.190", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-07-16T22:15:11.337", references: [ { source: "ics-cert@hq.dhs.gov", url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02%2C", }, { source: "ics-cert@hq.dhs.gov", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02%2C", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, ], sourceIdentifier: "ics-cert@hq.dhs.gov", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "ics-cert@hq.dhs.gov", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-502", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-07-16 20:15
Modified
2024-11-21 04:59
Severity ?
Summary
A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02 | Third Party Advisory, US Government Resource | |
| ics-cert@hq.dhs.gov | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mitsubishielectric | mc_works | * | |
| mitsubishielectric | mc_works32 | 9.50.255.02 | |
| iconics | energy_analytix | - | |
| iconics | facility_analytix | - | |
| iconics | genesis64 | - | |
| iconics | hyper_historian | - | |
| iconics | mobilehmi | - | |
| iconics | quality_analytix | - | |
| iconics | smart_energy_analytix | - | |
| iconics | bizviz | - | |
| iconics | genesis32 | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mitsubishielectric:mc_works:*:*:*:*:*:*:*:*", matchCriteriaId: "C9B1F646-0D54-4B3A-B39A-A45E1A0615EB", versionEndIncluding: "10.95.208.31", vulnerable: true, }, { criteria: "cpe:2.3:a:mitsubishielectric:mc_works32:9.50.255.02:*:*:*:*:*:*:*", matchCriteriaId: "A68D91E4-0C65-45F0-965E-A6AAE0E2F09F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:iconics:energy_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "DD143148-B191-4D8E-9C28-09D4AC5D192C", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:facility_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "BE3C5226-94D4-4826-9B76-72626081DF46", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:genesis64:-:*:*:*:*:*:*:*", matchCriteriaId: "17E644D8-AB8E-4E3C-AE4B-64D3BBCC30BF", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:hyper_historian:-:*:*:*:*:*:*:*", matchCriteriaId: "78FF2A71-4918-491E-A5D8-DEB9E17FA6E4", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:mobilehmi:-:*:*:*:*:*:*:*", matchCriteriaId: "16745C56-A59A-4C38-92E1-FC5C63220989", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:quality_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "717A4B7B-2A42-4A9C-961F-1EA5E62FB188", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:smart_energy_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "5082C435-FCCD-4CF6-891E-73F846A6FB40", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:iconics:bizviz:-:*:*:*:*:*:*:*", matchCriteriaId: "CF628CB2-BCA9-4E69-A9CB-846577F98DA1", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:genesis32:-:*:*:*:*:*:*:*", matchCriteriaId: "771DB32A-CD85-4638-B90E-25D9B4951DE5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior.", }, { lang: "es", value: "Un paquete de comunicación especialmente diseñado enviado al dispositivo afectado podría causar una condición de denegación de servicio debido a una vulnerabilidad de deserialización. Esto afecta: Mitsubishi Electric MC Works64 versión 4.02C (10.95.208.31) y anteriores, todas las versiones; Mitsubishi Electric MC Works32 versión 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server versión v10.96 y anteriores; ICONICS GenBroker32 versión v9.5 y anteriores", }, ], id: "CVE-2020-12009", lastModified: "2024-11-21T04:59:06.433", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-07-16T20:15:11.057", references: [ { source: "ics-cert@hq.dhs.gov", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { source: "ics-cert@hq.dhs.gov", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, ], sourceIdentifier: "ics-cert@hq.dhs.gov", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "ics-cert@hq.dhs.gov", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-502", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-07-16 19:15
Modified
2024-11-21 04:59
Severity ?
Summary
A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; GenBroker32 version 9.5 and prior.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02 | Third Party Advisory, US Government Resource | |
| ics-cert@hq.dhs.gov | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mitsubishielectric | mc_works | * | |
| mitsubishielectric | mc_works32 | 9.50.255.02 | |
| iconics | energy_analytix | - | |
| iconics | facility_analytix | - | |
| iconics | genesis64 | - | |
| iconics | hyper_historian | - | |
| iconics | mobilehmi | - | |
| iconics | quality_analytix | - | |
| iconics | smart_energy_analytix | - | |
| iconics | bizviz | - | |
| iconics | genesis32 | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mitsubishielectric:mc_works:*:*:*:*:*:*:*:*", matchCriteriaId: "C9B1F646-0D54-4B3A-B39A-A45E1A0615EB", versionEndIncluding: "10.95.208.31", vulnerable: true, }, { criteria: "cpe:2.3:a:mitsubishielectric:mc_works32:9.50.255.02:*:*:*:*:*:*:*", matchCriteriaId: "A68D91E4-0C65-45F0-965E-A6AAE0E2F09F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:iconics:energy_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "DD143148-B191-4D8E-9C28-09D4AC5D192C", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:facility_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "BE3C5226-94D4-4826-9B76-72626081DF46", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:genesis64:-:*:*:*:*:*:*:*", matchCriteriaId: "17E644D8-AB8E-4E3C-AE4B-64D3BBCC30BF", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:hyper_historian:-:*:*:*:*:*:*:*", matchCriteriaId: "78FF2A71-4918-491E-A5D8-DEB9E17FA6E4", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:mobilehmi:-:*:*:*:*:*:*:*", matchCriteriaId: "16745C56-A59A-4C38-92E1-FC5C63220989", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:quality_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "717A4B7B-2A42-4A9C-961F-1EA5E62FB188", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:smart_energy_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "5082C435-FCCD-4CF6-891E-73F846A6FB40", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:iconics:bizviz:-:*:*:*:*:*:*:*", matchCriteriaId: "CF628CB2-BCA9-4E69-A9CB-846577F98DA1", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:genesis32:-:*:*:*:*:*:*:*", matchCriteriaId: "771DB32A-CD85-4638-B90E-25D9B4951DE5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; GenBroker32 version 9.5 and prior.", }, { lang: "es", value: "Un paquete de comunicación especialmente diseñado enviado a los sistemas afectados podría causar una condición de denegación de servicio o permitir una ejecución de código remota. Este problema afecta: Mitsubishi Electric MC Works64 versión 4.02C (10.95.208.31) y anteriores, todas las versiones; MC Works32 versión 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server versión 10.96 y anteriores; GenBroker32 versión 9.5 y anteriores", }, ], id: "CVE-2020-12011", lastModified: "2024-11-21T04:59:06.677", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-07-16T19:15:11.830", references: [ { source: "ics-cert@hq.dhs.gov", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { source: "ics-cert@hq.dhs.gov", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, ], sourceIdentifier: "ics-cert@hq.dhs.gov", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-787", }, ], source: "ics-cert@hq.dhs.gov", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-787", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-07-16 22:15
Modified
2024-11-21 04:59
Severity ?
Summary
A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02 | Third Party Advisory, US Government Resource | |
| ics-cert@hq.dhs.gov | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mitsubishielectric | mc_works32 | 9.50.255.02 | |
| mitsubishielectric | mc_works64 | * | |
| iconics | energy_analytix | - | |
| iconics | facility_analytix | - | |
| iconics | genesis64 | - | |
| iconics | hyper_historian | - | |
| iconics | mobilehmi | - | |
| iconics | quality_analytix | - | |
| iconics | smart_energy_analytix | - | |
| iconics | bizviz | - | |
| iconics | genesis32 | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mitsubishielectric:mc_works32:9.50.255.02:*:*:*:*:*:*:*", matchCriteriaId: "A68D91E4-0C65-45F0-965E-A6AAE0E2F09F", vulnerable: true, }, { criteria: "cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*", matchCriteriaId: "9DFE4C50-FB00-4449-8A7F-D524109A1F1D", versionEndIncluding: "10.95.208.31", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:iconics:energy_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "DD143148-B191-4D8E-9C28-09D4AC5D192C", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:facility_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "BE3C5226-94D4-4826-9B76-72626081DF46", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:genesis64:-:*:*:*:*:*:*:*", matchCriteriaId: "17E644D8-AB8E-4E3C-AE4B-64D3BBCC30BF", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:hyper_historian:-:*:*:*:*:*:*:*", matchCriteriaId: "78FF2A71-4918-491E-A5D8-DEB9E17FA6E4", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:mobilehmi:-:*:*:*:*:*:*:*", matchCriteriaId: "16745C56-A59A-4C38-92E1-FC5C63220989", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:quality_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "717A4B7B-2A42-4A9C-961F-1EA5E62FB188", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:smart_energy_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "5082C435-FCCD-4CF6-891E-73F846A6FB40", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:iconics:bizviz:-:*:*:*:*:*:*:*", matchCriteriaId: "CF628CB2-BCA9-4E69-A9CB-846577F98DA1", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:genesis32:-:*:*:*:*:*:*:*", matchCriteriaId: "771DB32A-CD85-4638-B90E-25D9B4951DE5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior.", }, { lang: "es", value: "Un cliente WCF especialmente diseñado que interactúa con el puede permitir la ejecución de determinados comandos SQL arbitrarios remotamente. Esto afecta: Mitsubishi Electric MC Works64 Versión 4.02C (10.95.208.31) y anteriores, todas las versiones; Mitsubishi Electric MC Works32 versión 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server versión v10.96 y anteriores; ICONICS GenBroker32 versión v9.5 y anteriores", }, ], id: "CVE-2020-12013", lastModified: "2024-11-21T04:59:06.937", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 6.4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-07-16T22:15:11.417", references: [ { source: "ics-cert@hq.dhs.gov", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { source: "ics-cert@hq.dhs.gov", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, ], sourceIdentifier: "ics-cert@hq.dhs.gov", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-94", }, ], source: "ics-cert@hq.dhs.gov", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-01-21 19:15
Modified
2024-11-21 06:48
Severity ?
Summary
Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI versions 10.95.3 to 10.97 allows a remote unauthenticated attacker to bypass the authentication of MC Works64, GENESIS64, Hyper Historian, AnalytiX and MobileHMI, and gain unauthorized access to the products, by sending specially crafted WebSocket packets to FrameWorX server, one of the functions of the products.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp | https://jvn.jp/vu/JVNVU95403720/index.html | Mitigation, Third Party Advisory, VDB Entry | |
| Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp | https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01 | Mitigation, Third Party Advisory, US Government Resource, VDB Entry | |
| Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp | https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/vu/JVNVU95403720/index.html | Mitigation, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01 | Mitigation, Third Party Advisory, US Government Resource, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf | Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| iconics | analytix | * | |
| iconics | genesis64 | * | |
| iconics | hyper_historian | * | |
| iconics | mobilehmi | * | |
| mitsubishielectric | mc_works64 | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:iconics:analytix:*:*:*:*:*:*:*:*", matchCriteriaId: "9D4A6919-8FA2-4D81-991F-1960EA3F0DE1", versionEndIncluding: "10.97", versionStartIncluding: "10.95.3", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:genesis64:*:*:*:*:*:*:*:*", matchCriteriaId: "1B337BB0-925C-4B18-B4FD-CF786F47642F", versionEndIncluding: "10.97", versionStartIncluding: "10.95.3", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:hyper_historian:*:*:*:*:*:*:*:*", matchCriteriaId: "170EE68A-2E3C-441B-98E3-7CFD238E80D1", versionEndIncluding: "10.97", versionStartIncluding: "10.95.3", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:mobilehmi:*:*:*:*:*:*:*:*", matchCriteriaId: "7C0D55FF-E640-48D1-8B0D-2FB036E897EB", versionEndIncluding: "10.97", versionStartIncluding: "10.95.3", vulnerable: true, }, { criteria: "cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*", matchCriteriaId: "AD31D401-1AD5-4D75-83B8-648AA794E557", versionEndIncluding: "10.95.210.01", versionStartIncluding: "10.95.201.23", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI versions 10.95.3 to 10.97 allows a remote unauthenticated attacker to bypass the authentication of MC Works64, GENESIS64, Hyper Historian, AnalytiX and MobileHMI, and gain unauthorized access to the products, by sending specially crafted WebSocket packets to FrameWorX server, one of the functions of the products.", }, { lang: "es", value: "Una vulnerabilidad \"Incomplete List of Disallowed Inputs\" en Mitsubishi Electric MC Works64 versiones 4.00A (10.95.201.23) a 4.04E (10.95.210.01), ICONICS GENESIS64 versiones 10.95.3 a 10.97, ICONICS Hyper Historian versiones 10.95.3 a 10.97, ICONICS AnalytiX versiones 10.95.3 a 10.97 e ICONICS MobileHMI versiones 10. 95.3 a 10.97 permite a un atacante remoto no autenticado omitir la autenticación de MC Works64, GENESIS64, Hyper Historian, AnalytiX y MobileHMI, y conseguir acceso no autorizado a los productos, mediante el envío de paquetes WebSocket especialmente diseñados al servidor FrameWorX, una de las funciones de los productos", }, ], id: "CVE-2022-23128", lastModified: "2024-11-21T06:48:03.407", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-01-21T19:15:09.977", references: [ { source: "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", tags: [ "Mitigation", "Third Party Advisory", "VDB Entry", ], url: "https://jvn.jp/vu/JVNVU95403720/index.html", }, { source: "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", tags: [ "Mitigation", "Third Party Advisory", "US Government Resource", "VDB Entry", ], url: "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", }, { source: "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Third Party Advisory", "VDB Entry", ], url: "https://jvn.jp/vu/JVNVU95403720/index.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Third Party Advisory", "US Government Resource", "VDB Entry", ], url: "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf", }, ], sourceIdentifier: "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-07-16 22:15
Modified
2024-11-21 04:59
Severity ?
Summary
A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.us-cert.gov/ics/advisories/icsa-20-170-02 | Third Party Advisory, US Government Resource | |
| ics-cert@hq.dhs.gov | https://www.us-cert.gov/ics/advisories/icsa-20-170-03 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.us-cert.gov/ics/advisories/icsa-20-170-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.us-cert.gov/ics/advisories/icsa-20-170-03 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mitsubishielectric | mc_works | * | |
| mitsubishielectric | mc_works32 | 9.50.255.02 | |
| iconics | energy_analytix | - | |
| iconics | facility_analytix | - | |
| iconics | genesis64 | - | |
| iconics | hyper_historian | - | |
| iconics | mobilehmi | - | |
| iconics | quality_analytix | - | |
| iconics | smart_energy_analytix | - | |
| iconics | bizviz | - | |
| iconics | genesis32 | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mitsubishielectric:mc_works:*:*:*:*:*:*:*:*", matchCriteriaId: "C9B1F646-0D54-4B3A-B39A-A45E1A0615EB", versionEndIncluding: "10.95.208.31", vulnerable: true, }, { criteria: "cpe:2.3:a:mitsubishielectric:mc_works32:9.50.255.02:*:*:*:*:*:*:*", matchCriteriaId: "A68D91E4-0C65-45F0-965E-A6AAE0E2F09F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:iconics:energy_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "DD143148-B191-4D8E-9C28-09D4AC5D192C", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:facility_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "BE3C5226-94D4-4826-9B76-72626081DF46", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:genesis64:-:*:*:*:*:*:*:*", matchCriteriaId: "17E644D8-AB8E-4E3C-AE4B-64D3BBCC30BF", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:hyper_historian:-:*:*:*:*:*:*:*", matchCriteriaId: "78FF2A71-4918-491E-A5D8-DEB9E17FA6E4", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:mobilehmi:-:*:*:*:*:*:*:*", matchCriteriaId: "16745C56-A59A-4C38-92E1-FC5C63220989", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:quality_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "717A4B7B-2A42-4A9C-961F-1EA5E62FB188", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:smart_energy_analytix:-:*:*:*:*:*:*:*", matchCriteriaId: "5082C435-FCCD-4CF6-891E-73F846A6FB40", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:iconics:bizviz:-:*:*:*:*:*:*:*", matchCriteriaId: "CF628CB2-BCA9-4E69-A9CB-846577F98DA1", vulnerable: true, }, { criteria: "cpe:2.3:a:iconics:genesis32:-:*:*:*:*:*:*:*", matchCriteriaId: "771DB32A-CD85-4638-B90E-25D9B4951DE5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior.", }, { lang: "es", value: "Un paquete de comunicación especialmente diseñado enviado a los sistemas afectados podría causar una condición de denegación de servicio debido a una deserialización inapropiada. Este problema afecta: Mitsubishi Electric MC Works64 versión 4.02C (10.95.208.31) y anteriores, todas las versiones; Mitsubishi Electric MC Works32 versión 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server versión v10.96 y anteriores; ICONICS GenBroker32 versión 9.5 y anteriores", }, ], id: "CVE-2020-12015", lastModified: "2024-11-21T04:59:07.153", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-07-16T22:15:11.493", references: [ { source: "ics-cert@hq.dhs.gov", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-02", }, { source: "ics-cert@hq.dhs.gov", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-02", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "US Government Resource", ], url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, ], sourceIdentifier: "ics-cert@hq.dhs.gov", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "ics-cert@hq.dhs.gov", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-502", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
cve-2020-12011
Vulnerability from cvelistv5
Published
2020-07-16 18:53
Modified
2024-08-04 11:48
Severity ?
EPSS score ?
Summary
A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; GenBroker32 version 9.5 and prior.
References
| ▼ | URL | Tags |
|---|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02 | x_refsource_MISC | |
| https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | n/a | Mitsubishi Electric MC Works64 |
Version: Version 4.02C (10.95.208.31) and earlier Version: all versions |
||||||||||||||||
|
|||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T11:48:57.125Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Mitsubishi Electric MC Works64", vendor: "n/a", versions: [ { status: "affected", version: "Version 4.02C (10.95.208.31) and earlier", }, { status: "affected", version: "all versions", }, ], }, { product: "MC Works32", vendor: "n/a", versions: [ { status: "affected", version: "Version 3.00A (9.50.255.02)", }, ], }, { product: "ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server", vendor: "n/a", versions: [ { status: "affected", version: "v10.96 and prior", }, ], }, { product: "GenBroker32", vendor: "n/a", versions: [ { status: "affected", version: "v9.5 and prior", }, ], }, ], descriptions: [ { lang: "en", value: "A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; GenBroker32 version 9.5 and prior.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-787", description: "OUT-OF-BOUNDS WRITE CWE-787", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2020-07-16T18:53:05", orgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", shortName: "icscert", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { tags: [ "x_refsource_MISC", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "ics-cert@hq.dhs.gov", ID: "CVE-2020-12011", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Mitsubishi Electric MC Works64", version: { version_data: [ { version_value: "Version 4.02C (10.95.208.31) and earlier", }, { version_value: "all versions", }, ], }, }, { product_name: "MC Works32", version: { version_data: [ { version_value: "Version 3.00A (9.50.255.02)", }, ], }, }, { product_name: "ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server", version: { version_data: [ { version_value: "v10.96 and prior", }, ], }, }, { product_name: "GenBroker32", version: { version_data: [ { version_value: "v9.5 and prior", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; GenBroker32 version 9.5 and prior.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "OUT-OF-BOUNDS WRITE CWE-787", }, ], }, ], }, references: { reference_data: [ { name: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", refsource: "MISC", url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { name: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", refsource: "MISC", url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", assignerShortName: "icscert", cveId: "CVE-2020-12011", datePublished: "2020-07-16T18:53:05", dateReserved: "2020-04-21T00:00:00", dateUpdated: "2024-08-04T11:48:57.125Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-12015
Vulnerability from cvelistv5
Published
2020-07-16 21:30
Modified
2024-08-04 11:48
Severity ?
EPSS score ?
Summary
A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.us-cert.gov/ics/advisories/icsa-20-170-03 | x_refsource_CONFIRM | |
| https://www.us-cert.gov/ics/advisories/icsa-20-170-02 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Mitsubishi Electric | MC Works64 |
Version: version 4.02C (10.95.208.31) and earlier Version: all versions |
||||||||||||||||
|
|||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T11:48:57.726Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-02", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "MC Works64", vendor: "Mitsubishi Electric", versions: [ { status: "affected", version: "version 4.02C (10.95.208.31) and earlier", }, { status: "affected", version: "all versions", }, ], }, { product: "MC Works32", vendor: "Mitsubishi Electric", versions: [ { status: "affected", version: "version 3.00A (9.50.255.02)", }, ], }, { product: "GenBroker64, Platform Services, Workbench, FrameWorX Server", vendor: "ICONICS", versions: [ { status: "affected", version: "version 10.96 and prior", }, ], }, { product: "GenBroker32", vendor: "ICONICS", versions: [ { status: "affected", version: "version 9.5 and prior", }, ], }, ], descriptions: [ { lang: "en", value: "A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "DESERIALIZATION OF UNTRUSTED DATA CWE-502", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2020-07-16T21:30:43", orgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", shortName: "icscert", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-02", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "ics-cert@hq.dhs.gov", ID: "CVE-2020-12015", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "MC Works64", version: { version_data: [ { version_value: "version 4.02C (10.95.208.31) and earlier", }, { version_value: "all versions", }, ], }, }, { product_name: "MC Works32", version: { version_data: [ { version_value: "version 3.00A (9.50.255.02)", }, ], }, }, ], }, vendor_name: "Mitsubishi Electric", }, { product: { product_data: [ { product_name: "GenBroker64, Platform Services, Workbench, FrameWorX Server", version: { version_data: [ { version_value: "version 10.96 and prior", }, ], }, }, { product_name: "GenBroker32", version: { version_data: [ { version_value: "version 9.5 and prior", }, ], }, }, ], }, vendor_name: "ICONICS", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "DESERIALIZATION OF UNTRUSTED DATA CWE-502", }, ], }, ], }, references: { reference_data: [ { name: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", refsource: "CONFIRM", url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, { name: "https://www.us-cert.gov/ics/advisories/icsa-20-170-02", refsource: "CONFIRM", url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-02", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", assignerShortName: "icscert", cveId: "CVE-2020-12015", datePublished: "2020-07-16T21:30:43", dateReserved: "2020-04-21T00:00:00", dateUpdated: "2024-08-04T11:48:57.726Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-23128
Vulnerability from cvelistv5
Published
2022-01-21 18:17
Modified
2024-08-03 03:36
Severity ?
EPSS score ?
Summary
Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI versions 10.95.3 to 10.97 allows a remote unauthenticated attacker to bypass the authentication of MC Works64, GENESIS64, Hyper Historian, AnalytiX and MobileHMI, and gain unauthorized access to the products, by sending specially crafted WebSocket packets to FrameWorX server, one of the functions of the products.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jvn.jp/vu/JVNVU95403720/index.html | x_refsource_MISC | |
| https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01 | x_refsource_MISC | |
| https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Mitsubishi Electric MC Works64; ICONICS GENESIS64; ICONICS Hyper Historian; ICONICS AnalytiX; ICONICS MobileHMI |
Version: Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01) Version: ICONICS GENESIS64 versions 10.95.3 to 10.97 Version: ICONICS Hyper Historian versions 10.95.3 to 10.97 Version: ICONICS AnalytiX versions 10.95.3 to 10.97 Version: ICONICS MobileHMI versions 10.95.3 to 10.97 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T03:36:19.863Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jvn.jp/vu/JVNVU95403720/index.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Mitsubishi Electric MC Works64; ICONICS GENESIS64; ICONICS Hyper Historian; ICONICS AnalytiX; ICONICS MobileHMI", vendor: "n/a", versions: [ { status: "affected", version: "Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01)", }, { status: "affected", version: "ICONICS GENESIS64 versions 10.95.3 to 10.97", }, { status: "affected", version: "ICONICS Hyper Historian versions 10.95.3 to 10.97", }, { status: "affected", version: "ICONICS AnalytiX versions 10.95.3 to 10.97", }, { status: "affected", version: "ICONICS MobileHMI versions 10.95.3 to 10.97", }, ], }, ], descriptions: [ { lang: "en", value: "Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI versions 10.95.3 to 10.97 allows a remote unauthenticated attacker to bypass the authentication of MC Works64, GENESIS64, Hyper Historian, AnalytiX and MobileHMI, and gain unauthorized access to the products, by sending specially crafted WebSocket packets to FrameWorX server, one of the functions of the products.", }, ], problemTypes: [ { descriptions: [ { description: "Incomplete List of Disallowed Inputs", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-01-21T18:17:33", orgId: "e0f77b61-78fd-4786-b3fb-1ee347a748ad", shortName: "Mitsubishi", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://jvn.jp/vu/JVNVU95403720/index.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", }, { tags: [ "x_refsource_MISC", ], url: "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", ID: "CVE-2022-23128", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Mitsubishi Electric MC Works64; ICONICS GENESIS64; ICONICS Hyper Historian; ICONICS AnalytiX; ICONICS MobileHMI", version: { version_data: [ { version_value: "Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01)", }, { version_value: "ICONICS GENESIS64 versions 10.95.3 to 10.97", }, { version_value: "ICONICS Hyper Historian versions 10.95.3 to 10.97", }, { version_value: "ICONICS AnalytiX versions 10.95.3 to 10.97", }, { version_value: "ICONICS MobileHMI versions 10.95.3 to 10.97", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI versions 10.95.3 to 10.97 allows a remote unauthenticated attacker to bypass the authentication of MC Works64, GENESIS64, Hyper Historian, AnalytiX and MobileHMI, and gain unauthorized access to the products, by sending specially crafted WebSocket packets to FrameWorX server, one of the functions of the products.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Incomplete List of Disallowed Inputs", }, ], }, ], }, references: { reference_data: [ { name: "https://jvn.jp/vu/JVNVU95403720/index.html", refsource: "MISC", url: "https://jvn.jp/vu/JVNVU95403720/index.html", }, { name: "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", refsource: "MISC", url: "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", }, { name: "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf", refsource: "MISC", url: "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e0f77b61-78fd-4786-b3fb-1ee347a748ad", assignerShortName: "Mitsubishi", cveId: "CVE-2022-23128", datePublished: "2022-01-21T18:17:33", dateReserved: "2022-01-11T00:00:00", dateUpdated: "2024-08-03T03:36:19.863Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-12009
Vulnerability from cvelistv5
Published
2020-07-16 19:39
Modified
2024-09-16 23:00
Severity ?
EPSS score ?
Summary
A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior.
References
| ▼ | URL | Tags |
|---|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02 | x_refsource_CONFIRM | |
| https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Mitsubishi Electric | MC Works64 |
Version: 4.02C (10.95.208.31) and earlier Version: all versions |
||||||||||||||||
|
|||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T11:48:57.050Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "MC Works64", vendor: "Mitsubishi Electric", versions: [ { status: "affected", version: "4.02C (10.95.208.31) and earlier", }, { status: "affected", version: "all versions", }, ], }, { product: "MC Works32", vendor: "Mitsubishi Electric", versions: [ { status: "affected", version: "Version 3.00A (9.50.255.02)", }, ], }, { product: "GenBroker64, Platform Services, Workbench, FrameWorX Server", vendor: "ICONICS", versions: [ { status: "affected", version: "v10.96 and prior", }, ], }, { product: "GenBroker32", vendor: "ICONICS", versions: [ { status: "affected", version: "v9.5 and prior", }, ], }, ], datePublic: "2020-06-18T00:00:00", descriptions: [ { lang: "en", value: "A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "DESERIALIZATION OF UNTRUSTED DATA CWE-502", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2020-07-16T19:39:24", orgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", shortName: "icscert", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, ], source: { discovery: "UNKNOWN", }, x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "ics-cert@hq.dhs.gov", DATE_PUBLIC: "2020-06-18T15:00:00.000Z", ID: "CVE-2020-12009", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "MC Works64", version: { version_data: [ { version_value: "4.02C (10.95.208.31) and earlier", }, { version_value: "all versions", }, ], }, }, { product_name: "MC Works32", version: { version_data: [ { version_value: "Version 3.00A (9.50.255.02)", }, ], }, }, ], }, vendor_name: "Mitsubishi Electric", }, { product: { product_data: [ { product_name: "GenBroker64, Platform Services, Workbench, FrameWorX Server", version: { version_data: [ { version_value: "v10.96 and prior", }, ], }, }, { product_name: "GenBroker32", version: { version_data: [ { version_value: "v9.5 and prior", }, ], }, }, ], }, vendor_name: "ICONICS", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "DESERIALIZATION OF UNTRUSTED DATA CWE-502", }, ], }, ], }, references: { reference_data: [ { name: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", refsource: "CONFIRM", url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { name: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", refsource: "CONFIRM", url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", assignerShortName: "icscert", cveId: "CVE-2020-12009", datePublished: "2020-07-16T19:39:24.072953Z", dateReserved: "2020-04-21T00:00:00", dateUpdated: "2024-09-16T23:00:29.508Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-12007
Vulnerability from cvelistv5
Published
2020-07-16 21:49
Modified
2024-08-04 11:48
Severity ?
EPSS score ?
Summary
A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior.
References
| ▼ | URL | Tags |
|---|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03 | x_refsource_CONFIRM | |
| https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02%2C | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Mitsubishi Electric | MC Works64 |
Version: Version 4.02C (10.95.208.31) and earlier Version: all versions |
||||||||||||||||
|
|||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T11:48:57.519Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02%2C", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "MC Works64", vendor: "Mitsubishi Electric", versions: [ { status: "affected", version: "Version 4.02C (10.95.208.31) and earlier", }, { status: "affected", version: "all versions", }, ], }, { product: "MC Works32", vendor: "Mitsubishi Electric", versions: [ { status: "affected", version: "Version 3.00A (9.50.255.02)", }, ], }, { product: "GenBroker64, Platform Services, Workbench, FrameWorX Server", vendor: "ICONICS", versions: [ { status: "affected", version: "v10.96 and prior", }, ], }, { product: "GenBroker32", vendor: "ICONICS", versions: [ { status: "affected", version: "v9.5 and prior", }, ], }, ], descriptions: [ { lang: "en", value: "A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "DESERIALIZATION OF UNTRUSTED DATA CWE-502", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2020-07-16T21:49:12", orgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", shortName: "icscert", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02%2C", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "ics-cert@hq.dhs.gov", ID: "CVE-2020-12007", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "MC Works64", version: { version_data: [ { version_value: "Version 4.02C (10.95.208.31) and earlier", }, { version_value: "all versions", }, ], }, }, { product_name: "MC Works32", version: { version_data: [ { version_value: "Version 3.00A (9.50.255.02)", }, ], }, }, ], }, vendor_name: "Mitsubishi Electric", }, { product: { product_data: [ { product_name: "GenBroker64, Platform Services, Workbench, FrameWorX Server", version: { version_data: [ { version_value: "v10.96 and prior", }, ], }, }, { product_name: "GenBroker32", version: { version_data: [ { version_value: "v9.5 and prior", }, ], }, }, ], }, vendor_name: "ICONICS", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "DESERIALIZATION OF UNTRUSTED DATA CWE-502", }, ], }, ], }, references: { reference_data: [ { name: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", refsource: "CONFIRM", url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, { name: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02,", refsource: "CONFIRM", url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02,", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", assignerShortName: "icscert", cveId: "CVE-2020-12007", datePublished: "2020-07-16T21:49:12", dateReserved: "2020-04-21T00:00:00", dateUpdated: "2024-08-04T11:48:57.519Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-23127
Vulnerability from cvelistv5
Published
2022-01-21 18:17
Modified
2024-08-03 03:36
Severity ?
EPSS score ?
Summary
Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jvn.jp/vu/JVNVU95403720/index.html | x_refsource_MISC | |
| https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf | x_refsource_MISC | |
| https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Mitsubishi Electric MC Works64; ICONICS MobileHMI |
Version: Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior Version: ICONICS MobileHMI versions 10.96.2 and prior |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T03:36:20.098Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jvn.jp/vu/JVNVU95403720/index.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Mitsubishi Electric MC Works64; ICONICS MobileHMI", vendor: "n/a", versions: [ { status: "affected", version: "Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior", }, { status: "affected", version: "ICONICS MobileHMI versions 10.96.2 and prior", }, ], }, ], descriptions: [ { lang: "en", value: "Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL.", }, ], problemTypes: [ { descriptions: [ { description: "Cross-site Scripting", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-01-21T18:17:32", orgId: "e0f77b61-78fd-4786-b3fb-1ee347a748ad", shortName: "Mitsubishi", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://jvn.jp/vu/JVNVU95403720/index.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf", }, { tags: [ "x_refsource_MISC", ], url: "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", ID: "CVE-2022-23127", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Mitsubishi Electric MC Works64; ICONICS MobileHMI", version: { version_data: [ { version_value: "Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior", }, { version_value: "ICONICS MobileHMI versions 10.96.2 and prior", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Cross-site Scripting", }, ], }, ], }, references: { reference_data: [ { name: "https://jvn.jp/vu/JVNVU95403720/index.html", refsource: "MISC", url: "https://jvn.jp/vu/JVNVU95403720/index.html", }, { name: "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf", refsource: "MISC", url: "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf", }, { name: "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", refsource: "MISC", url: "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e0f77b61-78fd-4786-b3fb-1ee347a748ad", assignerShortName: "Mitsubishi", cveId: "CVE-2022-23127", datePublished: "2022-01-21T18:17:32", dateReserved: "2022-01-11T00:00:00", dateUpdated: "2024-08-03T03:36:20.098Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-12013
Vulnerability from cvelistv5
Published
2020-07-16 21:14
Modified
2024-08-04 11:48
Severity ?
EPSS score ?
Summary
A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior.
References
| ▼ | URL | Tags |
|---|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02 | x_refsource_CONFIRM | |
| https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Mitsubishi Electric | MC Works64 |
Version: Version 4.02C (10.95.208.31) and earlier Version: all versions |
||||||||||||||||
|
|||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T11:48:57.506Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "MC Works64", vendor: "Mitsubishi Electric", versions: [ { status: "affected", version: "Version 4.02C (10.95.208.31) and earlier", }, { status: "affected", version: "all versions", }, ], }, { product: "MC Works32", vendor: "Mitsubishi Electric", versions: [ { status: "affected", version: "Version 3.00A (9.50.255.02)", }, ], }, { product: "GenBroker64, Platform Services, Workbench, FrameWorX Server", vendor: "ICONICS", versions: [ { status: "affected", version: "v10.96 and prior", }, ], }, { product: "GenBroker32", vendor: "ICONICS", versions: [ { status: "affected", version: "v9.5 and prior", }, ], }, ], descriptions: [ { lang: "en", value: "A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-94", description: "IMPROPER CONTROL OF GENERATION OF CODE ('CODE INJECTION') CWE-94", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2020-07-16T21:14:34", orgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", shortName: "icscert", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "ics-cert@hq.dhs.gov", ID: "CVE-2020-12013", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "MC Works64", version: { version_data: [ { version_value: "Version 4.02C (10.95.208.31) and earlier", }, { version_value: "all versions", }, ], }, }, { product_name: "MC Works32", version: { version_data: [ { version_value: "Version 3.00A (9.50.255.02)", }, ], }, }, ], }, vendor_name: "Mitsubishi Electric", }, { product: { product_data: [ { product_name: "GenBroker64, Platform Services, Workbench, FrameWorX Server", version: { version_data: [ { version_value: "v10.96 and prior", }, ], }, }, { product_name: "GenBroker32", version: { version_data: [ { version_value: "v9.5 and prior", }, ], }, }, ], }, vendor_name: "ICONICS", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "IMPROPER CONTROL OF GENERATION OF CODE ('CODE INJECTION') CWE-94", }, ], }, ], }, references: { reference_data: [ { name: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", refsource: "CONFIRM", url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { name: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", refsource: "CONFIRM", url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", assignerShortName: "icscert", cveId: "CVE-2020-12013", datePublished: "2020-07-16T21:14:34", dateReserved: "2020-04-21T00:00:00", dateUpdated: "2024-08-04T11:48:57.506Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
var-202007-0206
Vulnerability from variot
A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior. The vulnerablity allows remote attackers to execute arbitrary code on affected installations of ICONICS Genesis64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of PKGX files. When parsing the WbPackAndGoSettings element, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided
Show details on source website{ affected_products: { _id: null, data: [ { _id: null, model: "electric mc works64 <=4.02c", scope: "eq", trust: 1, vendor: "mitsubishi", version: "(10.95.208.31)", }, { _id: null, model: "energy analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "mc works", scope: "lte", trust: 1, vendor: "mitsubishielectric", version: "10.95.208.31", }, { _id: null, model: "mobilehmi", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "bizviz", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "facility analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "mc works32", scope: "eq", trust: 1, vendor: "mitsubishielectric", version: "9.50.255.02", }, { _id: null, model: "genesis64", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "genesis32", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "quality analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "hyper historian", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "smart energy analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "genesis64", scope: null, trust: 0.7, vendor: "iconics", version: null, }, { _id: null, model: "electric mc works32 3.00a", scope: "eq", trust: 0.6, vendor: "mitsubishi", version: "(9.50.255.02)", }, { _id: null, model: "electric mc works32 3.00a", scope: "eq", trust: 0.4, vendor: "mitsubishi", version: "(9.50.255.02)*", }, ], sources: [ { db: "IVD", id: "d97cb3a1-cb5e-4bb3-b9b8-62a73dd1f132", }, { db: "IVD", id: "2aea7bb9-a918-4ccf-a751-b9794df3809b", }, { db: "ZDI", id: "ZDI-20-777", }, { db: "CNVD", id: "CNVD-2020-34371", }, { db: "NVD", id: "CVE-2020-12009", }, ], }, credits: { _id: null, data: "Team FLASHBACK: Pedro Ribeiro (pedrib@gmail.com|@pedrib1337) and Radek Domanski (@RabbitPro)", sources: [ { db: "ZDI", id: "ZDI-20-777", }, ], trust: 0.7, }, cve: "CVE-2020-12009", cvss: { _id: null, data: [ { cvssV2: [ { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "CVE-2020-12009", impactScore: 2.9, integrityImpact: "NONE", severity: "MEDIUM", trust: 1, vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "CNVD", availabilityImpact: "COMPLETE", baseScore: 7.8, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "CNVD-2020-34371", impactScore: 6.9, integrityImpact: "NONE", severity: "HIGH", trust: 0.6, vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:C", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "IVD", availabilityImpact: "COMPLETE", baseScore: 7.8, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "d97cb3a1-cb5e-4bb3-b9b8-62a73dd1f132", impactScore: 6.9, integrityImpact: "NONE", severity: "HIGH", trust: 0.2, vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:C", version: "2.9 [IVD]", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "IVD", availabilityImpact: "COMPLETE", baseScore: 7.8, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "2aea7bb9-a918-4ccf-a751-b9794df3809b", impactScore: 6.9, integrityImpact: "NONE", severity: "HIGH", trust: 0.2, vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:C", version: "2.9 [IVD]", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", exploitabilityScore: 3.9, id: "CVE-2020-12009", impactScore: 3.6, integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 1, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, { attackComplexity: "LOW", attackVector: "LOCAL", author: "ZDI", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", exploitabilityScore: 1.8, id: "CVE-2020-12009", impactScore: 5.9, integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 0.7, userInteraction: "REQUIRED", vectorString: "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.0", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2020-12009", trust: 1, value: "HIGH", }, { author: "ZDI", id: "CVE-2020-12009", trust: 0.7, value: "HIGH", }, { author: "CNVD", id: "CNVD-2020-34371", trust: 0.6, value: "HIGH", }, { author: "CNNVD", id: "CNNVD-202006-1208", trust: 0.6, value: "HIGH", }, { author: "IVD", id: "d97cb3a1-cb5e-4bb3-b9b8-62a73dd1f132", trust: 0.2, value: "HIGH", }, { author: "IVD", id: "2aea7bb9-a918-4ccf-a751-b9794df3809b", trust: 0.2, value: "HIGH", }, ], }, ], sources: [ { db: "IVD", id: "d97cb3a1-cb5e-4bb3-b9b8-62a73dd1f132", }, { db: "IVD", id: "2aea7bb9-a918-4ccf-a751-b9794df3809b", }, { db: "ZDI", id: "ZDI-20-777", }, { db: "CNVD", id: "CNVD-2020-34371", }, { db: "CNNVD", id: "CNNVD-202006-1208", }, { db: "NVD", id: "CVE-2020-12009", }, ], }, description: { _id: null, data: "A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior. The vulnerablity allows remote attackers to execute arbitrary code on affected installations of ICONICS Genesis64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of PKGX files. When parsing the WbPackAndGoSettings element, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided", sources: [ { db: "NVD", id: "CVE-2020-12009", }, { db: "ZDI", id: "ZDI-20-777", }, { db: "CNVD", id: "CNVD-2020-34371", }, { db: "IVD", id: "d97cb3a1-cb5e-4bb3-b9b8-62a73dd1f132", }, { db: "IVD", id: "2aea7bb9-a918-4ccf-a751-b9794df3809b", }, ], trust: 2.43, }, external_ids: { _id: null, data: [ { db: "NVD", id: "CVE-2020-12009", trust: 3.3, }, { db: "ICS CERT", id: "ICSA-20-170-02", trust: 2.2, }, { db: "ICS CERT", id: "ICSA-20-170-03", trust: 1.6, }, { db: "ZDI", id: "ZDI-20-777", trust: 1.3, }, { db: "CNVD", id: "CNVD-2020-34371", trust: 1, }, { db: "CNNVD", id: "CNNVD-202006-1208", trust: 1, }, { db: "ZDI_CAN", id: "ZDI-CAN-10272", trust: 0.7, }, { db: "AUSCERT", id: "ESB-2020.2147", trust: 0.6, }, { db: "IVD", id: "D97CB3A1-CB5E-4BB3-B9B8-62A73DD1F132", trust: 0.2, }, { db: "IVD", id: "2AEA7BB9-A918-4CCF-A751-B9794DF3809B", trust: 0.2, }, ], sources: [ { db: "IVD", id: "d97cb3a1-cb5e-4bb3-b9b8-62a73dd1f132", }, { db: "IVD", id: "2aea7bb9-a918-4ccf-a751-b9794df3809b", }, { db: "ZDI", id: "ZDI-20-777", }, { db: "CNVD", id: "CNVD-2020-34371", }, { db: "CNNVD", id: "CNNVD-202006-1208", }, { db: "NVD", id: "CVE-2020-12009", }, ], }, id: "VAR-202007-0206", iot: { _id: null, data: true, sources: [ { db: "IVD", id: "d97cb3a1-cb5e-4bb3-b9b8-62a73dd1f132", }, { db: "IVD", id: "2aea7bb9-a918-4ccf-a751-b9794df3809b", }, { db: "CNVD", id: "CNVD-2020-34371", }, ], trust: 1.78927874, }, iot_taxonomy: { _id: null, data: [ { category: [ "ICS", ], sub_category: null, trust: 1, }, ], sources: [ { db: "IVD", id: "d97cb3a1-cb5e-4bb3-b9b8-62a73dd1f132", }, { db: "IVD", id: "2aea7bb9-a918-4ccf-a751-b9794df3809b", }, { db: "CNVD", id: "CNVD-2020-34371", }, ], }, last_update_date: "2024-11-23T22:11:26.751000Z", patch: { _id: null, data: [ { title: "ICONICS has issued an update to correct this vulnerability.", trust: 0.7, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, { title: "Patch for Mitsubishi Electric MC Works64 and MC Works32 Code Issue Vulnerability (CNVD-2020-34371)", trust: 0.6, url: "https://www.cnvd.org.cn/patchInfo/show/222935", }, ], sources: [ { db: "ZDI", id: "ZDI-20-777", }, { db: "CNVD", id: "CNVD-2020-34371", }, ], }, problemtype_data: { _id: null, data: [ { problemtype: "CWE-502", trust: 1, }, ], sources: [ { db: "NVD", id: "CVE-2020-12009", }, ], }, references: { _id: null, data: [ { trust: 1.6, url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, { trust: 1.6, url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { trust: 1.2, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-02", }, { trust: 0.7, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, { trust: 0.6, url: "https://www.zerodayinitiative.com/advisories/zdi-20-777/", }, { trust: 0.6, url: "https://vigilance.fr/vulnerability/iconics-genesis32-genesis64-multiple-vulnerabilities-32668", }, { trust: 0.6, url: "https://nvd.nist.gov/vuln/detail/cve-2020-12009", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2020.2147/", }, ], sources: [ { db: "ZDI", id: "ZDI-20-777", }, { db: "CNVD", id: "CNVD-2020-34371", }, { db: "CNNVD", id: "CNNVD-202006-1208", }, { db: "NVD", id: "CVE-2020-12009", }, ], }, sources: { _id: null, data: [ { db: "IVD", id: "d97cb3a1-cb5e-4bb3-b9b8-62a73dd1f132", ident: null, }, { db: "IVD", id: "2aea7bb9-a918-4ccf-a751-b9794df3809b", ident: null, }, { db: "ZDI", id: "ZDI-20-777", ident: null, }, { db: "CNVD", id: "CNVD-2020-34371", ident: null, }, { db: "CNNVD", id: "CNNVD-202006-1208", ident: null, }, { db: "NVD", id: "CVE-2020-12009", ident: null, }, ], }, sources_release_date: { _id: null, data: [ { date: "2020-06-18T00:00:00", db: "IVD", id: "d97cb3a1-cb5e-4bb3-b9b8-62a73dd1f132", ident: null, }, { date: "2020-06-18T00:00:00", db: "IVD", id: "2aea7bb9-a918-4ccf-a751-b9794df3809b", ident: null, }, { date: "2020-06-30T00:00:00", db: "ZDI", id: "ZDI-20-777", ident: null, }, { date: "2020-06-23T00:00:00", db: "CNVD", id: "CNVD-2020-34371", ident: null, }, { date: "2020-06-18T00:00:00", db: "CNNVD", id: "CNNVD-202006-1208", ident: null, }, { date: "2020-07-16T20:15:11.057000", db: "NVD", id: "CVE-2020-12009", ident: null, }, ], }, sources_update_date: { _id: null, data: [ { date: "2020-06-30T00:00:00", db: "ZDI", id: "ZDI-20-777", ident: null, }, { date: "2020-06-23T00:00:00", db: "CNVD", id: "CNVD-2020-34371", ident: null, }, { date: "2020-07-30T00:00:00", db: "CNNVD", id: "CNNVD-202006-1208", ident: null, }, { date: "2024-11-21T04:59:06.433000", db: "NVD", id: "CVE-2020-12009", ident: null, }, ], }, threat_type: { _id: null, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-202006-1208", }, ], trust: 0.6, }, title: { _id: null, data: "(Pwn2Own) ICONICS Genesis64 PKGX WbPackAndGoSettings Absolute Path Traversal Remote Code Execution Vulnerability", sources: [ { db: "ZDI", id: "ZDI-20-777", }, ], trust: 0.7, }, type: { _id: null, data: "Code problem", sources: [ { db: "IVD", id: "d97cb3a1-cb5e-4bb3-b9b8-62a73dd1f132", }, { db: "IVD", id: "2aea7bb9-a918-4ccf-a751-b9794df3809b", }, { db: "CNNVD", id: "CNNVD-202006-1208", }, ], trust: 1, }, }
var-202201-0603
Vulnerability from variot
Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI versions 10.95.3 to 10.97 allows a remote unauthenticated attacker to bypass the authentication of MC Works64, GENESIS64, Hyper Historian, AnalytiX and MobileHMI, and gain unauthorized access to the products, by sending specially crafted WebSocket packets to FrameWorX server, one of the functions of the products. Mitsubishi Electric products and multiple ICONICS There are unspecified vulnerabilities in the product.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Mitsubishi Electric MC Works64 is a set of data acquisition and monitoring and control system (SCADA) of Japan's Mitsubishi Electric (Mitsubishi Electric).
A security vulnerability exists in Mitsubishi Electric MC Works64 that originates in the ICONICS and Mitsubishi Electric ICONICS product suites. The FrameWorX server in the Mitsubishi Electric MC Works64 product could allow an attacker to exploit the vulnerability to open a WebSocket endpoint (port 80 or 443) when bypassing GENESIS64 MC Works64 security. No detailed vulnerability details are currently provided
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-202201-0603", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "mobilehmi", scope: "lte", trust: 1, vendor: "iconics", version: "10.97", }, { model: "mc works64", scope: "gte", trust: 1, vendor: "mitsubishielectric", version: "10.95.201.23", }, { model: "genesis64", scope: "gte", trust: 1, vendor: "iconics", version: "10.95.3", }, { model: "analytix", scope: "lte", trust: 1, vendor: "iconics", version: "10.97", }, { model: "analytix", scope: "gte", trust: 1, vendor: "iconics", version: "10.95.3", }, { model: "genesis64", scope: "lte", trust: 1, vendor: "iconics", version: "10.97", }, { model: "hyper historian", scope: "gte", trust: 1, vendor: "iconics", version: "10.95.3", }, { model: "mobilehmi", scope: "gte", trust: 1, vendor: "iconics", version: "10.95.3", }, { model: "mc works64", scope: "lte", trust: 1, vendor: "mitsubishielectric", version: "10.95.210.01", }, { model: "hyper historian", scope: "lte", trust: 1, vendor: "iconics", version: "10.97", }, { model: "hyper historian", scope: null, trust: 0.8, vendor: "iconics", version: null, }, { model: "mc works64", scope: "eq", trust: 0.8, vendor: "三菱電機", version: "4.00a (10.95.201.23) to 4.04e (10.95.210.01)", }, { model: "mobilehmi", scope: null, trust: 0.8, vendor: "iconics", version: null, }, { model: "analytix", scope: null, trust: 0.8, vendor: "iconics", version: null, }, { model: "genesis 64", scope: null, trust: 0.8, vendor: "iconics", version: null, }, { model: "electric mc works64", scope: "gte", trust: 0.6, vendor: "mitsubishi", version: "10.95.201.23,<=10.95.210.01", }, ], sources: [ { db: "CNVD", id: "CNVD-2022-08358", }, { db: "JVNDB", id: "JVNDB-2022-003883", }, { db: "NVD", id: "CVE-2022-23128", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "ICONICS and Mitsubishi Electric reported these vulnerabilities to CISA.", sources: [ { db: "CNNVD", id: "CNNVD-202201-1829", }, ], trust: 0.6, }, cve: "CVE-2022-23128", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", exploitabilityScore: 10, id: "CVE-2022-23128", impactScore: 6.4, integrityImpact: "PARTIAL", severity: "HIGH", trust: 1.9, vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "CNVD", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", exploitabilityScore: 10, id: "CNVD-2022-08358", impactScore: 6.4, integrityImpact: "PARTIAL", severity: "HIGH", trust: 0.6, vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", exploitabilityScore: 3.9, id: "CVE-2022-23128", impactScore: 5.9, integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 1, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, { attackComplexity: "Low", attackVector: "Network", author: "NVD", availabilityImpact: "High", baseScore: 9.8, baseSeverity: "Critical", confidentialityImpact: "High", exploitabilityScore: null, id: "CVE-2022-23128", impactScore: null, integrityImpact: "High", privilegesRequired: "None", scope: "Unchanged", trust: 0.8, userInteraction: "None", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2022-23128", trust: 1, value: "CRITICAL", }, { author: "NVD", id: "CVE-2022-23128", trust: 0.8, value: "Critical", }, { author: "CNVD", id: "CNVD-2022-08358", trust: 0.6, value: "HIGH", }, { author: "CNNVD", id: "CNNVD-202201-1829", trust: 0.6, value: "CRITICAL", }, { author: "VULMON", id: "CVE-2022-23128", trust: 0.1, value: "HIGH", }, ], }, ], sources: [ { db: "CNVD", id: "CNVD-2022-08358", }, { db: "VULMON", id: "CVE-2022-23128", }, { db: "JVNDB", id: "JVNDB-2022-003883", }, { db: "CNNVD", id: "CNNVD-202201-1829", }, { db: "NVD", id: "CVE-2022-23128", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI versions 10.95.3 to 10.97 allows a remote unauthenticated attacker to bypass the authentication of MC Works64, GENESIS64, Hyper Historian, AnalytiX and MobileHMI, and gain unauthorized access to the products, by sending specially crafted WebSocket packets to FrameWorX server, one of the functions of the products. Mitsubishi Electric products and multiple ICONICS There are unspecified vulnerabilities in the product.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Mitsubishi Electric MC Works64 is a set of data acquisition and monitoring and control system (SCADA) of Japan's Mitsubishi Electric (Mitsubishi Electric). \n\r\n\r\nA security vulnerability exists in Mitsubishi Electric MC Works64 that originates in the ICONICS and Mitsubishi Electric ICONICS product suites. The FrameWorX server in the Mitsubishi Electric MC Works64 product could allow an attacker to exploit the vulnerability to open a WebSocket endpoint (port 80 or 443) when bypassing GENESIS64 MC Works64 security. No detailed vulnerability details are currently provided", sources: [ { db: "NVD", id: "CVE-2022-23128", }, { db: "JVNDB", id: "JVNDB-2022-003883", }, { db: "CNVD", id: "CNVD-2022-08358", }, { db: "VULMON", id: "CVE-2022-23128", }, ], trust: 2.25, }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2022-23128", trust: 3.9, }, { db: "ICS CERT", id: "ICSA-22-020-01", trust: 3.1, }, { db: "JVN", id: "JVNVU95403720", trust: 2.5, }, { db: "JVNDB", id: "JVNDB-2022-003883", trust: 0.8, }, { db: "CNVD", id: "CNVD-2022-08358", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2022.0311", trust: 0.6, }, { db: "CS-HELP", id: "SB2022012108", trust: 0.6, }, { db: "CNNVD", id: "CNNVD-202201-1829", trust: 0.6, }, { db: "VULMON", id: "CVE-2022-23128", trust: 0.1, }, ], sources: [ { db: "CNVD", id: "CNVD-2022-08358", }, { db: "VULMON", id: "CVE-2022-23128", }, { db: "JVNDB", id: "JVNDB-2022-003883", }, { db: "CNNVD", id: "CNNVD-202201-1829", }, { db: "NVD", id: "CVE-2022-23128", }, ], }, id: "VAR-202201-0603", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "CNVD", id: "CNVD-2022-08358", }, ], trust: 1.6, }, iot_taxonomy: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { category: [ "ICS", ], sub_category: null, trust: 0.6, }, ], sources: [ { db: "CNVD", id: "CNVD-2022-08358", }, ], }, last_update_date: "2024-11-23T21:33:22.067000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "Top Page Mitsubishi Electric Mitsubishi Electric Corporation", trust: 0.8, url: "https://iconics.com/", }, { title: "Patch for Unknown Vulnerability in Mitsubishi Electric MC Works64", trust: 0.6, url: "https://www.cnvd.org.cn/patchInfo/show/317671", }, { title: "Mitsubishi Electric MC Works64 Security vulnerabilities", trust: 0.6, url: "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=179152", }, { title: "CVE-2022-XXXX", trust: 0.1, url: "https://github.com/AlphabugX/CVE-2022-23305 ", }, { title: "CVE-2022-XXXX", trust: 0.1, url: "https://github.com/AlphabugX/CVE-2022-RCE ", }, ], sources: [ { db: "CNVD", id: "CNVD-2022-08358", }, { db: "VULMON", id: "CVE-2022-23128", }, { db: "JVNDB", id: "JVNDB-2022-003883", }, { db: "CNNVD", id: "CNNVD-202201-1829", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "NVD-CWE-Other", trust: 1, }, { problemtype: "others (CWE-Other) [NVD evaluation ]", trust: 0.8, }, ], sources: [ { db: "JVNDB", id: "JVNDB-2022-003883", }, { db: "NVD", id: "CVE-2022-23128", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 1.8, url: "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", }, { trust: 1.7, url: "https://jvn.jp/vu/jvnvu95403720/index.html", }, { trust: 1.7, url: "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf", }, { trust: 1.4, url: "https://nvd.nist.gov/vuln/detail/cve-2022-23128", }, { trust: 1.2, url: "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01", }, { trust: 0.8, url: "https://jvn.jp/vu/jvnvu95403720/", }, { trust: 0.8, url: "https://www.cisa.gov/news-events/ics-advisories/icsa-22-020-01", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2022.0311", }, { trust: 0.6, url: "https://vigilance.fr/vulnerability/iconics-genesis64-four-vulnerabilities-37339", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2022012108", }, { trust: 0.1, url: "https://cwe.mitre.org/data/definitions/.html", }, { trust: 0.1, url: "https://nvd.nist.gov", }, { trust: 0.1, url: "https://github.com/alphabugx/cve-2022-23305", }, ], sources: [ { db: "CNVD", id: "CNVD-2022-08358", }, { db: "VULMON", id: "CVE-2022-23128", }, { db: "JVNDB", id: "JVNDB-2022-003883", }, { db: "CNNVD", id: "CNNVD-202201-1829", }, { db: "NVD", id: "CVE-2022-23128", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "CNVD", id: "CNVD-2022-08358", }, { db: "VULMON", id: "CVE-2022-23128", }, { db: "JVNDB", id: "JVNDB-2022-003883", }, { db: "CNNVD", id: "CNNVD-202201-1829", }, { db: "NVD", id: "CVE-2022-23128", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2022-02-05T00:00:00", db: "CNVD", id: "CNVD-2022-08358", }, { date: "2022-01-21T00:00:00", db: "VULMON", id: "CVE-2022-23128", }, { date: "2023-03-10T00:00:00", db: "JVNDB", id: "JVNDB-2022-003883", }, { date: "2022-01-20T00:00:00", db: "CNNVD", id: "CNNVD-202201-1829", }, { date: "2022-01-21T19:15:09.977000", db: "NVD", id: "CVE-2022-23128", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2022-06-13T00:00:00", db: "CNVD", id: "CNVD-2022-08358", }, { date: "2022-01-27T00:00:00", db: "VULMON", id: "CVE-2022-23128", }, { date: "2023-03-10T03:20:00", db: "JVNDB", id: "JVNDB-2022-003883", }, { date: "2022-02-14T00:00:00", db: "CNNVD", id: "CNNVD-202201-1829", }, { date: "2024-11-21T06:48:03.407000", db: "NVD", id: "CVE-2022-23128", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-202201-1829", }, ], trust: 0.6, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Mitsubishi Electric products and multiple ICONICS Product vulnerabilities", sources: [ { db: "JVNDB", id: "JVNDB-2022-003883", }, ], trust: 0.8, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "other", sources: [ { db: "CNNVD", id: "CNNVD-202201-1829", }, ], trust: 0.6, }, }
var-202007-1433
Vulnerability from variot
A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior. The vulnerablity allows remote attackers to execute arbitrary code on affected installations of ICONICS Genesis64. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of requests to the TestQuery endpoint of the IcoFwxServer service. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the current process.
There is a code injection vulnerability in Mitsubishi Electric MC Works64 4.02C (10.95.208.31) and previous versions and MC Works32 3.00A (9.50.255.02) version, remote attackers can use the specially crafted message to exploit this vulnerability to execute arbitrary SQL commands and leak, tamper with internal data. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided
Show details on source website{ affected_products: { _id: null, data: [ { _id: null, model: "electric mc works64 <=4.02c", scope: "eq", trust: 1, vendor: "mitsubishi", version: "(10.95.208.31)", }, { _id: null, model: "energy analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "mc works64", scope: "lte", trust: 1, vendor: "mitsubishielectric", version: "10.95.208.31", }, { _id: null, model: "mobilehmi", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "bizviz", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "facility analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "mc works32", scope: "eq", trust: 1, vendor: "mitsubishielectric", version: "9.50.255.02", }, { _id: null, model: "genesis64", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "genesis32", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "quality analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "hyper historian", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "smart energy analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "genesis64", scope: null, trust: 0.7, vendor: "iconics", version: null, }, { _id: null, model: "electric mc works32 3.00a", scope: "eq", trust: 0.6, vendor: "mitsubishi", version: "(9.50.255.02)", }, { _id: null, model: "electric mc works32 3.00a", scope: "eq", trust: 0.4, vendor: "mitsubishi", version: "(9.50.255.02)*", }, ], sources: [ { db: "IVD", id: "619034f0-2a16-43eb-8d34-f889bd91a2af", }, { db: "IVD", id: "e2b262e1-e8a9-471a-a771-486f23cd118b", }, { db: "ZDI", id: "ZDI-20-779", }, { db: "CNVD", id: "CNVD-2020-34370", }, { db: "NVD", id: "CVE-2020-12013", }, ], }, credits: { _id: null, data: "Ben McBride", sources: [ { db: "ZDI", id: "ZDI-20-779", }, ], trust: 0.7, }, cve: "CVE-2020-12013", cvss: { _id: null, data: [ { cvssV2: [ { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", availabilityImpact: "NONE", baseScore: 6.4, confidentialityImpact: "PARTIAL", exploitabilityScore: 10, id: "CVE-2020-12013", impactScore: 4.9, integrityImpact: "PARTIAL", severity: "MEDIUM", trust: 1, vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "CNVD", availabilityImpact: "PARTIAL", baseScore: 9.7, confidentialityImpact: "COMPLETE", exploitabilityScore: 10, id: "CNVD-2020-34370", impactScore: 9.5, integrityImpact: "COMPLETE", severity: "HIGH", trust: 0.6, vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:P", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "IVD", availabilityImpact: "PARTIAL", baseScore: 9.7, confidentialityImpact: "COMPLETE", exploitabilityScore: 10, id: "619034f0-2a16-43eb-8d34-f889bd91a2af", impactScore: 9.5, integrityImpact: "COMPLETE", severity: "HIGH", trust: 0.2, vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:P", version: "2.9 [IVD]", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "IVD", availabilityImpact: "PARTIAL", baseScore: 9.7, confidentialityImpact: "COMPLETE", exploitabilityScore: 10, id: "e2b262e1-e8a9-471a-a771-486f23cd118b", impactScore: 9.5, integrityImpact: "COMPLETE", severity: "HIGH", trust: 0.2, vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:P", version: "2.9 [IVD]", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "NONE", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", exploitabilityScore: 3.9, id: "CVE-2020-12013", impactScore: 5.2, integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 1, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, { attackComplexity: "LOW", attackVector: "NETWORK", author: "ZDI", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", exploitabilityScore: 3.9, id: "CVE-2020-12013", impactScore: 5.9, integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 0.7, userInteraction: "NONE", vectorString: "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2020-12013", trust: 1, value: "CRITICAL", }, { author: "ZDI", id: "CVE-2020-12013", trust: 0.7, value: "CRITICAL", }, { author: "CNVD", id: "CNVD-2020-34370", trust: 0.6, value: "HIGH", }, { author: "CNNVD", id: "CNNVD-202006-1207", trust: 0.6, value: "CRITICAL", }, { author: "IVD", id: "619034f0-2a16-43eb-8d34-f889bd91a2af", trust: 0.2, value: "HIGH", }, { author: "IVD", id: "e2b262e1-e8a9-471a-a771-486f23cd118b", trust: 0.2, value: "HIGH", }, ], }, ], sources: [ { db: "IVD", id: "619034f0-2a16-43eb-8d34-f889bd91a2af", }, { db: "IVD", id: "e2b262e1-e8a9-471a-a771-486f23cd118b", }, { db: "ZDI", id: "ZDI-20-779", }, { db: "CNVD", id: "CNVD-2020-34370", }, { db: "CNNVD", id: "CNNVD-202006-1207", }, { db: "NVD", id: "CVE-2020-12013", }, ], }, description: { _id: null, data: "A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior. The vulnerablity allows remote attackers to execute arbitrary code on affected installations of ICONICS Genesis64. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of requests to the TestQuery endpoint of the IcoFwxServer service. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the current process. \n\r\n\r\nThere is a code injection vulnerability in Mitsubishi Electric MC Works64 4.02C (10.95.208.31) and previous versions and MC Works32 3.00A (9.50.255.02) version, remote attackers can use the specially crafted message to exploit this vulnerability to execute arbitrary SQL commands and leak, tamper with internal data. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided", sources: [ { db: "NVD", id: "CVE-2020-12013", }, { db: "ZDI", id: "ZDI-20-779", }, { db: "CNVD", id: "CNVD-2020-34370", }, { db: "IVD", id: "619034f0-2a16-43eb-8d34-f889bd91a2af", }, { db: "IVD", id: "e2b262e1-e8a9-471a-a771-486f23cd118b", }, ], trust: 2.43, }, external_ids: { _id: null, data: [ { db: "NVD", id: "CVE-2020-12013", trust: 3.3, }, { db: "ICS CERT", id: "ICSA-20-170-02", trust: 2.2, }, { db: "ICS CERT", id: "ICSA-20-170-03", trust: 1.6, }, { db: "ZDI", id: "ZDI-20-779", trust: 1.3, }, { db: "CNVD", id: "CNVD-2020-34370", trust: 1, }, { db: "CNNVD", id: "CNNVD-202006-1207", trust: 1, }, { db: "ZDI_CAN", id: "ZDI-CAN-10288", trust: 0.7, }, { db: "AUSCERT", id: "ESB-2020.2147", trust: 0.6, }, { db: "IVD", id: "619034F0-2A16-43EB-8D34-F889BD91A2AF", trust: 0.2, }, { db: "IVD", id: "E2B262E1-E8A9-471A-A771-486F23CD118B", trust: 0.2, }, ], sources: [ { db: "IVD", id: "619034f0-2a16-43eb-8d34-f889bd91a2af", }, { db: "IVD", id: "e2b262e1-e8a9-471a-a771-486f23cd118b", }, { db: "ZDI", id: "ZDI-20-779", }, { db: "CNVD", id: "CNVD-2020-34370", }, { db: "CNNVD", id: "CNNVD-202006-1207", }, { db: "NVD", id: "CVE-2020-12013", }, ], }, id: "VAR-202007-1433", iot: { _id: null, data: true, sources: [ { db: "IVD", id: "619034f0-2a16-43eb-8d34-f889bd91a2af", }, { db: "IVD", id: "e2b262e1-e8a9-471a-a771-486f23cd118b", }, { db: "CNVD", id: "CNVD-2020-34370", }, ], trust: 1.78927874, }, iot_taxonomy: { _id: null, data: [ { category: [ "ICS", ], sub_category: null, trust: 1, }, ], sources: [ { db: "IVD", id: "619034f0-2a16-43eb-8d34-f889bd91a2af", }, { db: "IVD", id: "e2b262e1-e8a9-471a-a771-486f23cd118b", }, { db: "CNVD", id: "CNVD-2020-34370", }, ], }, last_update_date: "2024-11-23T22:11:26.821000Z", patch: { _id: null, data: [ { title: "ICONICS has issued an update to correct this vulnerability.", trust: 0.7, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, { title: "Patch for Mitsubishi Electric MC Works64 and MC Works32 code injection vulnerability", trust: 0.6, url: "https://www.cnvd.org.cn/patchInfo/show/222939", }, ], sources: [ { db: "ZDI", id: "ZDI-20-779", }, { db: "CNVD", id: "CNVD-2020-34370", }, ], }, problemtype_data: { _id: null, data: [ { problemtype: "CWE-89", trust: 1, }, { problemtype: "CWE-94", trust: 1, }, ], sources: [ { db: "NVD", id: "CVE-2020-12013", }, ], }, references: { _id: null, data: [ { trust: 1.6, url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, { trust: 1.6, url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { trust: 1.2, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-02", }, { trust: 0.7, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, { trust: 0.6, url: "https://www.zerodayinitiative.com/advisories/zdi-20-779/", }, { trust: 0.6, url: "https://vigilance.fr/vulnerability/iconics-genesis32-genesis64-multiple-vulnerabilities-32668", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2020.2147/", }, { trust: 0.6, url: "https://nvd.nist.gov/vuln/detail/cve-2020-12013", }, ], sources: [ { db: "ZDI", id: "ZDI-20-779", }, { db: "CNVD", id: "CNVD-2020-34370", }, { db: "CNNVD", id: "CNNVD-202006-1207", }, { db: "NVD", id: "CVE-2020-12013", }, ], }, sources: { _id: null, data: [ { db: "IVD", id: "619034f0-2a16-43eb-8d34-f889bd91a2af", ident: null, }, { db: "IVD", id: "e2b262e1-e8a9-471a-a771-486f23cd118b", ident: null, }, { db: "ZDI", id: "ZDI-20-779", ident: null, }, { db: "CNVD", id: "CNVD-2020-34370", ident: null, }, { db: "CNNVD", id: "CNNVD-202006-1207", ident: null, }, { db: "NVD", id: "CVE-2020-12013", ident: null, }, ], }, sources_release_date: { _id: null, data: [ { date: "2020-06-18T00:00:00", db: "IVD", id: "619034f0-2a16-43eb-8d34-f889bd91a2af", ident: null, }, { date: "2020-06-18T00:00:00", db: "IVD", id: "e2b262e1-e8a9-471a-a771-486f23cd118b", ident: null, }, { date: "2020-06-30T00:00:00", db: "ZDI", id: "ZDI-20-779", ident: null, }, { date: "2020-06-23T00:00:00", db: "CNVD", id: "CNVD-2020-34370", ident: null, }, { date: "2020-06-18T00:00:00", db: "CNNVD", id: "CNNVD-202006-1207", ident: null, }, { date: "2020-07-16T22:15:11.417000", db: "NVD", id: "CVE-2020-12013", ident: null, }, ], }, sources_update_date: { _id: null, data: [ { date: "2020-06-30T00:00:00", db: "ZDI", id: "ZDI-20-779", ident: null, }, { date: "2020-06-23T00:00:00", db: "CNVD", id: "CNVD-2020-34370", ident: null, }, { date: "2021-11-08T00:00:00", db: "CNNVD", id: "CNNVD-202006-1207", ident: null, }, { date: "2024-11-21T04:59:06.937000", db: "NVD", id: "CVE-2020-12013", ident: null, }, ], }, threat_type: { _id: null, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-202006-1207", }, ], trust: 0.6, }, title: { _id: null, data: "ICONICS Genesis64 TestQuery SQL Injection Remote Code Execution Vulnerability", sources: [ { db: "ZDI", id: "ZDI-20-779", }, ], trust: 0.7, }, type: { _id: null, data: "SQL injection", sources: [ { db: "CNNVD", id: "CNNVD-202006-1207", }, ], trust: 0.6, }, }
var-202007-0207
Vulnerability from variot
A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; GenBroker32 version 9.5 and prior. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS Genesis64. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of indexes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Mitsubishi Electric MC Works64 and MC Works32 are a set of data acquisition and monitoring system (SCADA) of Japan Mitsubishi Electric (Mitsubishi Electric) company. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-202007-0207", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "electric mc works64 <=4.02c", scope: "eq", trust: 1, vendor: "mitsubishi", version: "(10.95.208.31)", }, { model: "energy analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "mc works", scope: "lte", trust: 1, vendor: "mitsubishielectric", version: "10.95.208.31", }, { model: "mobilehmi", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "bizviz", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "facility analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "mc works32", scope: "eq", trust: 1, vendor: "mitsubishielectric", version: "9.50.255.02", }, { model: "genesis64", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "genesis32", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "quality analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "hyper historian", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "smart energy analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "genesis64", scope: null, trust: 0.7, vendor: "iconics", version: null, }, { model: "electric mc works32 3.00a", scope: "eq", trust: 0.6, vendor: "mitsubishi", version: "(9.50.255.02)", }, { model: "electric mc works32 3.00a", scope: "eq", trust: 0.4, vendor: "mitsubishi", version: "(9.50.255.02)*", }, ], sources: [ { db: "IVD", id: "2e91579b-642f-4242-83f1-d1d890cc5345", }, { db: "IVD", id: "213f4b05-e0a3-4f65-b456-b752579d9402", }, { db: "ZDI", id: "ZDI-20-778", }, { db: "CNVD", id: "CNVD-2020-34373", }, { db: "NVD", id: "CVE-2020-12011", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Tobias Scharnowski, Niklas Breitfeld, and Ali Abbasi", sources: [ { db: "ZDI", id: "ZDI-20-778", }, ], trust: 0.7, }, cve: "CVE-2020-12011", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", exploitabilityScore: 10, id: "CVE-2020-12011", impactScore: 6.4, integrityImpact: "PARTIAL", severity: "HIGH", trust: 1, vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", author: "CNVD", availabilityImpact: "COMPLETE", baseScore: 7.6, confidentialityImpact: "COMPLETE", exploitabilityScore: 4.9, id: "CNVD-2020-34373", impactScore: 10, integrityImpact: "COMPLETE", severity: "HIGH", trust: 0.6, vectorString: "AV:N/AC:H/Au:N/C:C/I:C/A:C", version: "2.0", }, { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", author: "IVD", availabilityImpact: "COMPLETE", baseScore: 7.6, confidentialityImpact: "COMPLETE", exploitabilityScore: 4.9, id: "2e91579b-642f-4242-83f1-d1d890cc5345", impactScore: 10, integrityImpact: "COMPLETE", severity: "HIGH", trust: 0.2, vectorString: "AV:N/AC:H/Au:N/C:C/I:C/A:C", version: "2.9 [IVD]", }, { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", author: "IVD", availabilityImpact: "COMPLETE", baseScore: 7.6, confidentialityImpact: "COMPLETE", exploitabilityScore: 4.9, id: "213f4b05-e0a3-4f65-b456-b752579d9402", impactScore: 10, integrityImpact: "COMPLETE", severity: "HIGH", trust: 0.2, vectorString: "AV:N/AC:H/Au:N/C:C/I:C/A:C", version: "2.9 [IVD]", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", exploitabilityScore: 3.9, id: "CVE-2020-12011", impactScore: 5.9, integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 1, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, { attackComplexity: "LOW", attackVector: "NETWORK", author: "ZDI", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", exploitabilityScore: 3.9, id: "CVE-2020-12011", impactScore: 5.9, integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 0.7, userInteraction: "NONE", vectorString: "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2020-12011", trust: 1, value: "CRITICAL", }, { author: "ZDI", id: "CVE-2020-12011", trust: 0.7, value: "CRITICAL", }, { author: "CNVD", id: "CNVD-2020-34373", trust: 0.6, value: "HIGH", }, { author: "CNNVD", id: "CNNVD-202006-1210", trust: 0.6, value: "CRITICAL", }, { author: "IVD", id: "2e91579b-642f-4242-83f1-d1d890cc5345", trust: 0.2, value: "HIGH", }, { author: "IVD", id: "213f4b05-e0a3-4f65-b456-b752579d9402", trust: 0.2, value: "HIGH", }, ], }, ], sources: [ { db: "IVD", id: "2e91579b-642f-4242-83f1-d1d890cc5345", }, { db: "IVD", id: "213f4b05-e0a3-4f65-b456-b752579d9402", }, { db: "ZDI", id: "ZDI-20-778", }, { db: "CNVD", id: "CNVD-2020-34373", }, { db: "CNNVD", id: "CNNVD-202006-1210", }, { db: "NVD", id: "CVE-2020-12011", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; GenBroker32 version 9.5 and prior. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS Genesis64. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of indexes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Mitsubishi Electric MC Works64 and MC Works32 are a set of data acquisition and monitoring system (SCADA) of Japan Mitsubishi Electric (Mitsubishi Electric) company. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided", sources: [ { db: "NVD", id: "CVE-2020-12011", }, { db: "ZDI", id: "ZDI-20-778", }, { db: "CNVD", id: "CNVD-2020-34373", }, { db: "IVD", id: "2e91579b-642f-4242-83f1-d1d890cc5345", }, { db: "IVD", id: "213f4b05-e0a3-4f65-b456-b752579d9402", }, ], trust: 2.43, }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2020-12011", trust: 3.3, }, { db: "ICS CERT", id: "ICSA-20-170-02", trust: 2.2, }, { db: "ICS CERT", id: "ICSA-20-170-03", trust: 1.6, }, { db: "ZDI", id: "ZDI-20-778", trust: 1.3, }, { db: "CNVD", id: "CNVD-2020-34373", trust: 1, }, { db: "CNNVD", id: "CNNVD-202006-1210", trust: 1, }, { db: "ZDI_CAN", id: "ZDI-CAN-10274", trust: 0.7, }, { db: "AUSCERT", id: "ESB-2020.2147", trust: 0.6, }, { db: "IVD", id: "2E91579B-642F-4242-83F1-D1D890CC5345", trust: 0.2, }, { db: "IVD", id: "213F4B05-E0A3-4F65-B456-B752579D9402", trust: 0.2, }, ], sources: [ { db: "IVD", id: "2e91579b-642f-4242-83f1-d1d890cc5345", }, { db: "IVD", id: "213f4b05-e0a3-4f65-b456-b752579d9402", }, { db: "ZDI", id: "ZDI-20-778", }, { db: "CNVD", id: "CNVD-2020-34373", }, { db: "CNNVD", id: "CNNVD-202006-1210", }, { db: "NVD", id: "CVE-2020-12011", }, ], }, id: "VAR-202007-0207", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "IVD", id: "2e91579b-642f-4242-83f1-d1d890cc5345", }, { db: "IVD", id: "213f4b05-e0a3-4f65-b456-b752579d9402", }, { db: "CNVD", id: "CNVD-2020-34373", }, ], trust: 1.78927874, }, iot_taxonomy: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { category: [ "ICS", ], sub_category: null, trust: 1, }, ], sources: [ { db: "IVD", id: "2e91579b-642f-4242-83f1-d1d890cc5345", }, { db: "IVD", id: "213f4b05-e0a3-4f65-b456-b752579d9402", }, { db: "CNVD", id: "CNVD-2020-34373", }, ], }, last_update_date: "2024-11-23T22:11:26.786000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "ICONICS has issued an update to correct this vulnerability.", trust: 0.7, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, { title: "Patch for Mitsubishi Electric MC Works64 and MC Works32 buffer overflow vulnerability", trust: 0.6, url: "https://www.cnvd.org.cn/patchInfo/show/222929", }, ], sources: [ { db: "ZDI", id: "ZDI-20-778", }, { db: "CNVD", id: "CNVD-2020-34373", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "CWE-787", trust: 1, }, ], sources: [ { db: "NVD", id: "CVE-2020-12011", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 1.6, url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, { trust: 1.6, url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { trust: 1.2, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-02", }, { trust: 0.7, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, { trust: 0.6, url: "https://www.zerodayinitiative.com/advisories/zdi-20-778/", }, { trust: 0.6, url: "https://vigilance.fr/vulnerability/iconics-genesis32-genesis64-multiple-vulnerabilities-32668", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2020.2147/", }, { trust: 0.6, url: "https://nvd.nist.gov/vuln/detail/cve-2020-12011", }, ], sources: [ { db: "ZDI", id: "ZDI-20-778", }, { db: "CNVD", id: "CNVD-2020-34373", }, { db: "CNNVD", id: "CNNVD-202006-1210", }, { db: "NVD", id: "CVE-2020-12011", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "IVD", id: "2e91579b-642f-4242-83f1-d1d890cc5345", }, { db: "IVD", id: "213f4b05-e0a3-4f65-b456-b752579d9402", }, { db: "ZDI", id: "ZDI-20-778", }, { db: "CNVD", id: "CNVD-2020-34373", }, { db: "CNNVD", id: "CNNVD-202006-1210", }, { db: "NVD", id: "CVE-2020-12011", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2020-06-18T00:00:00", db: "IVD", id: "2e91579b-642f-4242-83f1-d1d890cc5345", }, { date: "2020-06-18T00:00:00", db: "IVD", id: "213f4b05-e0a3-4f65-b456-b752579d9402", }, { date: "2020-06-30T00:00:00", db: "ZDI", id: "ZDI-20-778", }, { date: "2020-06-23T00:00:00", db: "CNVD", id: "CNVD-2020-34373", }, { date: "2020-06-18T00:00:00", db: "CNNVD", id: "CNNVD-202006-1210", }, { date: "2020-07-16T19:15:11.830000", db: "NVD", id: "CVE-2020-12011", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2020-06-30T00:00:00", db: "ZDI", id: "ZDI-20-778", }, { date: "2020-06-23T00:00:00", db: "CNVD", id: "CNVD-2020-34373", }, { date: "2020-07-30T00:00:00", db: "CNNVD", id: "CNNVD-202006-1210", }, { date: "2024-11-21T04:59:06.677000", db: "NVD", id: "CVE-2020-12011", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-202006-1210", }, ], trust: 0.6, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "(Pwn2Own) ICONICS Genesis64 VariantClear Out-Of-Bounds Access Remote Code Execution Vulnerability", sources: [ { db: "ZDI", id: "ZDI-20-778", }, ], trust: 0.7, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Buffer error", sources: [ { db: "IVD", id: "2e91579b-642f-4242-83f1-d1d890cc5345", }, { db: "IVD", id: "213f4b05-e0a3-4f65-b456-b752579d9402", }, { db: "CNNVD", id: "CNNVD-202006-1210", }, ], trust: 1, }, }
var-202201-0605
Vulnerability from variot
Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL. Mitsubishi Electric MC Works64 and ICONICS MobileHMI Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. An attacker could exploit this vulnerability to execute JavaScript code on the client side
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-202201-0605", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "mc works64", scope: "lt", trust: 1, vendor: "mitsubishielectric", version: "10.95.210.01", }, { model: "mobilehmi", scope: "lte", trust: 1, vendor: "iconics", version: "10.96.2", }, { model: "mc works64", scope: "lte", trust: 0.8, vendor: "三菱電機", version: "4.04e (10.95.210.01) and earlier", }, { model: "mobilehmi", scope: null, trust: 0.8, vendor: "iconics", version: null, }, { model: "electric mc works64", scope: "lt", trust: 0.6, vendor: "mitsubishi", version: "10.95.210.01", }, ], sources: [ { db: "CNVD", id: "CNVD-2022-08219", }, { db: "JVNDB", id: "JVNDB-2022-003885", }, { db: "NVD", id: "CVE-2022-23127", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "ICONICS and Mitsubishi Electric reported these vulnerabilities to CISA.", sources: [ { db: "CNNVD", id: "CNNVD-202201-1854", }, ], trust: 0.6, }, cve: "CVE-2022-23127", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", exploitabilityScore: 8.6, id: "CVE-2022-23127", impactScore: 2.9, integrityImpact: "PARTIAL", severity: "MEDIUM", trust: 1.9, vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", author: "CNVD", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", exploitabilityScore: 8.6, id: "CNVD-2022-08219", impactScore: 2.9, integrityImpact: "PARTIAL", severity: "MEDIUM", trust: 0.6, vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", exploitabilityScore: 2.8, id: "CVE-2022-23127", impactScore: 2.7, integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", trust: 1, userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, { attackComplexity: "Low", attackVector: "Network", author: "NVD", availabilityImpact: "None", baseScore: 6.1, baseSeverity: "Medium", confidentialityImpact: "Low", exploitabilityScore: null, id: "CVE-2022-23127", impactScore: null, integrityImpact: "Low", privilegesRequired: "None", scope: "Changed", trust: 0.8, userInteraction: "Required", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2022-23127", trust: 1, value: "MEDIUM", }, { author: "NVD", id: "CVE-2022-23127", trust: 0.8, value: "Medium", }, { author: "CNVD", id: "CNVD-2022-08219", trust: 0.6, value: "MEDIUM", }, { author: "CNNVD", id: "CNNVD-202201-1854", trust: 0.6, value: "MEDIUM", }, { author: "VULMON", id: "CVE-2022-23127", trust: 0.1, value: "MEDIUM", }, ], }, ], sources: [ { db: "CNVD", id: "CNVD-2022-08219", }, { db: "VULMON", id: "CVE-2022-23127", }, { db: "JVNDB", id: "JVNDB-2022-003885", }, { db: "CNNVD", id: "CNNVD-202201-1854", }, { db: "NVD", id: "CVE-2022-23127", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL. Mitsubishi Electric MC Works64 and ICONICS MobileHMI Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. An attacker could exploit this vulnerability to execute JavaScript code on the client side", sources: [ { db: "NVD", id: "CVE-2022-23127", }, { db: "JVNDB", id: "JVNDB-2022-003885", }, { db: "CNVD", id: "CNVD-2022-08219", }, { db: "VULMON", id: "CVE-2022-23127", }, ], trust: 2.25, }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2022-23127", trust: 3.9, }, { db: "ICS CERT", id: "ICSA-22-020-01", trust: 2.5, }, { db: "JVN", id: "JVNVU95403720", trust: 2.5, }, { db: "JVNDB", id: "JVNDB-2022-003885", trust: 0.8, }, { db: "CNVD", id: "CNVD-2022-08219", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2022.0311", trust: 0.6, }, { db: "CS-HELP", id: "SB2022012109", trust: 0.6, }, { db: "CNNVD", id: "CNNVD-202201-1854", trust: 0.6, }, { db: "VULMON", id: "CVE-2022-23127", trust: 0.1, }, ], sources: [ { db: "CNVD", id: "CNVD-2022-08219", }, { db: "VULMON", id: "CVE-2022-23127", }, { db: "JVNDB", id: "JVNDB-2022-003885", }, { db: "CNNVD", id: "CNNVD-202201-1854", }, { db: "NVD", id: "CVE-2022-23127", }, ], }, id: "VAR-202201-0605", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "CNVD", id: "CNVD-2022-08219", }, ], trust: 1.6, }, iot_taxonomy: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { category: [ "ICS", ], sub_category: null, trust: 0.6, }, ], sources: [ { db: "CNVD", id: "CNVD-2022-08219", }, ], }, last_update_date: "2024-11-23T21:33:22.098000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "Top Page Mitsubishi Electric Mitsubishi Electric Corporation", trust: 0.8, url: "https://iconics.com/", }, { title: "Patch for Mitsubishi Electric MC Works64 Cross-Site Scripting Vulnerability", trust: 0.6, url: "https://www.cnvd.org.cn/patchInfo/show/317286", }, { title: "Mitsubishi Electric MC Works64 Fixes for cross-site scripting vulnerabilities", trust: 0.6, url: "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=179842", }, { title: "CVE-2022-XXXX", trust: 0.1, url: "https://github.com/AlphabugX/CVE-2022-23305 ", }, { title: "CVE-2022-XXXX", trust: 0.1, url: "https://github.com/AlphabugX/CVE-2022-RCE ", }, ], sources: [ { db: "CNVD", id: "CNVD-2022-08219", }, { db: "VULMON", id: "CVE-2022-23127", }, { db: "JVNDB", id: "JVNDB-2022-003885", }, { db: "CNNVD", id: "CNNVD-202201-1854", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "CWE-79", trust: 1, }, { problemtype: "Cross-site scripting (CWE-79) [NVD evaluation ]", trust: 0.8, }, ], sources: [ { db: "JVNDB", id: "JVNDB-2022-003885", }, { db: "NVD", id: "CVE-2022-23127", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 1.8, url: "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", }, { trust: 1.7, url: "https://jvn.jp/vu/jvnvu95403720/index.html", }, { trust: 1.7, url: "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf", }, { trust: 1.4, url: "https://nvd.nist.gov/vuln/detail/cve-2022-23127", }, { trust: 1.2, url: "https://vigilance.fr/vulnerability/iconics-genesis64-four-vulnerabilities-37339", }, { trust: 0.8, url: "https://jvn.jp/vu/jvnvu95403720/", }, { trust: 0.8, url: "https://www.cisa.gov/news-events/ics-advisories/icsa-22-020-01", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2022.0311", }, { trust: 0.6, url: "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2022012109", }, { trust: 0.1, url: "https://cwe.mitre.org/data/definitions/79.html", }, { trust: 0.1, url: "https://nvd.nist.gov", }, { trust: 0.1, url: "https://github.com/alphabugx/cve-2022-23305", }, ], sources: [ { db: "CNVD", id: "CNVD-2022-08219", }, { db: "VULMON", id: "CVE-2022-23127", }, { db: "JVNDB", id: "JVNDB-2022-003885", }, { db: "CNNVD", id: "CNNVD-202201-1854", }, { db: "NVD", id: "CVE-2022-23127", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "CNVD", id: "CNVD-2022-08219", }, { db: "VULMON", id: "CVE-2022-23127", }, { db: "JVNDB", id: "JVNDB-2022-003885", }, { db: "CNNVD", id: "CNNVD-202201-1854", }, { db: "NVD", id: "CVE-2022-23127", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2022-02-03T00:00:00", db: "CNVD", id: "CNVD-2022-08219", }, { date: "2022-01-21T00:00:00", db: "VULMON", id: "CVE-2022-23127", }, { date: "2023-03-10T00:00:00", db: "JVNDB", id: "JVNDB-2022-003885", }, { date: "2022-01-20T00:00:00", db: "CNNVD", id: "CNNVD-202201-1854", }, { date: "2022-01-21T19:15:09.913000", db: "NVD", id: "CVE-2022-23127", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2022-02-03T00:00:00", db: "CNVD", id: "CNVD-2022-08219", }, { date: "2022-01-27T00:00:00", db: "VULMON", id: "CVE-2022-23127", }, { date: "2023-03-10T03:26:00", db: "JVNDB", id: "JVNDB-2022-003885", }, { date: "2022-02-14T00:00:00", db: "CNNVD", id: "CNNVD-202201-1854", }, { date: "2024-11-21T06:48:03.273000", db: "NVD", id: "CVE-2022-23127", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-202201-1854", }, ], trust: 0.6, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Mitsubishi Electric MC Works64 Cross-Site Scripting Vulnerability", sources: [ { db: "CNVD", id: "CNVD-2022-08219", }, { db: "CNNVD", id: "CNNVD-202201-1854", }, ], trust: 1.2, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "XSS", sources: [ { db: "CNNVD", id: "CNNVD-202201-1854", }, ], trust: 0.6, }, }
var-202007-0205
Vulnerability from variot
A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior. Authentication is not required to exploit this vulnerability.The specific flaw exists with the handling of serialized objects. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Mitsubishi Electric MC Works64 is a set of data acquisition and monitoring system (SCADA) of Japan Mitsubishi Electric (Mitsubishi Electric) company. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-202007-0205", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "electric mc works64 <=4.02c", scope: "eq", trust: 1, vendor: "mitsubishi", version: "(10.95.208.31)", }, { model: "energy analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "mc works", scope: "lte", trust: 1, vendor: "mitsubishielectric", version: "10.95.208.31", }, { model: "mobilehmi", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "bizviz", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "facility analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "mc works32", scope: "eq", trust: 1, vendor: "mitsubishielectric", version: "9.50.255.02", }, { model: "genesis64", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "genesis32", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "quality analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "hyper historian", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "smart energy analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { model: "genesis64", scope: null, trust: 0.7, vendor: "iconics", version: null, }, ], sources: [ { db: "IVD", id: "b28667ee-4b0f-4654-bd4f-fbb2c24c795a", }, { db: "IVD", id: "36556b9e-b308-4c4f-a8af-5fce9f89c31b", }, { db: "ZDI", id: "ZDI-20-776", }, { db: "CNVD", id: "CNVD-2020-34369", }, { db: "NVD", id: "CVE-2020-12007", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Yehuda Anikster of Claroty Research", sources: [ { db: "ZDI", id: "ZDI-20-776", }, ], trust: 0.7, }, cve: "CVE-2020-12007", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", exploitabilityScore: 10, id: "CVE-2020-12007", impactScore: 6.4, integrityImpact: "PARTIAL", severity: "HIGH", trust: 1.1, vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "CNVD", availabilityImpact: "COMPLETE", baseScore: 7.8, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "CNVD-2020-34369", impactScore: 6.9, integrityImpact: "NONE", severity: "HIGH", trust: 0.6, vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:C", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "IVD", availabilityImpact: "COMPLETE", baseScore: 7.8, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "b28667ee-4b0f-4654-bd4f-fbb2c24c795a", impactScore: 6.9, integrityImpact: "NONE", severity: "HIGH", trust: 0.2, vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:C", version: "2.9 [IVD]", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "IVD", availabilityImpact: "COMPLETE", baseScore: 7.8, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "36556b9e-b308-4c4f-a8af-5fce9f89c31b", impactScore: 6.9, integrityImpact: "NONE", severity: "HIGH", trust: 0.2, vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:C", version: "2.9 [IVD]", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", exploitabilityScore: 3.9, id: "CVE-2020-12007", impactScore: 5.9, integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 1, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, { attackComplexity: "LOW", attackVector: "NETWORK", author: "ZDI", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", exploitabilityScore: 3.9, id: "CVE-2020-12007", impactScore: 1.4, integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 0.7, userInteraction: "NONE", vectorString: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2020-12007", trust: 1, value: "CRITICAL", }, { author: "ZDI", id: "CVE-2020-12007", trust: 0.7, value: "MEDIUM", }, { author: "CNVD", id: "CNVD-2020-34369", trust: 0.6, value: "HIGH", }, { author: "CNNVD", id: "CNNVD-202006-1227", trust: 0.6, value: "CRITICAL", }, { author: "IVD", id: "b28667ee-4b0f-4654-bd4f-fbb2c24c795a", trust: 0.2, value: "HIGH", }, { author: "IVD", id: "36556b9e-b308-4c4f-a8af-5fce9f89c31b", trust: 0.2, value: "HIGH", }, { author: "VULMON", id: "CVE-2020-12007", trust: 0.1, value: "HIGH", }, ], }, ], sources: [ { db: "IVD", id: "b28667ee-4b0f-4654-bd4f-fbb2c24c795a", }, { db: "IVD", id: "36556b9e-b308-4c4f-a8af-5fce9f89c31b", }, { db: "ZDI", id: "ZDI-20-776", }, { db: "CNVD", id: "CNVD-2020-34369", }, { db: "VULMON", id: "CVE-2020-12007", }, { db: "CNNVD", id: "CNNVD-202006-1227", }, { db: "NVD", id: "CVE-2020-12007", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior. Authentication is not required to exploit this vulnerability.The specific flaw exists with the handling of serialized objects. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Mitsubishi Electric MC Works64 is a set of data acquisition and monitoring system (SCADA) of Japan Mitsubishi Electric (Mitsubishi Electric) company. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided", sources: [ { db: "NVD", id: "CVE-2020-12007", }, { db: "ZDI", id: "ZDI-20-776", }, { db: "CNVD", id: "CNVD-2020-34369", }, { db: "IVD", id: "b28667ee-4b0f-4654-bd4f-fbb2c24c795a", }, { db: "IVD", id: "36556b9e-b308-4c4f-a8af-5fce9f89c31b", }, { db: "VULMON", id: "CVE-2020-12007", }, ], trust: 2.52, }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2020-12007", trust: 3.4, }, { db: "ICS CERT", id: "ICSA-20-170-02", trust: 2.3, }, { db: "ICS CERT", id: "ICSA-20-170-03", trust: 1.7, }, { db: "ZDI", id: "ZDI-20-776", trust: 1.3, }, { db: "CNVD", id: "CNVD-2020-34369", trust: 1, }, { db: "CNNVD", id: "CNNVD-202006-1227", trust: 1, }, { db: "ZDI_CAN", id: "ZDI-CAN-10267", trust: 0.7, }, { db: "AUSCERT", id: "ESB-2020.2147", trust: 0.6, }, { db: "IVD", id: "B28667EE-4B0F-4654-BD4F-FBB2C24C795A", trust: 0.2, }, { db: "IVD", id: "36556B9E-B308-4C4F-A8AF-5FCE9F89C31B", trust: 0.2, }, { db: "VULMON", id: "CVE-2020-12007", trust: 0.1, }, ], sources: [ { db: "IVD", id: "b28667ee-4b0f-4654-bd4f-fbb2c24c795a", }, { db: "IVD", id: "36556b9e-b308-4c4f-a8af-5fce9f89c31b", }, { db: "ZDI", id: "ZDI-20-776", }, { db: "CNVD", id: "CNVD-2020-34369", }, { db: "VULMON", id: "CVE-2020-12007", }, { db: "CNNVD", id: "CNNVD-202006-1227", }, { db: "NVD", id: "CVE-2020-12007", }, ], }, id: "VAR-202007-0205", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "IVD", id: "b28667ee-4b0f-4654-bd4f-fbb2c24c795a", }, { db: "IVD", id: "36556b9e-b308-4c4f-a8af-5fce9f89c31b", }, { db: "CNVD", id: "CNVD-2020-34369", }, ], trust: 1.736598425, }, iot_taxonomy: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { category: [ "ICS", ], sub_category: null, trust: 1, }, ], sources: [ { db: "IVD", id: "b28667ee-4b0f-4654-bd4f-fbb2c24c795a", }, { db: "IVD", id: "36556b9e-b308-4c4f-a8af-5fce9f89c31b", }, { db: "CNVD", id: "CNVD-2020-34369", }, ], }, last_update_date: "2024-11-23T22:11:26.672000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "ICONICS has issued an update to correct this vulnerability.", trust: 0.7, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, { title: "Patch for Mitsubishi Electric MC Works64 code issue vulnerability", trust: 0.6, url: "https://www.cnvd.org.cn/patchInfo/show/222941", }, ], sources: [ { db: "ZDI", id: "ZDI-20-776", }, { db: "CNVD", id: "CNVD-2020-34369", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "CWE-502", trust: 1, }, ], sources: [ { db: "NVD", id: "CVE-2020-12007", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 1.7, url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, { trust: 1.2, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-02", }, { trust: 1, url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02%2c", }, { trust: 0.7, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, { trust: 0.6, url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { trust: 0.6, url: "https://nvd.nist.gov/vuln/detail/cve-2020-12007", }, { trust: 0.6, url: "https://www.zerodayinitiative.com/advisories/zdi-20-776/", }, { trust: 0.6, url: "https://vigilance.fr/vulnerability/iconics-genesis32-genesis64-multiple-vulnerabilities-32668", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2020.2147/", }, { trust: 0.1, url: "https://cwe.mitre.org/data/definitions/502.html", }, { trust: 0.1, url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02,", }, { trust: 0.1, url: "https://nvd.nist.gov", }, { trust: 0.1, url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/183626", }, ], sources: [ { db: "ZDI", id: "ZDI-20-776", }, { db: "CNVD", id: "CNVD-2020-34369", }, { db: "VULMON", id: "CVE-2020-12007", }, { db: "CNNVD", id: "CNNVD-202006-1227", }, { db: "NVD", id: "CVE-2020-12007", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "IVD", id: "b28667ee-4b0f-4654-bd4f-fbb2c24c795a", }, { db: "IVD", id: "36556b9e-b308-4c4f-a8af-5fce9f89c31b", }, { db: "ZDI", id: "ZDI-20-776", }, { db: "CNVD", id: "CNVD-2020-34369", }, { db: "VULMON", id: "CVE-2020-12007", }, { db: "CNNVD", id: "CNNVD-202006-1227", }, { db: "NVD", id: "CVE-2020-12007", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2020-06-18T00:00:00", db: "IVD", id: "b28667ee-4b0f-4654-bd4f-fbb2c24c795a", }, { date: "2020-06-18T00:00:00", db: "IVD", id: "36556b9e-b308-4c4f-a8af-5fce9f89c31b", }, { date: "2020-06-30T00:00:00", db: "ZDI", id: "ZDI-20-776", }, { date: "2020-06-23T00:00:00", db: "CNVD", id: "CNVD-2020-34369", }, { date: "2020-07-16T00:00:00", db: "VULMON", id: "CVE-2020-12007", }, { date: "2020-06-18T00:00:00", db: "CNNVD", id: "CNNVD-202006-1227", }, { date: "2020-07-16T22:15:11.337000", db: "NVD", id: "CVE-2020-12007", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2020-06-30T00:00:00", db: "ZDI", id: "ZDI-20-776", }, { date: "2020-06-23T00:00:00", db: "CNVD", id: "CNVD-2020-34369", }, { date: "2020-07-29T00:00:00", db: "VULMON", id: "CVE-2020-12007", }, { date: "2020-07-30T00:00:00", db: "CNNVD", id: "CNNVD-202006-1227", }, { date: "2024-11-21T04:59:06.190000", db: "NVD", id: "CVE-2020-12007", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-202006-1227", }, ], trust: 0.6, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Mitsubishi Electric MC Works64 Code Issue Vulnerability", sources: [ { db: "IVD", id: "b28667ee-4b0f-4654-bd4f-fbb2c24c795a", }, { db: "IVD", id: "36556b9e-b308-4c4f-a8af-5fce9f89c31b", }, { db: "CNVD", id: "CNVD-2020-34369", }, ], trust: 1, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Code problem", sources: [ { db: "IVD", id: "b28667ee-4b0f-4654-bd4f-fbb2c24c795a", }, { db: "IVD", id: "36556b9e-b308-4c4f-a8af-5fce9f89c31b", }, { db: "CNNVD", id: "CNNVD-202006-1227", }, ], trust: 1, }, }
var-202007-0208
Vulnerability from variot
A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior. Several Mitsubishi Electric products contain vulnerabilities related to unreliable data deserialization.Service operation interruption (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS Genesis64. Authentication is not required to exploit this vulnerability.The specific flaw exists with the handling of serialized objects. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Mitsubishi Electric MC Works64 and MC Works32 are a set of data acquisition and monitoring system (SCADA) of Japan Mitsubishi Electric (Mitsubishi Electric) company. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided
Show details on source website{ affected_products: { _id: null, data: [ { _id: null, model: "electric mc works64 <=4.02c", scope: "eq", trust: 1, vendor: "mitsubishi", version: "(10.95.208.31)", }, { _id: null, model: "energy analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "mc works", scope: "lte", trust: 1, vendor: "mitsubishielectric", version: "10.95.208.31", }, { _id: null, model: "mobilehmi", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "bizviz", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "facility analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "mc works32", scope: "eq", trust: 1, vendor: "mitsubishielectric", version: "9.50.255.02", }, { _id: null, model: "genesis64", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "genesis32", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "quality analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "hyper historian", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "smart energy analytix", scope: "eq", trust: 1, vendor: "iconics", version: null, }, { _id: null, model: "bizviz", scope: null, trust: 0.8, vendor: "iconics", version: null, }, { _id: null, model: "energy analytix", scope: null, trust: 0.8, vendor: "iconics", version: null, }, { _id: null, model: "facility analytix", scope: null, trust: 0.8, vendor: "iconics", version: null, }, { _id: null, model: "genesis 64", scope: null, trust: 0.8, vendor: "iconics", version: null, }, { _id: null, model: "genesis32", scope: null, trust: 0.8, vendor: "iconics", version: null, }, { _id: null, model: "hyper historian", scope: null, trust: 0.8, vendor: "iconics", version: null, }, { _id: null, model: "mobilehmi", scope: null, trust: 0.8, vendor: "iconics", version: null, }, { _id: null, model: "quality analytix", scope: null, trust: 0.8, vendor: "iconics", version: null, }, { _id: null, model: "smart energy analytix", scope: null, trust: 0.8, vendor: "iconics", version: null, }, { _id: null, model: "mc works", scope: "eq", trust: 0.8, vendor: "mitsubishi electric", version: "64", }, { _id: null, model: "mc works 32", scope: null, trust: 0.8, vendor: "mitsubishi electric", version: null, }, { _id: null, model: "genesis64", scope: null, trust: 0.7, vendor: "iconics", version: null, }, { _id: null, model: "electric mc works32 3.00a", scope: "eq", trust: 0.6, vendor: "mitsubishi", version: "(9.50.255.02)", }, { _id: null, model: "electric mc works32 3.00a", scope: "eq", trust: 0.4, vendor: "mitsubishi", version: "(9.50.255.02)*", }, ], sources: [ { db: "IVD", id: "4bda61ca-bd50-4b09-a018-05ea35ff2332", }, { db: "IVD", id: "31ad87c7-757e-410a-89c6-906cc763b446", }, { db: "ZDI", id: "ZDI-20-780", }, { db: "CNVD", id: "CNVD-2020-34372", }, { db: "JVNDB", id: "JVNDB-2020-008308", }, { db: "NVD", id: "CVE-2020-12015", }, ], }, configurations: { _id: null, data: [ { CVE_data_version: "4.0", nodes: [ { cpe_match: [ { cpe22Uri: "cpe:/a:iconics:bizviz", vulnerable: true, }, { cpe22Uri: "cpe:/a:iconics:energy_analytix", vulnerable: true, }, { cpe22Uri: "cpe:/a:iconics:facility_analytix", vulnerable: true, }, { cpe22Uri: "cpe:/a:iconics:genesis64", vulnerable: true, }, { cpe22Uri: "cpe:/a:iconics:genesis32", vulnerable: true, }, { cpe22Uri: "cpe:/a:iconics:hyper_historian", vulnerable: true, }, { cpe22Uri: "cpe:/a:iconics:mobilehmi", vulnerable: true, }, { cpe22Uri: "cpe:/a:iconics:quality_analytix", vulnerable: true, }, { cpe22Uri: "cpe:/a:iconics:smart_energy_analytix", vulnerable: true, }, { cpe22Uri: "cpe:/a:mitsubishielectric:mc_works", vulnerable: true, }, { cpe22Uri: "cpe:/a:mitsubishielectric:mc_works32", vulnerable: true, }, ], operator: "OR", }, ], }, ], sources: [ { db: "JVNDB", id: "JVNDB-2020-008308", }, ], }, credits: { _id: null, data: "Chris Anastasio (muffin) and Steven Seeley (mr_me) of Incite Team", sources: [ { db: "ZDI", id: "ZDI-20-780", }, ], trust: 0.7, }, cve: "CVE-2020-12015", cvss: { _id: null, data: [ { cvssV2: [ { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "CVE-2020-12015", impactScore: 2.9, integrityImpact: "NONE", severity: "MEDIUM", trust: 1, vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, { acInsufInfo: null, accessComplexity: "Low", accessVector: "Network", authentication: "None", author: "NVD", availabilityImpact: "Partial", baseScore: 5, confidentialityImpact: "None", exploitabilityScore: null, id: "JVNDB-2020-008308", impactScore: null, integrityImpact: "None", obtainAllPrivilege: null, obtainOtherPrivilege: null, obtainUserPrivilege: null, severity: "Medium", trust: 0.8, userInteractionRequired: null, vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "CNVD", availabilityImpact: "COMPLETE", baseScore: 7.8, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "CNVD-2020-34372", impactScore: 6.9, integrityImpact: "NONE", severity: "HIGH", trust: 0.6, vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:C", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "IVD", availabilityImpact: "COMPLETE", baseScore: 7.8, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "4bda61ca-bd50-4b09-a018-05ea35ff2332", impactScore: 6.9, integrityImpact: "NONE", severity: "HIGH", trust: 0.2, vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:C", version: "2.9 [IVD]", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "IVD", availabilityImpact: "COMPLETE", baseScore: 7.8, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "31ad87c7-757e-410a-89c6-906cc763b446", impactScore: 6.9, integrityImpact: "NONE", severity: "HIGH", trust: 0.2, vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:C", version: "2.9 [IVD]", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", exploitabilityScore: 3.9, id: "CVE-2020-12015", impactScore: 3.6, integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 1, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, { attackComplexity: "Low", attackVector: "Network", author: "NVD", availabilityImpact: "High", baseScore: 7.5, baseSeverity: "High", confidentialityImpact: "None", exploitabilityScore: null, id: "JVNDB-2020-008308", impactScore: null, integrityImpact: "None", privilegesRequired: "None", scope: "Unchanged", trust: 0.8, userInteraction: "None", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, { attackComplexity: "LOW", attackVector: "NETWORK", author: "ZDI", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", exploitabilityScore: 3.9, id: "CVE-2020-12015", impactScore: 5.9, integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 0.7, userInteraction: "NONE", vectorString: "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2020-12015", trust: 1, value: "HIGH", }, { author: "NVD", id: "JVNDB-2020-008308", trust: 0.8, value: "High", }, { author: "ZDI", id: "CVE-2020-12015", trust: 0.7, value: "CRITICAL", }, { author: "CNVD", id: "CNVD-2020-34372", trust: 0.6, value: "HIGH", }, { author: "CNNVD", id: "CNNVD-202006-1209", trust: 0.6, value: "HIGH", }, { author: "IVD", id: "4bda61ca-bd50-4b09-a018-05ea35ff2332", trust: 0.2, value: "HIGH", }, { author: "IVD", id: "31ad87c7-757e-410a-89c6-906cc763b446", trust: 0.2, value: "HIGH", }, ], }, ], sources: [ { db: "IVD", id: "4bda61ca-bd50-4b09-a018-05ea35ff2332", }, { db: "IVD", id: "31ad87c7-757e-410a-89c6-906cc763b446", }, { db: "ZDI", id: "ZDI-20-780", }, { db: "CNVD", id: "CNVD-2020-34372", }, { db: "JVNDB", id: "JVNDB-2020-008308", }, { db: "CNNVD", id: "CNNVD-202006-1209", }, { db: "NVD", id: "CVE-2020-12015", }, ], }, description: { _id: null, data: "A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior. Several Mitsubishi Electric products contain vulnerabilities related to unreliable data deserialization.Service operation interruption (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS Genesis64. Authentication is not required to exploit this vulnerability.The specific flaw exists with the handling of serialized objects. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Mitsubishi Electric MC Works64 and MC Works32 are a set of data acquisition and monitoring system (SCADA) of Japan Mitsubishi Electric (Mitsubishi Electric) company. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided", sources: [ { db: "NVD", id: "CVE-2020-12015", }, { db: "JVNDB", id: "JVNDB-2020-008308", }, { db: "ZDI", id: "ZDI-20-780", }, { db: "CNVD", id: "CNVD-2020-34372", }, { db: "IVD", id: "4bda61ca-bd50-4b09-a018-05ea35ff2332", }, { db: "IVD", id: "31ad87c7-757e-410a-89c6-906cc763b446", }, ], trust: 3.15, }, external_ids: { _id: null, data: [ { db: "NVD", id: "CVE-2020-12015", trust: 4.1, }, { db: "ICS CERT", id: "ICSA-20-170-02", trust: 3, }, { db: "ICS CERT", id: "ICSA-20-170-03", trust: 2.4, }, { db: "ZDI", id: "ZDI-20-780", trust: 1.3, }, { db: "CNVD", id: "CNVD-2020-34372", trust: 1, }, { db: "CNNVD", id: "CNNVD-202006-1209", trust: 1, }, { db: "JVN", id: "JVNVU95379131", trust: 0.8, }, { db: "JVNDB", id: "JVNDB-2020-008308", trust: 0.8, }, { db: "ZDI_CAN", id: "ZDI-CAN-10297", trust: 0.7, }, { db: "AUSCERT", id: "ESB-2020.2147", trust: 0.6, }, { db: "IVD", id: "4BDA61CA-BD50-4B09-A018-05EA35FF2332", trust: 0.2, }, { db: "IVD", id: "31AD87C7-757E-410A-89C6-906CC763B446", trust: 0.2, }, ], sources: [ { db: "IVD", id: "4bda61ca-bd50-4b09-a018-05ea35ff2332", }, { db: "IVD", id: "31ad87c7-757e-410a-89c6-906cc763b446", }, { db: "ZDI", id: "ZDI-20-780", }, { db: "CNVD", id: "CNVD-2020-34372", }, { db: "JVNDB", id: "JVNDB-2020-008308", }, { db: "CNNVD", id: "CNNVD-202006-1209", }, { db: "NVD", id: "CVE-2020-12015", }, ], }, id: "VAR-202007-0208", iot: { _id: null, data: true, sources: [ { db: "IVD", id: "4bda61ca-bd50-4b09-a018-05ea35ff2332", }, { db: "IVD", id: "31ad87c7-757e-410a-89c6-906cc763b446", }, { db: "CNVD", id: "CNVD-2020-34372", }, ], trust: 1.78927874, }, iot_taxonomy: { _id: null, data: [ { category: [ "ICS", ], sub_category: null, trust: 1, }, ], sources: [ { db: "IVD", id: "4bda61ca-bd50-4b09-a018-05ea35ff2332", }, { db: "IVD", id: "31ad87c7-757e-410a-89c6-906cc763b446", }, { db: "CNVD", id: "CNVD-2020-34372", }, ], }, last_update_date: "2024-11-23T22:11:26.711000Z", patch: { _id: null, data: [ { title: "Top Page", trust: 0.8, url: "https://iconics.com/", }, { title: "Top Page", trust: 0.8, url: "https://www.mitsubishielectric.co.jp/", }, { title: "ICONICS has issued an update to correct this vulnerability.", trust: 0.7, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, { title: "Patch for Mitsubishi Electric MC Works64 and MC Works32 code issue vulnerability", trust: 0.6, url: "https://www.cnvd.org.cn/patchInfo/show/222933", }, ], sources: [ { db: "ZDI", id: "ZDI-20-780", }, { db: "CNVD", id: "CNVD-2020-34372", }, { db: "JVNDB", id: "JVNDB-2020-008308", }, ], }, problemtype_data: { _id: null, data: [ { problemtype: "CWE-502", trust: 1.8, }, ], sources: [ { db: "JVNDB", id: "JVNDB-2020-008308", }, { db: "NVD", id: "CVE-2020-12015", }, ], }, references: { _id: null, data: [ { trust: 2.8, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-02", }, { trust: 2.3, url: "https://www.us-cert.gov/ics/advisories/icsa-20-170-03", }, { trust: 1.4, url: "https://nvd.nist.gov/vuln/detail/cve-2020-12015", }, { trust: 0.8, url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12015", }, { trust: 0.8, url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02", }, { trust: 0.8, url: "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03", }, { trust: 0.8, url: "https://jvn.jp/vu/jvnvu95379131/", }, { trust: 0.6, url: "https://vigilance.fr/vulnerability/iconics-genesis32-genesis64-multiple-vulnerabilities-32668", }, { trust: 0.6, url: "https://www.zerodayinitiative.com/advisories/zdi-20-780/", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2020.2147/", }, ], sources: [ { db: "ZDI", id: "ZDI-20-780", }, { db: "CNVD", id: "CNVD-2020-34372", }, { db: "JVNDB", id: "JVNDB-2020-008308", }, { db: "CNNVD", id: "CNNVD-202006-1209", }, { db: "NVD", id: "CVE-2020-12015", }, ], }, sources: { _id: null, data: [ { db: "IVD", id: "4bda61ca-bd50-4b09-a018-05ea35ff2332", ident: null, }, { db: "IVD", id: "31ad87c7-757e-410a-89c6-906cc763b446", ident: null, }, { db: "ZDI", id: "ZDI-20-780", ident: null, }, { db: "CNVD", id: "CNVD-2020-34372", ident: null, }, { db: "JVNDB", id: "JVNDB-2020-008308", ident: null, }, { db: "CNNVD", id: "CNNVD-202006-1209", ident: null, }, { db: "NVD", id: "CVE-2020-12015", ident: null, }, ], }, sources_release_date: { _id: null, data: [ { date: "2020-06-18T00:00:00", db: "IVD", id: "4bda61ca-bd50-4b09-a018-05ea35ff2332", ident: null, }, { date: "2020-06-18T00:00:00", db: "IVD", id: "31ad87c7-757e-410a-89c6-906cc763b446", ident: null, }, { date: "2020-06-30T00:00:00", db: "ZDI", id: "ZDI-20-780", ident: null, }, { date: "2020-06-23T00:00:00", db: "CNVD", id: "CNVD-2020-34372", ident: null, }, { date: "2020-09-08T00:00:00", db: "JVNDB", id: "JVNDB-2020-008308", ident: null, }, { date: "2020-06-18T00:00:00", db: "CNNVD", id: "CNNVD-202006-1209", ident: null, }, { date: "2020-07-16T22:15:11.493000", db: "NVD", id: "CVE-2020-12015", ident: null, }, ], }, sources_update_date: { _id: null, data: [ { date: "2020-06-30T00:00:00", db: "ZDI", id: "ZDI-20-780", ident: null, }, { date: "2020-06-23T00:00:00", db: "CNVD", id: "CNVD-2020-34372", ident: null, }, { date: "2020-09-08T00:00:00", db: "JVNDB", id: "JVNDB-2020-008308", ident: null, }, { date: "2020-07-23T00:00:00", db: "CNNVD", id: "CNNVD-202006-1209", ident: null, }, { date: "2024-11-21T04:59:07.153000", db: "NVD", id: "CVE-2020-12015", ident: null, }, ], }, threat_type: { _id: null, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-202006-1209", }, ], trust: 0.6, }, title: { _id: null, data: "Unreliable data deserialization vulnerabilities in multiple MC products", sources: [ { db: "JVNDB", id: "JVNDB-2020-008308", }, ], trust: 0.8, }, type: { _id: null, data: "Code problem", sources: [ { db: "IVD", id: "4bda61ca-bd50-4b09-a018-05ea35ff2332", }, { db: "IVD", id: "31ad87c7-757e-410a-89c6-906cc763b446", }, { db: "CNNVD", id: "CNNVD-202006-1209", }, ], trust: 1, }, }