CVE-2023-4202
published 2023-08-08CVE-2023-4202: Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stored Cross-Site Scripting vulnerability, which can be triggered by…
PriorityP425medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.82%
52.6th percentile
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stored Cross-Site Scripting vulnerability, which can be triggered by authenticated users in the device name field of the web-interface.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | eki-1521 | <= 1.21 | — |
| advantech | eki-1521_firmware | <= 1.21 | — |
| advantech | eki-1522 | <= 1.21 | — |
| advantech | eki-1522_firmware | <= 1.21 | — |
| advantech | eki-1524 | <= 1.21 | — |
| advantech | eki-1524_firmware | <= 1.21 | — |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vendor_redhat8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-7cj7-3cq3-8fhp: Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1
ghsa_unreviewed·2023-08-08
CVE-2023-4202 [MEDIUM] CWE-79 GHSA-7cj7-3cq3-8fhp: Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stored Cross-Site Scripting vulnerability, which can be triggered by authenticated users in the device name field of the web-interface.
Red Hat
webkitgtk: processing web content may lead to arbitrary code execution
vendor_redhat·2023-09-28·CVSS 8.8
CVE-2023-35074 [HIGH] webkitgtk: processing web content may lead to arbitrary code execution
webkitgtk: processing web content may lead to arbitrary code execution
The issue was addressed with improved memory handling. This issue is fixed in tvOS 17, Safari 17, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. Processing web content may lead to arbitrary code execution.
Statement: The webkitgtk versions as shipped with Red Hat Enterprise Linux 8 and 9 are not affected by this vulnerability. This flaw relies on webkitgtk's JIT to be enabled while this feature was previously disabled in Red Hat Enterprise Linux 8 and 9 by the following erratas:
Red Hat Enterprise Linux 8: https://access.redhat.com/errata/RHSA-2023:4202
Red Hat Enterprise Linux 9: https://access.redhat.com/errata/RHSA-2023:4201
Package: webkitgtk (Red Hat Enterprise Linux 6) - Out of support scope
Package: webki
Red Hat
webkitgtk: processing web content may lead to arbitrary code execution
vendor_redhat·2023-09-28·CVSS 8.8
CVE-2023-41074 [HIGH] webkitgtk: processing web content may lead to arbitrary code execution
webkitgtk: processing web content may lead to arbitrary code execution
The issue was addressed with improved checks. This issue is fixed in tvOS 17, Safari 17, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. Processing web content may lead to arbitrary code execution.
Statement: The webkitgtk versions as shipped with Red Hat Enterprise Linux 8 and 9 are not affected by this vulnerability. This flaw relies on webkitgtk's JIT to be enabled while this feature was previously disabled in Red Hat Enterprise Linux 8 and 9 by the following erratas:
Red Hat Enterprise Linux 8: https://access.redhat.com/errata/RHSA-2023:4202
Red Hat Enterprise Linux 9: https://access.redhat.com/errata/RHSA-2023:4201
Package: webkitgtk (Red Hat Enterprise Linux 6) - Out of support scope
Package: webkitgtk3 (Re
CISA ICS
Advantech EKI-1524-CE series
cisa_ics·2023-09-26·CVSS 9.0
[CRITICAL] Advantech EKI-1524-CE series
ICS Advisory
##
Advantech EKI-1524-CE series
Release DateSeptember 26, 2023
Alert CodeICSA-23-269-04
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v3 5.4
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Advantech
- Equipment: EKI-1524-CE, EKI-1522-CE, EKI-1521-CE
- Vulnerabilities: Cross-Site Scripting
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the session.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following Advantech serial device servers are affected:
- EKI-1524-CE series: versions 1.24 and prior
- EKI-1522-CE series: versions 1.24 and prior
- EKI-1521-CE series: versions 1.24 and prior
## 3.2 Vulnerability Ove
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/174153/Advantech-EKI-1524-CE-EKI-1522-EKI-1521-Cross-Site-Scripting.htmlhttp://seclists.org/fulldisclosure/2023/Aug/13https://cyberdanube.com/en/en-st-polten-uas-multiple-vulnerabilities-in-advantech-eki-15xx-series/http://packetstormsecurity.com/files/174153/Advantech-EKI-1524-CE-EKI-1522-EKI-1521-Cross-Site-Scripting.htmlhttp://seclists.org/fulldisclosure/2023/Aug/13https://cyberdanube.com/en/en-st-polten-uas-multiple-vulnerabilities-in-advantech-eki-15xx-series/
2023-08-08
Published