CVE-2024-25136
Published: 2024-03-26

CVE-2024-25136: There is a function in AutomationDirect C-MORE EA9 HMI that allows an attacker to send a relative path in the URL without proper sanitizing of the content.
Priority: P3 (40) · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.62% (45.1st percentile)
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| automationdirect | c-more_ea9_hmi_ea0-t7cl-r | <= 6.77 | — |
| automationdirect | c-more_ea9_hmi_ea9-pgmsw | <= 6.77 | — |
| automationdirect | c-more_ea9_hmi_ea9-rhmi | <= 6.77 | — |
| automationdirect | c-more_ea9_hmi_ea9-t10cl | <= 6.77 | — |
| automationdirect | c-more_ea9_hmi_ea9-t10wcl | <= 6.77 | — |
| automationdirect | c-more_ea9_hmi_ea9-t12cl | <= 6.77 | — |
| automationdirect | c-more_ea9_hmi_ea9-t15cl | <= 6.77 | — |
| automationdirect | c-more_ea9_hmi_ea9-t15cl-r | <= 6.77 | — |
| automationdirect | c-more_ea9_hmi_ea9-t6cl | <= 6.77 | — |
| automationdirect | c-more_ea9_hmi_ea9-t7cl | <= 6.77 | — |
| automationdirect | c-more_ea9_hmi_ea9-t8cl | <= 6.77 | — |
GHSA
GHSA-rv26-9qp5-5mh3 · ghsa_unreviewed · 2024-03-27 · Severity: HIGH · CWE-22
There is a function in AutomationDirect C-MORE EA9 HMI that allows an attacker to send a relative path in the URL without proper sanitizing of the content.
CISA ICS
Automation-Direct C-MORE EA9 HMI · cisa_ics · 2024-03-26 · CVSS 7.5 · Severity: HIGH
ICS Advisory
## Automation-Direct C-MORE EA9 HMI
Release Date: March 26, 2024
Alert Code: ICSA-24-086-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: AutomationDirect
- Equipment: C-MORE EA9 HMI
- Vulnerabilities: Path Traversal, Stack-Based Buffer Overflow, Plaintext Storage of a Password
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to exploit a remote device and inject malicious code on the panel.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of C-MORE EA9 HMI, a display system used for interfacing with controllers, are affected:
- C-MORE EA9 HMI EA9-T6CL: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T7CL: Versi
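The CWE-22 weakness recorded above is a request path that is used without sanitizing relative-path components. As an added defensive example (not code from CISA, AutomationDirect or the advisory), the block below normalises HTTP request targets the way a hardened web handler would (percent-decoding repeated to catch double encoding, backslashes treated as separators, `..` segments resolved against a root) and scans access-log lines for requests that contain dot-dot segments or would climb above the web root. The log format and the sample lines are constructed for the example; the C-MORE EA9 panel's real log format is not known from the page.

```python
"""Detect relative-path traversal (CWE-22) attempts in HTTP request targets."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Matches the request-line part of a Common Log Format entry. The log format
# is an assumption for this example; adapt the regex to the device's own logs.
_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log (not real device output). Paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [26/Mar/2024:10:00:02 +0000] "GET /img/../../secrets.cfg HTTP/1.1" 404 0
10.0.0.7 - - [26/Mar/2024:10:00:03 +0000] "GET /cgi/..%2F..%2Fconfig HTTP/1.1" 200 120
10.0.0.9 - - [26/Mar/2024:10:00:04 +0000] "GET /static/%252e%252e/secret HTTP/1.1" 200 9
10.0.0.9 - - [26/Mar/2024:10:00:05 +0000] "GET /a/b/../c.html HTTP/1.1" 200 9
"""


def decode_fully(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded %252e.. is also caught."""
    prev, cur, rounds = None, target, 0
    while cur != prev and rounds < max_rounds:
        prev, cur = cur, unquote(cur)
        rounds += 1
    return cur


def classify_target(target: str) -> dict:
    """Resolve a request target against the web root.

    Returns the canonical path plus two flags: whether any '..' segment was
    present at all, and whether the path tried to climb above the root.
    The query string is dropped; backslashes count as separators because
    some servers accept them as such.
    """
    decoded = decode_fully(target).split("?", 1)[0].replace("\\", "/")
    segments = decoded.split("/")
    stack: list[str] = []
    escaped = False
    for seg in segments:
        if seg in ("", "."):
            continue            # empty and '.' segments do nothing
        if seg == "..":
            if stack:
                stack.pop()     # normal climb inside the root
            else:
                escaped = True  # attempted climb above the root
            continue
        stack.append(seg)
    return {
        "target": target,
        "resolved": "/" + "/".join(stack),
        "dotdot": ".." in segments,
        "escapes_root": escaped,
    }


def scan_log(text: str) -> list[dict]:
    """Return the classified targets of every request worth an analyst's look."""
    findings = []
    for line in text.splitlines():
        match = _LOG_RE.search(line)
        if not match:
            continue
        info = classify_target(match.group("target"))
        if info["dotdot"] or info["escapes_root"]:
            findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        level = "ESCAPE" if finding["escapes_root"] else "DOTDOT"
        print(f"{level:7} {finding['target']!r} -> {finding['resolved']!r}")
```

Any `..` segment is reported, not only those that escape the root: on an embedded HMI web interface there is no legitimate reason for a client to send one, so the weaker signal is still worth an alert, while `escapes_root` marks the requests that would actually have reached outside the served tree on an unpatched panel.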
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.