Moxa Oncell G3150-Hspa-T Firmware vulnerabilities

CVE-2018-11422 [CRITICAL] CWE-319 CVE-2018-11422: Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary configuration p Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary configuration protocol that does not provide confidentiality, integrity, and authenticity security controls. All information is sent in plain text, and can be intercepted and modified. Any commands (including device reboot, configuration download or upload, or fir

CVE-2018-11421 [CRITICAL] CWE-319 CVE-2018-11421: Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary monitoring prot Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary monitoring protocol that does not provide confidentiality, integrity, and authenticity security controls. All information is sent in plain text, and can be intercepted and modified. The protocol is vulnerable to remote unauthenticated disclosure of sensitive infor

CVE-2018-11426 [CRITICAL] CWE-287 CVE-2018-11426: A weak Cookie parameter is used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 A weak Cookie parameter is used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. An attacker can brute force parameters required to bypass authentication and access the web interface to use all its functions except for password change.

CVE-2018-11420 [CRITICAL] CWE-787 CVE-2018-11420: There is Memory corruption in the web interface of Moxa OnCell G3100-HSPA Series version 1.5 Build 1 There is Memory corruption in the web interface of Moxa OnCell G3100-HSPA Series version 1.5 Build 17042015 and prio,r a different vulnerability than CVE-2018-11423.

CVE-2018-11423 [HIGH] CVE-2018-11423: There is Memory corruption in the web interface Moxa OnCell G3100-HSPA Series version 1.6 Build 1710 There is Memory corruption in the web interface Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior, different vulnerability than CVE-2018-11420.

CVE-2018-11427 [HIGH] CWE-352 CVE-2018-11427: CSRF tokens are not used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 1 CSRF tokens are not used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior, which makes it possible to perform CSRF attacks on the device administrator.

CVE-2018-5455 [CRITICAL] CWE-565 CVE-2018-5455: A Reliance on Cookies without Validation and Integrity Checking issue was discovered in Moxa OnCell A Reliance on Cookies without Validation and Integrity Checking issue was discovered in Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. The application allows a cookie parameter to consist of only digits, allowing an attacker to perform a brute force attack bypassing authentication and gaining access to device functions.

CVE-2018-5453 [HIGH] CWE-130 CVE-2018-5453: An Improper Handling of Length Parameter Inconsistency issue was discovered in Moxa OnCell G3100-HSP An Improper Handling of Length Parameter Inconsistency issue was discovered in Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. An attacker may be able to edit the element of an HTTP request, causing the device to become unavailable.

CVE-2018-5449 [MEDIUM] CWE-476 CVE-2018-5449: A NULL Pointer Dereference issue was discovered in Moxa OnCell G3100-HSPA Series version 1.4 Build 1 A NULL Pointer Dereference issue was discovered in Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. The application does not check for a NULL value, allowing for an attacker to perform a denial of service attack.