cvebase

Secheron Sepcos Control And Protection Relay Firmware Package vulnerabilities

7 known vulnerabilities affecting secheron/sepcos_control_and_protection_relay_firmware_package.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 2, MEDIUM 1

Vulnerabilities

CVE-2022-1668 | P2 | CRITICAL | CVSS 9.8 | All versions < 1.23.21 | 2022-06-24
CVE-2022-1668 [CRITICAL] CWE-521: Weak default root user credentials allow remote attackers to easily obtain OS superuser privileges over the open TCP port for SSH.
Source: NVD

CVE-2022-2105 | P3 | CRITICAL | CVSS 9.1 | All versions < 1.23.21 | 2022-06-24
CVE-2022-2105 [CRITICAL] CWE-841: Client-side JavaScript controls may be bypassed to change user credentials and permissions without authentication, including a “root” user level meant only for the vendor. Web server root level access allows for changing of safety critical parameters.
Source: NVD

CVE-2022-2104 | P3 | CRITICAL | CVSS 9.8 | All versions < 1.23.21 | 2022-06-24
CVE-2022-2104 [CRITICAL] CWE-269: The www-data (Apache web server) account is configured to run sudo with no password for many commands (including /bin/sh and /bin/bash).
Source: NVD

CVE-2022-2103 | P3 | CRITICAL | CVSS 9.1 | All versions < 1.23.21 | 2022-06-24
CVE-2022-2103 [CRITICAL] CWE-284: An attacker with weak credentials could access the TCP port via an open FTP port, allowing an attacker to read sensitive files and write to remotely executable directories.
Source: NVD

CVE-2022-2102 | P3 | HIGH | CVSS 7.5 | All versions < 1.23.21 | 2022-06-24
CVE-2022-2102 [HIGH] CWE-841: Controls limiting uploads to certain file extensions may be bypassed. This could allow an attacker to intercept the initial file upload page response and modify the associated code. This modified code can be forwarded and used by a script loaded later in the sequence, allowing for arbitrary file upload into a location where PHP scripts may be executed.
Source: NVD

CVE-2022-1666 | P3 | MEDIUM | CVSS 6.5 | All versions < 1.23.21 | 2022-06-24
CVE-2022-1666 [MEDIUM] CWE-522: The default password for the web application’s root user (the vendor’s private account) was weak and the MD5 hash was used to crack the password using a widely available open-source tool.
Source: NVD

CVE-2022-1667 | P3 | HIGH | CVSS 7.5 | All versions < 1.23.21 | 2022-06-24
CVE-2022-1667 [HIGH] CWE-841: Client-side JavaScript controls may be bypassed by directly running a JS function to reboot the PLC (e.g., from the browser console) or by loading the corresponding, browser accessible PHP script.
Source: NVD