Maxim Rupp

**Name of the Vulnerable Software and Affected Versions** Kingspan TMS300 CS versions (affected versions not specified) **Description** The issue is due to the lack of adequately implemented access-control rules, allowing an attacker to view and modify application settings without authenticating by accessing a specific uniform resource locator (URL) on the webserver. This can be done by accessing certain URLs, which can be set through the web interface or using brute force. The attacker can change various settings, including those related to sensors, tank information, and alarm threshold values, potentially leading to an emergency situation. The vulnerable product is used worldwide in the water supply and drainage sector. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue allows an attacker with network access to the device's web interface to circumvent the authentication scheme by using a specific credential string, potentially performing administrative operations. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tecson Tankspion (affected versions not specified) GOKs SmartBox 4 (affected versions not specified) **Description** The affected application does not properly restrict access to an endpoint responsible for saving settings, allowing an unauthenticated user with limited access rights to change application settings without authenticating. This is due to the lack of adequately implemented access-control rules, which can be exploited by accessing a specific uniform resource locator (URL) on the web server, violating the originally laid ACL rules. **Recommendations** For Tecson Tankspion, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For GOKs SmartBox 4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: WAGO PLCs versions up to FW07 Description: This issue allows an attacker with access to the WBM to read and write device settings-parameters by sending specifically constructed requests without authentication. Recommendations: For versions up to FW07, consider restricting access to the WBM to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ICX35-HWC-A versions 1.9.62 and prior ICX35-HWC-E versions 1.9.62 and prior **Description** The issue allows the password to be changed without requiring the current password, potentially enabling unauthorized changes by users or external processes. This is due to the lack of a requirement to enter the current password when changing it on the module webpage. **Recommendations** For versions 1.9.62 and prior of ICX35-HWC-A and ICX35-HWC-E, consider implementing a workaround that requires the current password to be entered before changing it, or restrict access to the password change functionality until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) versions V2.0.0 and above Endress+Hauser Memograph M (Neutral/Private Label) (RSG45, ORSG45) versions V2.0.0 and above **Description** The issue concerns exposure of sensitive information to unauthorized actors. The firmware release utilizes a dynamic token for each request submitted to the server, complicating repeating requests and analysis. However, it was discovered that there is an issue with the access-control matrix on the server-side, allowing a user with low rights to access information from endpoints that should not be available to them. **Recommendations** For Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) versions V2.0.0 and above: As a temporary workaround, consider restricting access to sensitive endpoints until a patch is available. For Endress+Hauser Memograph M (Neutral/Private Label) (RSG45, ORSG45) versions V2.0.0 and above: As a temporary workaround, consider restricting access to sensitive endpoints until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) versions prior to V2.0.0 **Description** The affected device has a web-based user interface with a role-based access system, where users with different roles have different write and read privileges. The access system is based on dynamic "tokens". The issue arises because user sessions are not closed correctly, allowing a user with fewer rights to be assigned higher rights when they log on. **Recommendations** For versions prior to V2.0.0, update the firmware to version V2.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the web-based user interface or implementing additional authentication measures to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Bender COMTRAXX versions prior to 4.2.0 COM465IP versions prior to 4.2.0 COM465DP versions prior to 4.2.0 COM465ID versions prior to 4.2.0 CP700 versions prior to 4.2.0 CP907 versions prior to 4.2.0 CP915 versions prior to 4.2.0 **Description** The issue concerns inadequate user authorization validation in certain routes of the system, allowing unauthorized access to configuration data. A user with knowledge of the system's routes can read and write configuration data without proper authorization. **Recommendations** For versions prior to 4.2.0, update to version 4.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive routes and configuration data until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WAGO 750-8XX series versions FW03 and prior versions WAGO 750-362 versions FW03 and prior versions WAGO 750-363 versions FW03 and prior versions WAGO 750-823 versions FW03 and prior versions WAGO 750-832/xxx-xxx versions FW03 and prior versions WAGO 750-862 versions FW03 and prior versions WAGO 750-891 versions FW03 and prior versions WAGO 750-890/xxx-xxx versions FW03 and prior versions **Description** The issue is related to an Improper Authentication vulnerability in the WAGO 750-8XX series, which allows an attacker to change the settings of the devices by sending specifically constructed requests without authentication. This can be done remotely. **Recommendations** For WAGO 750-8XX series versions FW03 and prior versions, consider disabling remote access until a patch is available. For WAGO 750-362 versions FW03 and prior versions, restrict access to the device settings to minimize the risk of exploitation. For WAGO 750-363 versions FW03 and prior versions, avoid using the device until a fixed version is released. For WAGO 750-823 versions FW03 and prior versions, limit the ability to send specifically constructed requests to the device. For WAGO 750-832/xxx-xxx versions FW03 and prior versions, consider implementing additional authentication measures. For WAGO 750-862 versions FW03 and prior versions, restrict access to the device settings. For WAGO 750-891 versions FW03 and prior versions, avoid using the device until a fixed version is released. For WAGO 750-890/xxx-xxx versions FW03 and prior versions, limit the ability to send specifically constructed requests to the device. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WAGO 750-8XX series versions FW07 and prior versions WAGO 750-852 versions FW07 and prior versions WAGO 750-880/xxx-xxx versions FW07 and prior versions WAGO 750-881 versions FW07 and prior versions WAGO 750-831/xxx-xxx versions FW07 and prior versions WAGO 750-882 versions FW07 and prior versions WAGO 750-885/xxx-xxx versions FW07 and prior versions WAGO 750-889 versions FW07 and prior versions **Description** The issue is related to improper authentication in the WAGO ethernet controller, allowing a remote attacker to change some special parameters without authentication. This can be exploited by an attacker to modify certain settings. **Recommendations** For WAGO 750-8XX series versions FW07 and prior versions, update to a version above FW07 to resolve the issue. For WAGO 750-852 versions FW07 and prior versions, update to a version above FW07 to resolve the issue. For WAGO 750-880/xxx-xxx versions FW07 and prior versions, update to a version above FW07 to resolve the issue. For WAGO 750-881 versions FW07 and prior versions, update to a version above FW07 to resolve the issue. For WAGO 750-831/xxx-xxx versions FW07 and prior versions, update to a version above FW07 to resolve the issue. For WAGO 750-882 versions FW07 and prior versions, update to a version above FW07 to resolve the issue. For WAGO 750-885/xxx-xxx versions FW07 and prior versions, update to a version above FW07 to resolve the issue. For WAGO 750-889 versions FW07 and prior versions, update to a version above FW07 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MIELE XGW 3000 ZigBee Gateway versions prior to 2.4.0 **Description** The issue concerns the Password Change Function, which does not require knowledge of the old password. This can be exploited, potentially allowing unauthorized access. **Recommendations** For versions prior to 2.4.0, update to version 2.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Password Change Function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MIELE XGW 3000 ZigBee Gateway versions prior to 2.4.0 **Description** The issue allows a malicious website visited by an authenticated admin user or a malicious mail to make arbitrary changes in the "admin panel" because there is no CSRF protection. **Recommendations** For versions prior to 2.4.0, update to version 2.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin panel to minimize the risk of exploitation. Avoid using the admin panel from untrusted networks or devices until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: OZW672 versions prior to V10.00 OZW772 versions prior to V10.00 Description: A security issue has been identified where vulnerable versions of OZW Web Server use predictable path names for project files created by authenticated users through the export function. This allows a remote attacker to download project files without authentication by accessing a specific uniform resource locator on the web server. The issue can be exploited by an unauthenticated attacker with network access, without requiring any user interaction. Successful exploitation compromises the confidentiality of the targeted system. Recommendations: For OZW672 versions prior to V10.00, update to version V10.00 or later to resolve the issue. For OZW772 versions prior to V10.00, update to version V10.00 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Detcon Sitewatch Gateway versions without cellular **Description** An issue exists where an attacker can edit settings on the device using a specially crafted URL. **Recommendations** For Detcon Sitewatch Gateway versions without cellular, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHOENIX CONTACT RAD-80211-XD and RAD-80211-XD/HP-BUS devices (affected versions not specified) **Description** An issue was discovered that allows command injection to occur in the WebHMI component. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** M2M ETHERNET versions 2.22 and prior ETH-FW versions 1.01 and prior **Description** The issue allows an attacker to upload a malicious language file by bypassing the user authentication mechanism. **Recommendations** For M2M ETHERNET versions 2.22 and prior, update to a version later than 2.22 to resolve the issue. For ETH-FW versions 1.01 and prior, update to a version later than 1.01 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CMS-770 versions 1.7.1 and prior **Description** The issue allows an attacker to bypass the user authentication mechanism, enabling them to read sensitive configuration files. **Recommendations** For CMS-770 versions 1.7.1 and prior, update to a version later than 1.7.1 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Ice Qube Thermal Management Center versions prior to 4.13 Description: The issue concerns the storage of passwords in plaintext within a file that can be accessed without authentication, posing a significant security risk. Recommendations: For versions prior to 4.13, update to version 4.13 or later to resolve the issue of plaintext password storage.

**Name of the Vulnerable Software and Affected Versions** TotalAlert Web Application in BeaconMedaes Scroll Medical Air Systems versions prior to 4107600010.23 **Description** The issue allows an attacker with network access to the integrated web server to retrieve default or user-defined credentials. These credentials are stored and transmitted in an insecure manner. **Recommendations** For versions prior to 4107600010.23, update to version 4107600010.23 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ProMinent MultiFLEX M10a Controller (affected versions not specified) **Description** A security issue was found in the ProMinent MultiFLEX M10a Controller web interface, where it is possible to change a user's password without knowing the original password. This could allow an authenticated attacker to change a user's password, enabling future access and possible configuration changes. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.