Rigoblock

**Name of the Vulnerable Software and Affected Versions** CODESYS products (affected versions not specified) **Description** The issue allows access to internal files in the working directory, such as firmware files of the PLC, through the file download and upload function. This is possible if no level 1 password is configured on the controller or if a remote attacker has previously successfully authenticated to the controller. A successful attack may lead to a denial of service, change of local files, or drain of confidential information. User interaction is not required. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RigoBlock Dragos through 2022-02-17 **Description** The issue is related to the lack of the `onlyOwner` modifier for `setMultipleAllowances`, which enables token manipulation. This has been exploited in the wild in February 2022. A major protocol upgrade is required to remediate the issue. **Recommendations** For RigoBlock Dragos through 2022-02-17, consider disabling the `setMultipleAllowances` function until a major protocol upgrade occurs to prevent token manipulation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.