CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Moxa : Security Vulnerabilities Published In 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-6565 79 XSS 2019-03-05 2019-10-09
4.3
None Remote Medium Not required None Partial None
Moxa IKS and EDS fails to properly validate user input, giving unauthenticated and authenticated attackers the ability to perform XSS attacks, which may be used to send a malicious script.
2 CVE-2019-6563 200 +Info 2019-03-05 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
Moxa IKS and EDS generate a predictable cookie calculated with an MD5 hash, allowing an attacker to capture the administrator's password, which could lead to a full compromise of the device.
3 CVE-2019-6561 352 CSRF 2019-03-05 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery has been identified in Moxa IKS and EDS, which may allow for the execution of unauthorized actions on the device.
4 CVE-2019-6559 400 DoS 2019-03-05 2019-10-09
4.0
None Remote Low Single system None None Partial
Moxa IKS and EDS allow remote authenticated users to cause a denial of service via a specially crafted packet, which may cause the switch to crash.
5 CVE-2019-6557 119 Exec Code Overflow 2019-03-05 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
Several buffer overflow vulnerabilities have been identified in Moxa IKS and EDS, which may allow remote code execution.
6 CVE-2019-6526 255 2019-04-15 2019-10-09
5.0
None Remote Low Not required Partial None None
Moxa IKS-G6824A series Versions 4.5 and prior, EDS-405A series Version 3.8 and prior, EDS-408A series Version 3.8 and prior, and EDS-510A series Version 3.8 and prior use plaintext transmission of sensitive data, which may allow an attacker to capture sensitive data such as an administrative password.
7 CVE-2019-6524 287 2019-03-05 2019-10-09
5.0
None Remote Low Not required Partial None None
Moxa IKS and EDS do not implement sufficient measures to prevent multiple failed authentication attempts, which may allow an attacker to discover passwords via brute force attack.
8 CVE-2019-6522 125 2019-03-05 2019-10-09
8.5
None Remote Low Not required Partial None Complete
Moxa IKS and EDS fails to properly check array bounds which may allow an attacker to read device memory on arbitrary addresses, and may allow an attacker to retrieve sensitive data or cause device reboot.
9 CVE-2019-6520 284 2019-03-05 2019-10-09
5.0
None Remote Low Not required None Partial None
Moxa IKS and EDS does not properly check authority on server side, which results in a read-only user being able to perform arbitrary configuration changes.
10 CVE-2019-6518 200 +Info 2019-03-05 2019-10-09
5.0
None Remote Low Not required Partial None None
Moxa IKS and EDS store plaintext passwords, which may allow sensitive information to be read by someone with access to the device.
11 CVE-2018-11427 352 CSRF 2019-07-03 2019-07-10
6.8
None Remote Medium Not required Partial Partial Partial
CSRF tokens are not used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior, which makes it possible to perform CSRF attacks on the device administrator.
12 CVE-2018-11426 287 Bypass 2019-07-03 2019-07-10
7.5
None Remote Low Not required Partial Partial Partial
A weak Cookie parameter is used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. An attacker can brute force parameters required to bypass authentication and access the web interface to use all its functions except for password change.
13 CVE-2018-11425 119 Overflow Mem. Corr. 2019-07-03 2019-07-10
7.5
None Remote Low Not required Partial Partial Partial
Memory corruption issue was discovered in Moxa OnCell G3470A-LTE Series version 1.6 Build 18021314 and prior, a different vulnerability than CVE-2018-11424.
14 CVE-2018-11424 476 Mem. Corr. 2019-07-03 2019-07-10
7.8
None Remote Low Not required None None Complete
There is Memory corruption in the web interface of Moxa OnCell G3470A-LTE Series version 1.6 Build 18021314 and prior, a different vulnerability than CVE-2018-11425.
15 CVE-2018-11423 119 Overflow Mem. Corr. 2019-07-03 2019-07-10
7.8
None Remote Low Not required None None Complete
There is Memory corruption in the web interface Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior, different vulnerability than CVE-2018-11420.
16 CVE-2018-11422 284 Exec Code 2019-07-03 2019-07-10
7.5
None Remote Low Not required Partial Partial Partial
Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary configuration protocol that does not provide confidentiality, integrity, and authenticity security controls. All information is sent in plain text, and can be intercepted and modified. Any commands (including device reboot, configuration download or upload, or firmware upgrade) are accepted and executed by the device without authentication.
17 CVE-2018-11421 200 +Info 2019-07-03 2019-07-10
5.0
None Remote Low Not required Partial None None
Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary monitoring protocol that does not provide confidentiality, integrity, and authenticity security controls. All information is sent in plain text, and can be intercepted and modified. The protocol is vulnerable to remote unauthenticated disclosure of sensitive information, including the administrator's password. Under certain conditions, it's also possible to retrieve additional information, such as content of HTTP requests to the device, or the previously used password, due to memory leakages.
18 CVE-2018-11420 400 Mem. Corr. 2019-07-03 2019-07-10
7.5
None Remote Low Not required Partial Partial Partial
There is Memory corruption in the web interface of Moxa OnCell G3100-HSPA Series version 1.5 Build 17042015 and prio,r a different vulnerability than CVE-2018-11423.
19 CVE-2018-10703 119 Exec Code Overflow 2019-06-07 2019-06-10
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_serverip" is susceptible to buffer overflow. By crafting a packet that contains a string of 480 characters, it is possible for an attacker to execute the attack.
20 CVE-2018-10702 77 Exec Code 2019-06-07 2019-06-10
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_filename" is susceptible to command injection via shell metacharacters.
21 CVE-2018-10701 119 Exec Code Overflow 2019-06-07 2019-06-11
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_filename" is susceptible to buffer overflow. By crafting a packet that contains a string of 162 characters, it is possible for an attacker to execute the attack.
22 CVE-2018-10700 79 XSS 2019-06-07 2019-06-10
4.3
None Remote Medium Not required None Partial None
An issue was discovered on Moxa AWK-3121 1.19 devices. It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter "iw_board_deviceName" is susceptible to this injection.
23 CVE-2018-10699 77 Exec Code 2019-06-07 2019-06-11
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_privatePass" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
24 CVE-2018-10698 255 2019-06-07 2019-06-10
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on Moxa AWK-3121 1.14 devices. The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.
25 CVE-2018-10697 77 Exec Code 2019-06-07 2019-06-10
9.3
None Remote Medium Not required Complete Complete Complete
An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "srvName" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
26 CVE-2018-10696 352 CSRF 2019-06-07 2019-06-11
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a web interface to allow an administrator to manage the device. However, this interface is not protected against CSRF attacks, which allows an attacker to trick an administrator into executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and forms/webSetMainRestart URIs.
27 CVE-2018-10695 119 Exec Code Overflow 2019-06-07 2019-06-11
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device's network. However, the same functionality allows an attacker to execute commands on the device. The POST parameters "to1,to2,to3,to4" are all susceptible to buffer overflow. By crafting a packet that contains a string of 678 characters, it is possible for an attacker to execute the attack.
28 CVE-2018-10694 255 2019-06-07 2019-06-10
4.3
None Remote Medium Not required Partial None None
An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well.
29 CVE-2018-10693 119 Exec Code Overflow 2019-06-07 2019-06-10
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "srvName" is susceptible to a buffer overflow. By crafting a packet that contains a string of 516 characters, it is possible for an attacker to execute the attack.
30 CVE-2018-10692 79 XSS 2019-06-07 2019-06-10
4.3
None Remote Medium Not required None Partial None
An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily.
31 CVE-2018-10691 284 2019-06-07 2019-06-10
5.0
None Remote Low Not required Partial None None
An issue was discovered on Moxa AWK-3121 1.14 devices. It is intended that an administrator can download /systemlog.log (the system log). However, the same functionality allows an attacker to download the file without any authentication or authorization.
32 CVE-2018-10690 255 2019-06-07 2019-06-10
4.3
None Remote Medium Not required Partial None None
An issue was discovered on Moxa AWK-3121 1.14 devices. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials.
33 CVE-2015-6458 119 Exec Code Overflow 2019-03-21 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Moxa SoftCMS 1.3 and prior is susceptible to a buffer overflow condition that may crash or allow remote code execution. Moxa released SoftCMS version 1.4 on June 1, 2015, to address the vulnerability.
34 CVE-2015-6457 119 Exec Code Overflow 2019-03-21 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Moxa SoftCMS 1.3 and prior is susceptible to a buffer overflow condition that may crash or allow remote code execution. Moxa released SoftCMS version 1.4 on June 1, 2015, to address the vulnerability.
Total number of vulnerabilities : 34   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.