SB2021100607 - Multiple vulnerabilities in Moxa MXview Network Management Software
Published: October 6, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Path traversal (CVE-ID: CVE-2021-38452)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and create or overwrite critical files.
2) Use of Hard-coded Password (CVE-ID: CVE-2021-38456)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the software contains a hard-coded password. A remote attacker can gain access through accounts using default passwords.
3) Unprotected Transport of Credentials (CVE-ID: CVE-2021-38460)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to password leakage. A remote attacker can obtain credentials through unprotected transport.
4) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2021-38458)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper neutralization of special elements. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
5) Improper access control (CVE-ID: CVE-2021-38454)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the affected product has a misconfigured service that allows remote connections to internal communication channels. A remote attacker can bypass implemented security restrictions and interact and use MQTT.
Remediation
Install update from vendor's website.