Multiple vulnerabilities in Mitsubishi Electric EcoWebServerIII
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2016-10735 CVE-2018-14040 CVE-2018-14042 CVE-2018-20676 CVE-2019-8331 CVE-2020-11022 CVE-2020-11023 CVE-2017-18214 CVE-2020-7746 |
| CWE-ID | CWE-79 CWE-400 CWE-20 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #7 is available. |
| Vulnerable software Subscribe |
EcoWebServerIII MES3-255C-DM-CN Server applications / Other server solutions EcoWebServerIII MES3-255C-CN Server applications / Other server solutions EcoWebServerIII MES3-255C-DM-EN Server applications / Other server solutions EcoWebServerIII MES3-255C-EN Server applications / Other server solutions |
| Vendor | Mitsubishi Electric |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Cross-site scripting
EUVDB-ID: #VU21707
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-10735
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "data-target" attribute. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsEcoWebServerIII MES3-255C-DM-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-DM-EN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-EN: 3.0.0 - 3.3.0
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-055-02
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-029_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Cross-site scripting
EUVDB-ID: #VU13901
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-14040
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the data-parent attribute of the collapse plugin due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsEcoWebServerIII MES3-255C-DM-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-DM-EN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-EN: 3.0.0 - 3.3.0
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-055-02
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-029_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Cross-site scripting
EUVDB-ID: #VU13902
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-14042
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the data-container property of the tooltip plugin due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsEcoWebServerIII MES3-255C-DM-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-DM-EN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-EN: 3.0.0 - 3.3.0
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-055-02
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-029_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Cross-site scripting
EUVDB-ID: #VU16956
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-20676
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the tooltip data-viewport attribute due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsEcoWebServerIII MES3-255C-DM-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-DM-EN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-EN: 3.0.0 - 3.3.0
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-055-02
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-029_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Cross-site scripting
EUVDB-ID: #VU17694
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-8331
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsEcoWebServerIII MES3-255C-DM-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-DM-EN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-EN: 3.0.0 - 3.3.0
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-055-02
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-029_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Cross-site scripting
EUVDB-ID: #VU27052
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-11022
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: Yes
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the regex operation in "jQuery.htmlPrefilter". A remote attacker can pass specially crafted data to the application that uses .html()</code>, <code>.append() or similar methods for it and execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsEcoWebServerIII MES3-255C-DM-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-DM-EN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-EN: 3.0.0 - 3.3.0
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-055-02
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-029_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
7) Cross-site scripting
EUVDB-ID: #VU27519
Risk: Low
CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-11023
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: Yes
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when passing <option> elements to jQuery’s DOM manipulation methods. A remote attacker can execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsEcoWebServerIII MES3-255C-DM-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-DM-EN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-EN: 3.0.0 - 3.3.0
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-055-02
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-029_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
8) Resource exhaustion
EUVDB-ID: #VU11300
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-18214
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists due to resource exhaustion. A remote attacker can submit a specially crafted data string and cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsEcoWebServerIII MES3-255C-DM-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-DM-EN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-EN: 3.0.0 - 3.3.0
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-055-02
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-029_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Input validation error
EUVDB-ID: #VU60879
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-7746
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to Prototype Pollution in the "options" parameter. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsEcoWebServerIII MES3-255C-DM-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-CN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-DM-EN: 3.0.0 - 3.3.0
EcoWebServerIII MES3-255C-EN: 3.0.0 - 3.3.0
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-055-02
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-029_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
