Multiple vulnerabilities in Sielco PolyEco FM Transmitter
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2023-0897 CVE-2023-5754 CVE-2023-46661 CVE-2023-46662 CVE-2023-46663 CVE-2023-46664 CVE-2023-46665 |
| CWE-ID | CWE-384 CWE-307 CWE-284 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
PolyEco1000 CPU Hardware solutions / Routers & switches, VoIP, GSM, etc PolyEco1000 FPGA Hardware solutions / Routers & switches, VoIP, GSM, etc PolyEco500 CPU Hardware solutions / Routers & switches, VoIP, GSM, etc PolyEco500: CPU FPGA Hardware solutions / Routers & switches, VoIP, GSM, etc PolyEco300 CPU Hardware solutions / Routers & switches, VoIP, GSM, etc PolyEco300 FPGA Hardware solutions / Routers & switches, VoIP, GSM, etc |
| Vendor | Sielco |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Session Fixation
EUVDB-ID: #VU82533
Risk: High
CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2023-0897
CWE-ID:
CWE-384 - Session Fixation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the cookie being vulnerable to a brute force attack, lack of SSL and the session being visible in requests. A remote attacker can perform a session hijacking attack.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPolyEco1000 CPU: 1.9.3 - 2.0.6
PolyEco1000 FPGA: 10.19
PolyEco500 CPU: 1.7.0
PolyEco500: CPU FPGA: 10.16
PolyEco300 CPU: 2.0.0 - 2.0.2
PolyEco300 FPGA: 10.19
External linkshttp://www.cisa.gov/news-events/ics-advisories/icsa-23-299-07
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Restriction of Excessive Authentication Attempts
EUVDB-ID: #VU82535
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2023-5754
CWE-ID:
CWE-307 - Improper Restriction of Excessive Authentication Attempts
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a weak set of default administrative credentials. A remote attacker can perform a brute-force attack and gain full control of the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPolyEco1000 CPU: 1.9.3 - 2.0.6
PolyEco1000 FPGA: 10.19
PolyEco500 CPU: 1.7.0
PolyEco500: CPU FPGA: 10.16
PolyEco300 CPU: 2.0.0 - 2.0.2
PolyEco300 FPGA: 10.19
External linkshttp://www.cisa.gov/news-events/ics-advisories/icsa-23-299-07
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper access control
EUVDB-ID: #VU82536
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2023-46661
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can modify passwords in POST requests and gain unauthorized access to the application.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPolyEco1000 CPU: 1.9.3 - 2.0.6
PolyEco1000 FPGA: 10.19
PolyEco500 CPU: 1.7.0
PolyEco500: CPU FPGA: 10.16
PolyEco300 CPU: 2.0.0 - 2.0.2
PolyEco300 FPGA: 10.19
External linkshttp://www.cisa.gov/news-events/ics-advisories/icsa-23-299-07
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper access control
EUVDB-ID: #VU82537
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2023-46662
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request to gain access to sensitive information.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPolyEco1000 CPU: 1.9.3 - 2.0.6
PolyEco1000 FPGA: 10.19
PolyEco500 CPU: 1.7.0
PolyEco500: CPU FPGA: 10.16
PolyEco300 CPU: 2.0.0 - 2.0.2
PolyEco300 FPGA: 10.19
External linkshttp://www.cisa.gov/news-events/ics-advisories/icsa-23-299-07
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper access control
EUVDB-ID: #VU82538
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2023-46663
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the application interface. A remote attacker can gain access to sensitive information.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPolyEco1000 CPU: 1.9.3 - 2.0.6
PolyEco1000 FPGA: 10.19
PolyEco500 CPU: 1.7.0
PolyEco500: CPU FPGA: 10.16
PolyEco300 CPU: 2.0.0 - 2.0.2
PolyEco300 FPGA: 10.19
External linkshttp://www.cisa.gov/news-events/ics-advisories/icsa-23-299-07
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper access control
EUVDB-ID: #VU82539
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2023-46664
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions when the application provides direct access to objects based on user-supplied input. A remote attacker can bypass authorization and access resources behind protected pages.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPolyEco1000 CPU: 1.9.3 - 2.0.6
PolyEco1000 FPGA: 10.19
PolyEco500 CPU: 1.7.0
PolyEco500: CPU FPGA: 10.16
PolyEco300 CPU: 2.0.0 - 2.0.2
PolyEco300 FPGA: 10.19
External linkshttp://www.cisa.gov/news-events/ics-advisories/icsa-23-299-07
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper access control
EUVDB-ID: #VU82540
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2023-46665
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can modify passwords in a POST request and gain unauthorized access to the application.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPolyEco1000 CPU: 1.9.3 - 2.0.6
PolyEco1000 FPGA: 10.19
PolyEco500 CPU: 1.7.0
PolyEco500: CPU FPGA: 10.16
PolyEco300 CPU: 2.0.0 - 2.0.2
PolyEco300 FPGA: 10.19
External linkshttp://www.cisa.gov/news-events/ics-advisories/icsa-23-299-07
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
