Multiple vulnerabilities in Electrolink FM/DAB/TV Transmitter



Published: 2024-04-17
Risk: Medium
Patch available: NO
Number of vulnerabilities: 7
CVE-ID: CVE-2024-3741, CVE-2024-22179, CVE-2024-22186, CVE-2024-21872, CVE-2024-21846, CVE-2024-1491, CVE-2024-3742
CWE-ID: CWE-287, CWE-565, CWE-306, CWE-312
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
10W Compact DAB Transmitter
Hardware solutions / Firmware

100W Compact DAB Transmitter
Hardware solutions / Firmware

250W Compact DAB Transmitter
Hardware solutions / Firmware

500W Medium DAB Transmitter
Hardware solutions / Firmware

1kW Medium DAB Transmitter
Hardware solutions / Firmware

2kW Medium DAB Transmitter
Hardware solutions / Firmware

2.5kW High Power DAB Transmitter
Hardware solutions / Firmware

3kW High Power DAB Transmitter
Hardware solutions / Firmware

4kW High Power DAB Transmitter
Hardware solutions / Firmware

5kW High Power DAB Transmitter
Hardware solutions / Firmware

100W Compact FM Transmitter
Hardware solutions / Firmware

500W Compact FM Transmitter
Hardware solutions / Firmware

1kW Compact FM Transmitter
Hardware solutions / Firmware

2kW Compact FM Transmitter
Hardware solutions / Firmware

3kW Modular FM Transmitter
Hardware solutions / Firmware

5kW Modular FM Transmitter
Hardware solutions / Firmware

10kW Modular FM Transmitter
Hardware solutions / Firmware

15kW Modular FM Transmitter
Hardware solutions / Firmware

20kW Modular FM Transmitter
Hardware solutions / Firmware

30kW Modular FM Transmitter
Hardware solutions / Firmware

15W - 40kW Digital FM Transmitter
Hardware solutions / Firmware

BI VHF TV Transmitter
Hardware solutions / Firmware

BIII VHF TV Transmitter
Hardware solutions / Firmware

10W - 5kW UHF TV Transmitter
Hardware solutions / Firmware

Vendor Electrolink

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Improper Authentication

EUVDB-ID: #VU88755

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2024-3741

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an authentication bypass in the login cookie. A remote attacker can set the login cookie to any value other than "NO" and gain full system access.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

10W Compact DAB Transmitter: All versions

100W Compact DAB Transmitter: All versions

250W Compact DAB Transmitter: All versions

500W Medium DAB Transmitter: All versions

1kW Medium DAB Transmitter: All versions

2kW Medium DAB Transmitter: All versions

2.5kW High Power DAB Transmitter: All versions

3kW High Power DAB Transmitter: All versions

4kW High Power DAB Transmitter: All versions

5kW High Power DAB Transmitter: All versions

100W Compact FM Transmitter: All versions

500W Compact FM Transmitter: All versions

1kW Compact FM Transmitter: All versions

2kW Compact FM Transmitter: All versions

3kW Modular FM Transmitter: All versions

5kW Modular FM Transmitter: All versions

10kW Modular FM Transmitter: All versions

15kW Modular FM Transmitter: All versions

20kW Modular FM Transmitter: All versions

30kW Modular FM Transmitter: All versions

15W - 40kW Digital FM Transmitter: All versions

BI VHF TV Transmitter: All versions

BIII VHF TV Transmitter: All versions

10W - 5kW UHF TV Transmitter: All versions

External links

http://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Authentication

EUVDB-ID: #VU88756

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2024-22179

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to unauthenticated parameter manipulation. A remote attacker can set the credentials to blank, which gives them access to the admin panel.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

10W Compact DAB Transmitter: All versions

100W Compact DAB Transmitter: All versions

250W Compact DAB Transmitter: All versions

500W Medium DAB Transmitter: All versions

1kW Medium DAB Transmitter: All versions

2kW Medium DAB Transmitter: All versions

2.5kW High Power DAB Transmitter: All versions

3kW High Power DAB Transmitter: All versions

4kW High Power DAB Transmitter: All versions

5kW High Power DAB Transmitter: All versions

100W Compact FM Transmitter: All versions

500W Compact FM Transmitter: All versions

1kW Compact FM Transmitter: All versions

2kW Compact FM Transmitter: All versions

3kW Modular FM Transmitter: All versions

5kW Modular FM Transmitter: All versions

10kW Modular FM Transmitter: All versions

15kW Modular FM Transmitter: All versions

20kW Modular FM Transmitter: All versions

30kW Modular FM Transmitter: All versions

15W - 40kW Digital FM Transmitter: All versions

BI VHF TV Transmitter: All versions

BIII VHF TV Transmitter: All versions

10W - 5kW UHF TV Transmitter: All versions

External links

http://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Reliance on Cookies without Validation and Integrity Checking

EUVDB-ID: #VU88758

Risk: Medium

CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2024-22186

CWE-ID: CWE-565 - Reliance on Cookies without Validation and Integrity Checking

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to reliance on cookies without validation and integrity checking. A remote user can poison the cookie to become administrator.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

10W Compact DAB Transmitter: All versions

100W Compact DAB Transmitter: All versions

250W Compact DAB Transmitter: All versions

500W Medium DAB Transmitter: All versions

1kW Medium DAB Transmitter: All versions

2kW Medium DAB Transmitter: All versions

2.5kW High Power DAB Transmitter: All versions

3kW High Power DAB Transmitter: All versions

4kW High Power DAB Transmitter: All versions

5kW High Power DAB Transmitter: All versions

100W Compact FM Transmitter: All versions

500W Compact FM Transmitter: All versions

1kW Compact FM Transmitter: All versions

2kW Compact FM Transmitter: All versions

3kW Modular FM Transmitter: All versions

5kW Modular FM Transmitter: All versions

10kW Modular FM Transmitter: All versions

15kW Modular FM Transmitter: All versions

20kW Modular FM Transmitter: All versions

30kW Modular FM Transmitter: All versions

15W - 40kW Digital FM Transmitter: All versions

BI VHF TV Transmitter: All versions

BIII VHF TV Transmitter: All versions

10W - 5kW UHF TV Transmitter: All versions

External links

http://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Reliance on Cookies without Validation and Integrity Checking

EUVDB-ID: #VU88760

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2024-21872

CWE-ID: CWE-565 - Reliance on Cookies without Validation and Integrity Checking

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to reliance on cookies without validation and integrity checking. A remote attacker can bypass authentication and modify the cookie to reveal hidden pages.
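
The cookie weaknesses described in items 1, 3 and 4 share one root cause: the server trusts a value the client can edit. The following added example (not code from the vendor or from this bulletin) contrasts that pattern with a cookie carrying a server-side HMAC and expiry; the cookie names "Login" and "Role", the field layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative names only: the cookie names, roles and field layout are assumptions.
SERVER_KEY = secrets.token_bytes(32)  # per-device secret, never sent to the client

def weak_is_authenticated(cookies):
    """Flawed pattern: any login cookie value other than "NO" counts as logged in."""
    return cookies.get("Login", "NO") != "NO"

def weak_role(cookies):
    """Flawed pattern: privilege level is read from a client-controlled cookie."""
    return cookies.get("Role", "guest")

def _mac(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, role, ttl=900, now=None):
    """Call only after the password check succeeds; returns 'user|role|expiry|mac'."""
    if "|" in user or "|" in role:
        raise ValueError("separator not allowed in fields")
    now = time.time() if now is None else now
    payload = f"{user}|{role}|{int(now + ttl)}"
    return f"{payload}|{_mac(payload)}"

def verify_cookie(value, now=None):
    """Return (user, role) for an untampered, unexpired cookie, else None."""
    parts = value.split("|")
    if len(parts) != 4:
        return None
    user, role, expiry, mac = parts
    expected = _mac(f"{user}|{role}|{expiry}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # forged or edited value
    now = time.time() if now is None else now
    if not expiry.isdigit() or int(expiry) < now:
        return None  # expired
    return user, role
```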

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

10W Compact DAB Transmitter: All versions

100W Compact DAB Transmitter: All versions

250W Compact DAB Transmitter: All versions

500W Medium DAB Transmitter: All versions

1kW Medium DAB Transmitter: All versions

2kW Medium DAB Transmitter: All versions

2.5kW High Power DAB Transmitter: All versions

3kW High Power DAB Transmitter: All versions

4kW High Power DAB Transmitter: All versions

5kW High Power DAB Transmitter: All versions

100W Compact FM Transmitter: All versions

500W Compact FM Transmitter: All versions

1kW Compact FM Transmitter: All versions

2kW Compact FM Transmitter: All versions

3kW Modular FM Transmitter: All versions

5kW Modular FM Transmitter: All versions

10kW Modular FM Transmitter: All versions

15kW Modular FM Transmitter: All versions

20kW Modular FM Transmitter: All versions

30kW Modular FM Transmitter: All versions

15W - 40kW Digital FM Transmitter: All versions

BI VHF TV Transmitter: All versions

BIII VHF TV Transmitter: All versions

10W - 5kW UHF TV Transmitter: All versions

External links

http://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Missing Authentication for Critical Function

EUVDB-ID: #VU88761

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:U/RC:C]

CVE-ID: CVE-2024-21846

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a missing authentication check. A remote attacker can send a specially crafted GET request and cause a denial of service condition on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

10W Compact DAB Transmitter: All versions

100W Compact DAB Transmitter: All versions

250W Compact DAB Transmitter: All versions

500W Medium DAB Transmitter: All versions

1kW Medium DAB Transmitter: All versions

2kW Medium DAB Transmitter: All versions

2.5kW High Power DAB Transmitter: All versions

3kW High Power DAB Transmitter: All versions

4kW High Power DAB Transmitter: All versions

5kW High Power DAB Transmitter: All versions

100W Compact FM Transmitter: All versions

500W Compact FM Transmitter: All versions

1kW Compact FM Transmitter: All versions

2kW Compact FM Transmitter: All versions

3kW Modular FM Transmitter: All versions

5kW Modular FM Transmitter: All versions

10kW Modular FM Transmitter: All versions

15kW Modular FM Transmitter: All versions

20kW Modular FM Transmitter: All versions

30kW Modular FM Transmitter: All versions

15W - 40kW Digital FM Transmitter: All versions

BI VHF TV Transmitter: All versions

BIII VHF TV Transmitter: All versions

10W - 5kW UHF TV Transmitter: All versions

External links

http://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Missing Authentication for Critical Function

EUVDB-ID: #VU88762

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2024-1491

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because the affected devices expose an unprotected endpoint that allows MPFS file system binary image upload without authentication. A remote attacker can overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

10W Compact DAB Transmitter: All versions

100W Compact DAB Transmitter: All versions

250W Compact DAB Transmitter: All versions

500W Medium DAB Transmitter: All versions

1kW Medium DAB Transmitter: All versions

2kW Medium DAB Transmitter: All versions

2.5kW High Power DAB Transmitter: All versions

3kW High Power DAB Transmitter: All versions

4kW High Power DAB Transmitter: All versions

5kW High Power DAB Transmitter: All versions

100W Compact FM Transmitter: All versions

500W Compact FM Transmitter: All versions

1kW Compact FM Transmitter: All versions

2kW Compact FM Transmitter: All versions

3kW Modular FM Transmitter: All versions

5kW Modular FM Transmitter: All versions

10kW Modular FM Transmitter: All versions

15kW Modular FM Transmitter: All versions

20kW Modular FM Transmitter: All versions

30kW Modular FM Transmitter: All versions

15W - 40kW Digital FM Transmitter: All versions

BI VHF TV Transmitter: All versions

BIII VHF TV Transmitter: All versions

10W - 5kW UHF TV Transmitter: All versions

External links

http://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Cleartext storage of sensitive information

EUVDB-ID: #VU88763

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2024-3742

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to cleartext storage of sensitive information. A remote attacker can obtain user credentials.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

10W Compact DAB Transmitter: All versions

100W Compact DAB Transmitter: All versions

250W Compact DAB Transmitter: All versions

500W Medium DAB Transmitter: All versions

1kW Medium DAB Transmitter: All versions

2kW Medium DAB Transmitter: All versions

2.5kW High Power DAB Transmitter: All versions

3kW High Power DAB Transmitter: All versions

4kW High Power DAB Transmitter: All versions

5kW High Power DAB Transmitter: All versions

100W Compact FM Transmitter: All versions

500W Compact FM Transmitter: All versions

1kW Compact FM Transmitter: All versions

2kW Compact FM Transmitter: All versions

3kW Modular FM Transmitter: All versions

5kW Modular FM Transmitter: All versions

10kW Modular FM Transmitter: All versions

15kW Modular FM Transmitter: All versions

20kW Modular FM Transmitter: All versions

30kW Modular FM Transmitter: All versions

15W - 40kW Digital FM Transmitter: All versions

BI VHF TV Transmitter: All versions

BIII VHF TV Transmitter: All versions

10W - 5kW UHF TV Transmitter: All versions

External links

http://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


