SB2024092526 - Multiple vulnerabilities in Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024092526

SB2024092526 - Multiple vulnerabilities in Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE

Published: September 25, 2024 Updated: October 25, 2024

Security Bulletin ID SB2024092526
Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 67% Medium 17% Low 17%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Command Injection (CVE-ID: CVE-2024-45066)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation in the ProGauge MAGLINK LX CONSOLE IP sub-menu. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Command Injection (CVE-ID: CVE-2024-43693)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation in the ProGauge MAGLINK LX CONSOLE UTILITY sub-menu. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Improper privilege management (CVE-ID: CVE-2024-45373)

The vulnerability allows a remote attacker to escalate privileges.

The vulnerability exists due to improper privilege management. A remote user can escalate privileges.


4) Use of Hard-coded Password (CVE-ID: CVE-2024-43423)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to use a hard-coded password in the web application for ProGauge MAGLINK LX4 CONSOLE. A remote attacker can gain access to administrative-level user account.


5) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2024-43692)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the authentication bypass using an alternate path or channel. A remote attacker can directly request the ProGauge MAGLINK LX CONSOLE resource sub page with full privileges.


6) Cross-site scripting (CVE-ID: CVE-2024-41725)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the ProGauge MAGLINK LX CONSOLE. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


Remediation

Install update from vendor's website.

References