| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions) that can be used to map the application's internal structure and discover other, more critical vulnerabilities. |
| An attacker may access restricted filesystem areas on the device via the CROWN REST interface due to incomplete whitelist enforcement. Certain directories intended for internal testing were not covered by the whitelist and are accessible without authentication. An unauthenticated attacker could place a manipulated parameter file that becomes active after a reboot, allowing modification of critical device settings, including network configuration and application parameters. |
| An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access without authentication. This includes device parameter files, enabling an attacker to read and modify application settings, including customer-defined passwords. Additionally, exposure of the custom application directory may allow execution of arbitrary Lua code within the sandboxed AppEngine environment. |
| An attacker may exploit the use of weak CBC-based cipher suites in the device’s SSH service to potentially observe or manipulate parts of the encrypted SSH communication, if they are able to intercept or interact with the network traffic. |
| An attacker may exploit the use of outdated and weak MAC algorithms in the device’s SSH service to potentially compromise the integrity of the SSH session, allowing manipulation of transmitted data if the attacker can interact with the network traffic. |
| A vulnerability in the Incoming Goods Suite allows a user with unprivileged access to the underlying system (e.g. local or via SSH) a privilege escalation to the administrative level due to the usage of component vendor Docker images running with root permissions. Exploiting this misconfiguration leads to the fact that an attacker can gain administrative control. over the whole system. |
| Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality. |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| Exposure of Sensitive Information to an Unauthorized Actor in the SICK ICR890-4 could allow an unauthenticated remote attacker to retrieve sensitive information about the system. |
