64 matches found
CVE-2020-9306
Tesla SolarCity Solar Monitoring Gateway through 5.46.43 has a "Use of Hard-coded Credentials" issue because Digi ConnectPort X2e uses a .pyc file to store the cleartext password for the python user account...
CVE-2020-12878
Digi ConnectPort X2e before 3.2.30.6 allows an attacker to escalate privileges from the python user to root via a symlink attack that uses chown, related to /etc/init.d/S50dropbear.sh and the /WEB/python/.ssh directory...
CVE-2020-12878
Digi ConnectPort X2e before 3.2.30.6 allows an attacker to escalate privileges from the python user to root via a symlink attack that uses chown, related to /etc/init.d/S50dropbear.sh and the /WEB/python/.ssh directory...
CVE-2020-9306
Tesla SolarCity Solar Monitoring Gateway through 5.46.43 has a "Use of Hard-coded Credentials" issue because Digi ConnectPort X2e uses a .pyc file to store the cleartext password for the python user account...
Directory traversal
Digi ConnectPort X2e before 3.2.30.6 allows an attacker to escalate privileges from the python user to root via a symlink attack that uses chown, related to /etc/init.d/S50dropbear.sh and the /WEB/python/.ssh directory...
Hardcoded credentials
Tesla SolarCity Solar Monitoring Gateway through 5.46.43 has a "Use of Hard-coded Credentials" issue because Digi ConnectPort X2e uses a .pyc file to store the cleartext password for the python user account...
CVE-2020-9306
Tesla SolarCity Solar Monitoring Gateway through 5.46.43 has a "Use of Hard-coded Credentials" issue because Digi ConnectPort X2e uses a .pyc file to store the cleartext password for the python user account...
CVE-2020-9306
CVE-2020-9306 affects Digi ConnectPort X2e devices (SolarCity/Tesla branding) with hardcoded credentials stored in a .pyc-compiled file used at boot. FireEye analysis shows password_manager.pyc in /WEB/python/ contains five plaintext credentials for the python system user, enabling web and SSH ac...
CVE-2020-12878
Digi ConnectPort X2e before 3.2.30.6 allows an attacker to escalate privileges from the python user to root via a symlink attack that uses chown, related to /etc/init.d/S50dropbear.sh and the /WEB/python/.ssh directory...
CVE-2020-12878
CVE-2020-12878 affects Digi ConnectPort X2e devices (pre-3.2.30.6). The issue enables local privilege escalation from the python user to root via a symlink attack involving /WEB/python/.ssh and /etc/init.d/S50dropbear.sh. Exploitation, as described, follows: (1) authenticate as the python user, (...
Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part One)
In 2019, Mandiant’s Red Team discovered a series of vulnerabilities present within Digi International’s ConnectPort X2e device, which allows for remote code execution as a privileged user. Specifically, Mandiant’s research focused on SolarCity’s now owned by Tesla rebranded ConnectPort X2e device...
Digi ConnectPort Backlink Vulnerability
Digi ConnectPort is a server from Digi ConnectPort Digi USA, Inc. It provides wireless communication. A security vulnerability exists in Digi ConnectPort X2e before 3.2.30.6, which allows an attacker to exploit the vulnerability to escalate the privileges of a python user to root via a symbolic...
CVE-2020-6973
Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 82002228K 08/09/2018, bios Version 1.2. Multiple cross-site scripting vulnerabilities exist that could allow an attacker to cause a denial-of-service condition...
CVE-2020-6973
Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 82002228K 08/09/2018, bios Version 1.2. Multiple cross-site scripting vulnerabilities exist that could allow an attacker to cause a denial-of-service condition...
Cross site scripting
Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 82002228K 08/09/2018, bios Version 1.2. Multiple cross-site scripting vulnerabilities exist that could allow an attacker to cause a denial-of-service condition...
CVE-2020-6975
Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 82002228K 08/09/2018, bios Version 1.2. Successful exploitation of this vulnerability could allow an attacker to upload a malicious file to the application...
CVE-2020-6975
Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 82002228K 08/09/2018, bios Version 1.2. Successful exploitation of this vulnerability could allow an attacker to upload a malicious file to the application...
Design/Logic Flaw
Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 82002228K 08/09/2018, bios Version 1.2. Successful exploitation of this vulnerability could allow an attacker to upload a malicious file to the application...
CVE-2020-6973
Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 82002228K 08/09/2018, bios Version 1.2. Multiple cross-site scripting vulnerabilities exist that could allow an attacker to cause a denial-of-service condition...
CVE-2020-6973
CVE-2020-6973 affects Digi International ConnectPort LTS 32 MEI with firmware 1.4.3 (bios 1.2). The advisory documents multiple cross-site scripting vulnerabilities that could lead to a denial-of-service condition. Affected product: ConnectPort LTS 32 MEI (firmware 1.4.3). Root cause: improper ha...