Moxa AWK-3131A Web Application Cross-Site Request Forgery (CVE-2016-8718)
An exploitable Cross-Site Request Forgery vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted form can trick a client into making an unintentional request to the web server which will be treated as an authenti...
Moxa AWK-3121 Improper Restriction of Operations Within the Bounds of a Memory Buffer (CVE-2018-10695)
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device's network. However, the same functionality allows an attacker to execute commands on the device. The POST...
Moxa AWK-3131A Web Application Cleartext Transmission of Password Vulnerability (CVE-2016-8716)
An exploitable Cleartext Transmission of Password vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. The Change Password functionality of the Web Application transmits the password in cleartext. An attacker capable of intercepti...
Moxa AWK-3121 Improper Neutralization of Input During Web Page Generation (CVE-2018-10700)
An issue was discovered on Moxa AWK-3121 1.19 devices. It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter iwboarddeviceName is susceptible to this...
Moxa AWK-3131A Web Application Ping Command Injection (CVE-2016-8721)
An exploitable OS Command Injection vulnerability exists in the web application 'ping' functionality of Moxa AWK-3131A Wireless Access Points running firmware 1.1. Specially crafted web form input can cause an OS Command Injection resulting in complete compromise of the vulnerable device. An...
Moxa AWK-3131A Series Industrial AP/Bridge/Client Use of Hard-Coded Credentials (CVE-2019-5139)
An exploitable use of hard-coded credentials vulnerability exists in multiple iw utilities of the Moxa AWK-3131A firmware version 1.13. The device operating system contains an undocumented encryption password, allowing for the creation of custom diagnostic scripts. This plugin only works with...
Moxa AWK-3131A Web Application Multiple Reflected Cross-site Scripting (CVE-2016-8719)
An exploitable reflected Cross-Site Scripting vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. Specially crafted input, in multiple parameters, can cause malicious scripts to be executed by a victim. This plugin only works...
Moxa AWK-3131A Web Application asqc.asp Information Disclosure (CVE-2016-8722)
An exploitable Information Disclosure vulnerability exists in the Web Application functionality of Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. Retrieving a specific URL without authentication can reveal sensitive information to an attacker. This plugin only work...
Moxa AWK-3121 Improper Restriction of Operations Within the Bounds of a Memory Buffer (CVE-2018-10693)
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter srvName is...
Moxa AWK-3121 Cleartext Transmission of Sensitive Information (CVE-2018-10698)
An issue was discovered on Moxa AWK-3121 1.14 devices. The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET...
Moxa AWK-3131A Web Application systemlog.log Information Disclosure (CVE-2016-8725)
An exploitable information disclosure vulnerability exists in the Web Application functionality of the Moxa AWK-3131A wireless access point running firmware 1.1. Retrieving a specific URL without authentication can reveal sensitive information to an attacker. This plugin only works with Tenable.o...
Moxa AWK-3131A Series Industrial AP/Bridge/Client Authentication Bypass Using an Alternate Path or Channel (CVE-2019-5165)
An exploitable authentication bypass vulnerability exists in the hostname processing of the Moxa AWK-3131A firmware version 1.13. A specially configured device hostname can cause the device to interpret select remote traffic as local traffic, resulting in a bypass of web authentication. An attack...
Moxa AWK-3121 Improper Access Control (CVE-2018-10691)
An issue was discovered on Moxa AWK-3121 1.14 devices. It is intended that an administrator can download /systemlog.log (the system log). However, the same functionality allows an attacker to download the file without any authentication or authorization. This plugin only works with Tenable.ot. Plea...
Moxa AWK-3131A Hard-coded Administrator Credentials (CVE-2016-8717)
An exploitable Use of Hard-coded Credentials vulnerability exists in the Moxa AWK-3131A Wireless Access Point running firmware 1.1. The device operating system contains an undocumented, privileged root account with hard-coded credentials, giving attackers full control of affected devices. This...
Moxa OnCell Arbitrary OS Commands Execution (CVE-2016-8363)
An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-RTG Series, AWK-3131-M12-RCC Series, AWK-5232-M12-RCC Series, TAP-6226 Series, AWK-3121/4121 Series...
Moxa AWK-3131A Series Industrial AP/Bridge/Client Improper Access Control (CVE-2019-5136)
An exploitable privilege escalation vulnerability exists in the iwconsole functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted menu selection string can cause an escape from the restricted console, resulting in system access as the root user. An attacker can send command...
Moxa AWK-3121 Improper Neutralization of Special Elements Used in a Command (CVE-2018-10697)
An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST paramet...
Moxa AWK-3131A Series Industrial AP/Bridge/Client Improper Neutralization of Special Elements Used in an OS Command (CVE-2019-5138)
An exploitable command injection vulnerability exists in encrypted diagnostic script functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file can cause arbitrary busybox commands to be executed, resulting in remote control over the device. An attacker...
Moxa AWK-3121 Improper Restriction of Operations Within the Bounds of a Memory Buffer (CVE-2018-10703)
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter iwserverip is susceptible to...
Moxa AWK-3121 Improper Neutralization of Special Elements Used in a Command (CVE-2018-10699)
An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network. However, the same functionality allows an attacker to execute commands on the device...