Lucene search
782 matches found

Tenable Nessus
added 2023/08/02 12:0 a.m., 15 views

Moxa AWK-3131A Series Industrial AP/Bridge/Client Improper Neutralization of Special Elements Used in an OS Command (CVE-2019-5141)

An exploitable command injection vulnerability exists in the iwwebs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted iwserverip parameter can cause user input to be reflected in a subsequent iwsystem call, resulting in remote control over the device. An attacker can...

CVSS 8.8 | AI score 8.1 | EPSS 0.05478
Exploits: 1 | References: 3

Tenable Nessus
added 2023/08/02 12:0 a.m., 8 views

Moxa AWK-3121 Improper Restriction of Operations Within the Bounds of a Memory Buffer (CVE-2018-10701)

An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter iwfilename is susceptible to...

CVSS 8.8 | AI score 8.8 | EPSS 0.00693
Exploits: 1 | References: 5

Tenable Nessus
added 2023/08/02 12:0 a.m., 11 views

Moxa AWK-3121 Improper Neutralization of Special Elements Used in a Command (CVE-2018-10702)

An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter iwfilename is susceptible to...

CVSS 8.8 | AI score 8.3 | EPSS 0.02359
Exploits: 1 | References: 5

Tenable Nessus
added 2023/08/02 12:0 a.m., 13 views

Moxa AWK-3131A Web Application onekey Information Disclosure (CVE-2016-8727)

An exploitable information disclosure vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point. Retrieving a series of URLs without authentication can reveal sensitive configuration and system information to an attacker. This plugin only works with...

CVSS 7.5 | AI score 7.4 | EPSS 0.00496
Exploits: 1 | References: 2

Tenable Nessus
added 2023/08/02 12:0 a.m., 13 views

Moxa Web Application Nonce Reuse Vulnerability (CVE-2016-8712)

An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds. This plugin...

CVSS 8.1 | AI score 6.5 | EPSS 0.0038
Exploits: 2 | References: 2

Tenable Nessus
added 2023/08/02 12:0 a.m., 12 views

Moxa AWK-3121 Cleartext Transmission of Sensitive Information (CVE-2018-10694)

An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between t...

CVSS 8.1 | AI score 7.8 | EPSS 0.00114
Exploits: 1 | References: 5

Tenable Nessus
added 2023/08/02 12:0 a.m., 10 views

Moxa AWK-3121 Sensitive Cookie Without Httponly Flag (CVE-2018-10692)

An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie Password508 does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily. This plugin only works with Tenable.ot. Please visit...

CVSS 6.1 | AI score 6.7 | EPSS 0.00388
Exploits: 1 | References: 5

Tenable Nessus
added 2023/08/02 12:0 a.m., 14 views

Moxa AWK-3131A Series Industrial AP/Bridge/Client Stack-Based Buffer Overflow (CVE-2019-5153)

An exploitable remote code execution vulnerability exists in the iwwebs configuration parsing functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause an overflow of an error message buffer, resulting in remote code execution. An attacker can send...

CVSS 9.9 | AI score 9.2 | EPSS 0.02161
Exploits: 1 | References: 3

Tenable Nessus
added 2023/08/02 12:0 a.m., 18 views

Moxa AWK-3131A serviceAgent Information Disclosure (CVE-2016-8724)

An exploitable information disclosure vulnerability exists in the serviceAgent functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted TCP query will allow an attacker to retrieve potentially sensitive information. This plugin only works with Tenable.ot...

CVSS 5.3 | AI score 5.7 | EPSS 0.03205
Exploits: 2 | References: 2

Tenable Nessus
added 2023/08/02 12:0 a.m., 14 views

Moxa AWK-3121 Cleartext Transmission of Sensitive Information (CVE-2018-10690)

An issue was discovered on Moxa AWK-3121 1.14 devices. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such...

CVSS 8.1 | AI score 7.8 | EPSS 0.00253
Exploits: 1 | References: 5

Tenable Nessus
added 2023/08/02 12:0 a.m., 13 views

Moxa AWK-3131A web_runScript Header Manipulation Denial of Service (CVE-2016-8726)

An exploitable null pointer dereference vulnerability exists in the Web Application /forms/webrunScript iwfilename functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. An HTTP POST request with a blank line in the header will cause a segmentation fault in the web server. Th...

CVSS 7.8 | AI score 7.4 | EPSS 0.00447
Exploits: 2 | References: 2

Tenable Nessus
added 2023/08/02 12:0 a.m., 25 views

Moxa AWK-3131A HTTP GET Denial of Service (CVE-2016-8723)

An exploitable null pointer dereference exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. Any HTTP GET request not preceded by an '/' will cause a segmentation fault in the web server. An attacker can send any of a multitude of potentially...

CVSS 7.8 | AI score 7.4 | EPSS 0.00447
Exploits: 2 | References: 2

Tenable Nessus
added 2023/08/02 12:0 a.m., 12 views

Moxa AWK-3131A Series Industrial AP/Bridge/Client Improper Access Control (CVE-2019-5162)

An exploitable improper access control vulnerability exists in the iwwebs account settings functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the device as...

CVSS 9.9 | AI score 8.3 | EPSS 0.00497
Exploits: 1 | References: 3

Tenable Nessus
added 2023/08/02 12:0 a.m., 10 views

Moxa AWK-3131A Series Industrial AP/Bridge/Client Use of Hard-Coded Cryptographic Key (CVE-2019-5137)

The usage of hard-coded cryptographic keys within the ServiceAgent binary allows for the decryption of captured traffic across the network from or to the Moxa AWK-3131A firmware version 1.13. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more...

CVSS 7.5 | AI score 7.6 | EPSS 0.0048
Exploits: 1 | References: 3

Tenable Nessus
added 2023/08/02 12:0 a.m., 9 views

Moxa AWK-3121 Cross-Site Request Forgery (CVE-2018-10696)

An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a web interface to allow an administrator to manage the device. However, this interface is not protected against CSRF attacks, which allows an attacker to trick an administrator into executing actions without his/her...

CVSS 8.8 | AI score 8 | EPSS 0.00239
Exploits: 1 | References: 5

BDU FSTEC
added 2023/05/17 12:0 a.m., 1 view

The vulnerability of the copyvar function in the UNIX utility command-line tool BusyBox allows a hacker to gain access to confidential data, compromise its integrity, and cause service failures.

The vulnerability of the copyvar function in the UNIX utility command-line tool BusyBox is related to incorrect handling of the created awk template. Exploiting this vulnerability allows a remote attacker to gain access to confidential data, compromise its integrity, and cause service failures...

CVSS 10 | AI score 6.7 | EPSS 0.00657
Exploits: 1 | References: 9 | Affected Software: 5

Tenable Nessus
added 2023/04/11 12:0 a.m., 30 views

Siemens SCALANCE XCM332 Use After Free (CVE-2022-30065)

A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information...

CVSS 7.8 | AI score 7.1 | EPSS 0.00657
Exploits: 1 | References: 4

F5 Networks
added 2023/02/21 6:26 p.m., 29 views

K15303: PHP vulnerability CVE-2013-7345

Security Advisory Description: The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file tha...

CVSS 5 | AI score 8.3 | EPSS 0.01128
Exploits: 1

SUSE CVE
added 2023/02/15 5:28 a.m., 2 views

SUSE CVE-2014-3538

file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an...

CVSS 5 | AI score 6.8 | EPSS 0.33041
Exploits: 1 | References: 4

SUSE CVE
added 2023/02/15 3:37 a.m., 1 view

SUSE CVE-2021-42379

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nextinputfile function...

CVSS 6.6 | AI score 6.8 | EPSS 0.00236
Exploits: 0 | References: 10