782 matches found
Privilege escalation
An exploitable privilege escalation vulnerability exists in the iwconsole functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted menu selection string can cause an escape from the restricted console, resulting in system access as the root user. An attacker can send command...
Format string
An exploitable format string vulnerability exists in the iwconsole coniowritestr functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted time server entry can cause an overflow of the time server buffer, resulting in remote code execution. An attacker can send commands whil...
CVE-2019-5139
An exploitable use of hard-coded credentials vulnerability exists in multiple iw utilities of the Moxa AWK-3131A firmware version 1.13. The device operating system contains an undocumented encryption password, allowing for the creation of custom diagnostic scripts...
CVE-2019-5139
CVE-2019-5139 affects Moxa AWK-3131A (firmware 1.13). A hard-coded credential (moxaiwroot) is used in multiple iw_* utilities, enabling creation of custom diagnostic scripts via the device’s diagnostic path. Root cause: undocumented encryption/password usage within iw_* components. Impact: local ...
CVE-2019-5143
An exploitable format string vulnerability exists in the iwconsole coniowritestr functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted time server entry can cause an overflow of the time server buffer, resulting in remote code execution. An attacker can send commands whil...
CVE-2019-5143
The CVE-2019-5143 issue affects Moxa AWK-3131A firmware v1.13. It is a classic buffer overflow (CWE-120) in iw_console conio_writestr that occurs when a time-server entry is crafted; this can overflow the time server buffer and enable remote code execution. Exploitation requires authentication as...
CVE-2019-5148
The CVE-2019-5148 issue affects the Moxa AWK-3131A (firmware v1.13) in the ServiceAgent component. A crafted, unauthenticated network packet can trigger an integer underflow that leads to a large memcpy, causing out-of-bounds memory access and a denial-of-service crash. TALOS and Red Hat/CISA ref...
CVE-2019-5148
An exploitable denial-of-service vulnerability exists in ServiceAgent functionality of the Moxa AWK-3131A, firmware version 1.13. A specially crafted packet can cause an integer underflow, triggering a large memcpy that will access unmapped or out-of-bounds memory. An attacker can send this packe...
CVE-2019-5153
An exploitable remote code execution vulnerability exists in the iwwebs configuration parsing functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause an overflow of an error message buffer, resulting in remote code execution. An attacker can send...
CVE-2019-5153
The CVE-2019-5153 issue affects Moxa AWK-3131A firmware 1.13 in the iw_webs configuration parsing, where a crafted username can overflow an error-buffer and enable remote code execution. The vulnerability requires authentication as a low-privilege user and results in full device compromise per Ta...
CVE-2019-5162
An exploitable improper access control vulnerability exists in the iwwebs account settings functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the device as...
CVE-2019-5162
The CVE-2019-5162 issue affects Moxa AWK-3131A firmware v1.13 (iw_webs account settings). A crafted username can overwrite an existing user password, allowing remote shell access as that user when authenticated as a low-privilege user. Talos reports this as an exploitable improper access control ...
CVE-2019-5137
The usage of hard-coded cryptographic keys within the ServiceAgent binary allows for the decryption of captured traffic across the network from or to the Moxa AWK-3131A firmware version 1.13...
CVE-2019-5137
The Moxa AWK-3131A Series (firmware 1.13) ServiceAgent uses a hard-coded cryptographic key, enabling decryption of network traffic to/from the device. CVE-2019-5137 (CVSSv3 7.5) details the root cause and impact (confidentiality HIGH). A vendor patch is available; apply the security update from M...
CVE-2019-5138
An exploitable command injection vulnerability exists in encrypted diagnostic script functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file can cause arbitrary busybox commands to be executed, resulting in remote control over the device. An attacker...
CVE-2019-5138
CVE-2019-5138 affects the Moxa AWK-3131A series (firmware v1.13) and is an OS command injection in the encrypted diagnostic script functionality. A specially crafted diagnostic script file can cause arbitrary busybox commands to be executed with root privileges, enabling remote control over the d...
CVE-2019-5136
CVE-2019-5136 affects Moxa AWK-3131A (firmware v1.13). The iw_console privilege-escalation flaw allows a low-privilege, authenticated user to craft a menu selection that escapes the restricted console and gains root access. CVSSv3 base score 8.8 (NETWORK, LOW attack complexity, Privileges Require...
CVE-2019-5136
An exploitable privilege escalation vulnerability exists in the iwconsole functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted menu selection string can cause an escape from the restricted console, resulting in system access as the root user. An attacker can send command...
CVE-2019-5142
An exploitable command injection vulnerability exists in the hostname functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted entry to network configuration information can cause execution of arbitrary system commands, resulting in full control of the device. An attacker ca...
CVE-2019-5142
CVE-2019-5142 affects the Moxa AWK-3131A Series (firmware v1.13). The vulnerability is an OS command injection in the WAP hostname handling: a specially crafted entry to network configuration information can cause arbitrary system commands to execute, giving an attacker full control of the device...