128 matches found
CVE-2021-27426
CVE-2021-27426 affects GE UR family UR IEDs; prior to firmware 8.1x with Basic security, the device does not allow disabling Factory Mode, enabling servicing by factory users. Root cause is an insecure default variable initialization (CWE-453). Impact per sources includes potential bypass of acce...
CVE-2021-27426 GE UR family insecure default variable initialization
GE UR IED firmware versions prior to version 8.1x with “Basic” security variant does not allow the disabling of the “Factory Mode,” which is used for servicing the IED by a “Factory” user...
CVE-2021-27430 GE UR family hardcoded credentials
GE UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR...
CVE-2021-27430
GE UR bootloader binary versions 7.00–7.02 include unused hardcoded credentials. With physical access to the UR Intelligent Electronic Device, an attacker can interrupt the boot sequence by rebooting the UR. The issue is fixed by upgrading UR firmware to 8.10 or newer (GE publication GES-2021-004...
CVE-2021-27430 GE UR family hardcoded credentials
GE UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR...
CVE-2021-27424 GE UR family exposure of sensitive information to an unauthorized actor
GE UR firmware versions prior to version 8.1x shares MODBUS memory map as part of the communications guide. GE was made aware a “Last-key pressed” MODBUS register can be used to gain unauthorized information...
CVE-2021-27428 GE UR family Unrestricted Upload of File with Dangerous Type
GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without...
CVE-2021-27428
CVE-2021-27428 affects GE UR family UR IED firmware prior to 8.1x, where the UR Setup (Enervista UR Setup) firmware upgrade flow does not enforce appropriate privileges, allowing an illegitimate user to upgrade firmware. The weakness centers on Unrestricted Upload of a Dangerous Type; the vulnera...
CVE-2021-27424 GE UR family exposure of sensitive information to an unauthorized actor
GE UR firmware versions prior to version 8.1x shares MODBUS memory map as part of the communications guide. GE was made aware a “Last-key pressed” MODBUS register can be used to gain unauthorized information...
CVE-2021-27428 GE UR family Unrestricted Upload of File with Dangerous Type
GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without...
CVE-2021-27424
GE UR family devices running firmware prior to 8.1x expose a Last-key pressed MODBUS register that can disclose unauthorized information. The issue affects UR firmware versions before 8.1x (web server, MODBUS memory map exposure as part of the communications guide) and is reflected in CVE-2021-27...
CVE-2021-27420 GE UR family input validation
GE UR firmware versions prior to version 8.1x web server task does not properly handle receipt of unsupported HTTP verbs, resulting in the web server becoming temporarily unresponsive after receiving a series of unsupported HTTP requests. When unresponsive, the web server is inaccessible. By...
CVE-2021-27420 GE UR family input validation
GE UR firmware versions prior to version 8.1x web server task does not properly handle receipt of unsupported HTTP verbs, resulting in the web server becoming temporarily unresponsive after receiving a series of unsupported HTTP requests. When unresponsive, the web server is inaccessible. By...
CVE-2021-27420
CVE-2021-27420 affects GE UR firmware prior to 8.1x, where the web server improperly handles unsupported HTTP verbs, causing the web server to become temporarily unresponsive though the relay remains functional. The vulnerability is documented across multiple connected sources (e.g., Nessus plugi...
CVE-2021-27418 GE UR family input validation
GE UR firmware versions prior to version 8.1x supports web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used to send a malicious script. Also, UR Firmware web server does not perform HTM...
CVE-2021-27418 GE UR family input validation
GE UR firmware versions prior to version 8.1x supports web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used to send a malicious script. Also, UR Firmware web server does not perform HTM...
CVE-2021-27418
GE UR firmware prior to 8.1x exposes a web interface with read‑only access that does not properly validate user input and fails to HTML-encode user-supplied strings, enabling cross‑site scripting (CVE-2021-27418). Red Hat, NVD/NIST, and ICS references corroborate a web server input‑validation wea...
PT-2022-9814 · Ge · Ge Ur
Name of the Vulnerable Software and Affected Versions: GE UR firmware versions prior to 8.1x Description: The issue allows sensitive information exposure without authentication. This occurs because the web server interface is supported over the HTTP protocol. Recommendations: For GE UR firmware...
ur-biowooeb.cirad.fr Cross Site Scripting vulnerability OBB-2150011
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:       a. verified the vulnerability and confirmed its existence;       b. notified the website operator about its existence...
CISA Warns of Security Flaws in GE Power Management Devices
The U.S. Cybersecurity & Infrastructure Security Agency CISA is warning of critical-severity security flaws in GE’s Universal Relay UR family of power management devices. GE’s UR devices are the “basis of simplified power management for the protection of critical assets,” according to the company...