43 matches found
CVE-2022-22519
The CVE-2022-22519 entry describes a remote, unauthenticated attacker able to send crafted HTTP/HTTPS requests that trigger a buffer over-read, crashing the CODESYS Control runtime system webserver. This affects the CODESYS Control runtime/webserver and related components; CVSSv3.1 base score 7.5...
CVE-2019-9010
The CVE-2019-9010 issue affects 3S-Smart CODESYS V3 products containing the CmpGateway component, across versions prior to 3.5.14.20 (e.g., BeagleBone, emPC-A/iMX6, IOT2000, Linux, PFC100/200, Raspberry Pi, V3 Runtime Toolkit, Gateway V3, and V3 Development System). Root cause: the CODESYS Gatewa...
CVE-2019-9012
The CVE-2019-9012 entry describes an issue in 3S-Smart CODESYS V3 products where a crafted communication request may cause uncontrolled memory allocations, enabling a denial-of-service condition. Affected are all variants containing the CmpGateway component in versions prior to 3.5.14.20 (includi...
CVE-2022-22515
CVE-2022-22515 affects the CODESYS Control runtime system. A remote, authenticated attacker could use the control program to read and modify the affected product’s configuration files. The available documents describe the impact (unauthorized read/write of config files) and the attack path but do...
CVE-2019-9013
CVE-2019-9013 affects 3S-Smart CODESYS V3 products containing CmpUserMgr; the root cause is that credentials may be transported without TLS protection, enabling credential exposure. Affected are multiple CODESYS V3 runtimes and HMI/SDK components across BeagleBone, emPC-A/iMX6, IOT2000, Linux, PF...
CVE-2022-22514
CVE-2022-22514 is a CODESYS vulnerability where an authenticated, remote attacker can access a dereferenced pointer in a request, enabling local memory overwrite in CmpTraceMgr and potentially causing a crash. The primary description notes lack of read/write control over values and potential cras...
CVE-2022-22516
The CVE-2022-22516 entry concerns the SysDrv3S driver in the CODESYS Control runtime system on Windows, where a local attacker can read and write within restricted memory space. The connected records confirm the affected component (SysDrv3S driver) and the underlying issue enabling memory-space a...
CVE-2021-21864
CVE-2021-21864 affects CODESYS Development System 3.5.16–3.5.17. A file-based input (APStartupCulture) is deserialized via BinaryFormatter in ComponentManager.StartupCultureSettings, enabling arbitrary command execution on exploitation. The TALOS report provides concrete details of the vulnerable...
CVE-2022-22517
CVE-2022-22517 describes a remote, unauthenticated attack against CODESYS communication components: an attacker can guess a valid channel ID and inject packets, causing an existing communication channel to be disrupted/closed. The CVSS data from NVD (3.1) assigns a high base impact (availability ...
CVE-2022-22513
CVE-2022-22513 affects CODESYS products; an authenticated remote attacker can trigger a null pointer dereference in the CmpSettings component, causing a crash. The available connected documents describe the vulnerability class and impact (crash) but do not publish concrete affected versions or a ...
CVE-2022-30791
CODESYS V3 contains a vulnerability in the CmpBlkDrvTcp component where uncontrolled resource consumption can cause the system to block new TCP connections. Existing connections remain unaffected. This CVE-2022-30791 entry is corroborated by multiple sources (e.g., NVD), but the connected documen...
CVE-2021-29241
CVE-2021-29241 affects CODESYS Gateway V3 prior to version 3.5.16.70. The vulnerability is a NULL pointer dereference in the CmpGateway component that can lead to a denial-of-service condition. Several sources corroborate the issue and its association with the Gateway V3 product line (3S‑Smart/CO...
CVE-2022-31805
The CVE-2022-31805 issue affects the CODESYS Development System (multiple components across several versions) where passwords used to authenticate between clients and servers are transmitted in plaintext. Public details in the NVD entry show network-based exploitation with partial confidentiality...
CVE-2023-3663
CVE-2023-3663 concerns the CODESYS Development System: versions 3.5.11.0–3.5.19.20 suffer a missing integrity check in the HTTP notification content, allowing an unauthenticated remote attacker to manipulate notifications sent by the CODESYS notification server. This can enable MITM-style manipul...
CVE-2021-21865
CVE-2021-21865 affects CODESYS Development System 3.5.16. The vulnerability is in PackageManagement.plugin ExtensionMethods.Clone(), which leverages BinaryFormatter to serialize/deserialize and exposes deserialization of untrusted data, enabling arbitrary command execution on exploitation (as des...
CVE-2023-37545
CVE-2023-37545 affects multiple Codesys products; after successful user authentication, crafted network requests can make CmpApp read from an invalid address, potentially causing a denial-of-service. No connected documents provide concrete version/product remediation details in this dataset.
CVE-2023-37555
Technical details about CVE-2023-37555 are not publicly available in the provided connected documents. The initial description mentions a possible DoS via CmpAppBP but no vendor/product/version specifics or fixes are given here. Monitor for updates.
CVE-2022-4224
CVE-2022-4224 affects CODESYS v3 in multiple versions. A remote, low-privilege attacker could read/modify system files and OS resources or cause a DoS. CVSSv3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 8.8). No concrete remediation details are provided in the supplied documents; ex...
CVE-2021-29239
CVE-2021-29239 (CODESYS Development System) affects CODESYS Development System 3 prior to 3.5.17.0. The issue arises when the system displays or executes malicious documents/files embedded in libraries without validating their integrity, enabling a local attacker to cause high-impact outcomes (as...
CVE-2023-3669
CVE-2023-3669 affects CODESYS Development System prior to version 3.5.19.20. The issue is due to missing brute-force protection in the import dialog, allowing a local attacker to perform unlimited password-guess attempts. Affected product: CODESYS Development System (pre-3.5.19.20). Impact is lim...
CVE-2021-21866
CODESYS Development System 3.5.16–3.5.17 contains an unsafe deserialization vulnerability in the ObjectManager.plugin’s ProfileInformation.ProfileData. The issue arises from using BinaryFormatter.Deserialize on untrusted input when loading the profile data (ProfileData property), enabling a craft...
CVE-2023-37550
CVE-2023-37550 affects multiple Codesys products; after successful user authentication, crafted network requests can cause the CmpApp component to read from an invalid address, potentially causing a denial-of-service. CVSSv3.1 base score 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). No explicit reme...
CVE-2018-20025
CVE-2018-20025 concerns a weakness in CODESYS V3 products prior to version 3.5.14.0 where insufficiently random values are used, impacting confidentiality and integrity. Public disclosures and multiple advisories (NVD entry and ICS/CISA notes) describe risks in the CODESYS Control runtime, web se...
CVE-2021-29240
CVE-2021-29240 affects the CODESYS Development System Package Manager prior to version 3.5.17.0, which does not verify the validity of packages before installation, enabling potentially malicious packages to be installed. Public sources (NVD, Red Hat advisory) describe this as an insufficient dat...
CVE-2023-37557
CVE-2023-37557 affects multiple Codesys products via the CmpAppBP (and related components) in the Codesys Runtime System. After user authentication, specially crafted remote network requests can cause CmpAppBP to overwrite a heap-based buffer, potentially leading to a denial-of-service condition....
CVE-2023-37558
CVE-2023-37558 affects multiple Codesys products using the CODESYS Runtime System (RTS). After user authentication, specially crafted network requests with inconsistent content can cause the CmpAppForce component to read from an invalid address, potentially enabling a denial-of-service condition....
CVE-2023-37546
The CVE-2023-37546 entry concerns multiple Codesys products (in multiple versions) where, after successful user authentication, crafted network requests with inconsistent content can cause the CmpApp component to read from an invalid address, potentially leading to a denial-of-service. The impact...
CVE-2023-37556
In CVE-2023-37556, multiple Codesys products are affected. After user authentication, specifically crafted network requests with inconsistent content can cause the CmpAppBP component to read from an invalid address, potentially leading to a denial-of-service. The vulnerability is within the Codes...
CVE-2020-12068
CVE-2020-12068 affects CODESYS Development System prior to 3.5.16.0, with WebVisu and Remote TargetVisu susceptible to privilege escalation. The issue can be exploited remotely over the network with low attack complexity and no authentication required, enabling an attacker to escalate privileges ...
CVE-2021-21863
The TALOS report documents a deserialization vulnerability in CODESYS Development System 3.5.16–3.5.17. The flaw is in ComponentModel.Profile.FromFile(), which deserializes a profile via BinaryFormatter.Deserialize, a known unsafe pattern for untrusted input. This can lead to arbitrary code execu...
CVE-2022-30792
CVE-2022-30792 concerns CODESYS V3’s CmpChannelServer, where an uncontrolled resource consumption flaw allows an unauthorized attacker to block new communication channel connections. The impact is limited to availability (existing connections remain functional), with CVSS indicating high impact (...
CVE-2023-37547
CVE-2023-37547 affects multiple Codesys products using the Codesys Runtime System. After successful user authentication, crafted network requests with inconsistent content can cause CmpApp to read from an invalid address, potentially resulting in a denial-of-service. The description also referenc...
CVE-2023-3662
CVE-2023-3662 affects CODESYS Development System versions 3.5.17.0 through 3.5.19.19 (prior to 3.5.19.20). The vulnerability arises from an Uncontrolled Search Path Element (CWE-427) that allows execution of binaries from the current working directory in the user’s context. Impact, as described i...
CVE-2023-3670
CVE-2023-3670 affects CODESYS Development System versions 3.5.9.0–3.5.17.0 and CODESYS Scripting 4.0.0.0–4.1.0.0. The issue arises from unsafe directory permissions that allow a locally authenticated attacker to place malicious scripts which can be executed by legitimate users, potentially escala...
CVE-2023-37548
CVE-2023-37548 affects multiple Codesys products; after successful user authentication, crafted network requests with inconsistent content can cause the CmpApp component to read from an invalid address, potentially leading to a denial-of-service. Root cause: improper handling of crafted input in ...
CVE-2023-37551
The CVE-2023-37551 issue affects Codesys products where, after user authentication, crafted requests can use the CmpApp component to download files with arbitrary extensions to the controller, bypassing type filtering and potentially compromising the CODESYS Runtime integrity. The attack paths de...
CVE-2023-37559
CVE-2023-37559 affects multiple Codesys products that use the CODESYS Runtime System. The issue allows an authenticated user to send crafted network requests that cause the CmpAppForce (and related CmpAppBP) components to read from invalid memory addresses, potentially enabling a denial‑of‑servic...
CVE-2023-37552
Technical details for CVE-2023-37552 are not provided in the supplied documents; no specific affected products, root cause, or remediation are present. Monitor for updates from official advisories.
CVE-2023-37554
CVE-2023-37554 concerns multiple Codesys products where, after user authentication, crafted network requests to the CmpAppBP/CmpApp component can cause reads from an invalid address, potentially resulting in denial-of-service. The issue is reported across multiple Codesys versions; it is distinct...
CVE-2023-37549
Technical details about CVE-2023-37549 are not provided in the connected documents. Public info mentions a DoS in Codesys CmpApp after authentication, but specifics (affected versions, exploit paths, or fixes) are not disclosed here. Monitor for updates.
CVE-2023-37553
Technical details for CVE-2023-37553 are not publicly available in the provided documents. Monitoring for updates is advised.
CVE-2026-44468
CVE-2026-44468 affects CODESYS Development System. During administrative installation, the process creates a directory with insecure default permissions, allowing a low‑privileged local attacker to modify a temporary file that defines components to be installed. This enables local privilege escal...
CVE-2026-44469
The CVE-2026-44469 entry concerns CODESYS Development System. During administrative installation, installation files are extracted to a temporary directory with incorrect default permissions. A low-privileged local attacker could exploit a TOCTOU race condition within a practical time window to r...