CVE-2023-33178: XIoT Vulnerability Disclosure Dashboard
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the /dataset/data/{id} API route inside the CMS, affecting versions starting in 1.4.0 and prior to 2.3.17 and 3.3.5. It allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the filter parameter. Values supplied in the filter parameter are checked against a deny list of commands that should not be allowed; however, this check was performed in a case-sensitive manner, so it can be bypassed by using unusual case combinations. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. There are no workarounds aside from upgrading.
Track all XIoT vulnerabilities disclosed by Team82, the industry’s best cybersecurity vulnerability and threat research team. Team82 finds software and firmware vulnerabilities before threat actors can exploit them.
Publication Date | CVE ID         | Vendor            | Product
05-23-2023       | CVE-2023-32787 | OPC Foundation    | OPC UA Legacy Java Stack
05-16-2023       | CVE-2023-25183 | Snap One          | OvrC Cloud, OvrC Pro
05-16-2023       | CVE-2023-28386 | Snap One          | OvrC Cloud, OvrC Pro
05-16-2023       | CVE-2023-28412 | Snap One          | OvrC Cloud, OvrC Pro
05-16-2023       | CVE-2023-28649 | Snap One          | OvrC Cloud, OvrC Pro
05-16-2023       | CVE-2023-31193 | Snap One          | OvrC Cloud, OvrC Pro
05-16-2023       | CVE-2023-31240 | Snap One          | OvrC Cloud, OvrC Pro
05-16-2023       | CVE-2023-31241 | Snap One          | OvrC Cloud, OvrC Pro
05-16-2023       | CVE-2023-31245 | Snap One          | OvrC Cloud, OvrC Pro
05-11-2023       | CVE-2023-2586  | Teltonika Networks | Teltonika Remote Management System
05-11-2023       | CVE-2023-2588  | Teltonika Networks | Teltonika Remote Management System
05-11-2023       | CVE-2023-32348 | Teltonika Networks | Teltonika Remote Management System
05-11-2023       | CVE-2023-32349 | Teltonika Networks | Teltonika RUT
05-11-2023       | CVE-2023-32350 | Teltonika Networks | Teltonika RUT
05-11-2023       | CVE-2023-32346 | Teltonika Networks | Teltonika Remote Management System
05-11-2023       | CVE-2023-32347 | Teltonika Networks | Teltonika Remote Management System
05-11-2023       | CVE-2023-2587  | Teltonika Networks | Teltonika Remote Management System
05-10-2023       | CVE-2023-1731  | Meinberg          | LANTIME LTOS
05-04-2023       | CVE-2022-46658 | Dataprobe         | iBoot-PDU
05-04-2023       | CVE-2022-46738 | Dataprobe         | iBoot-PDU
05-04-2023       | CVE-2022-47311 | Dataprobe         | iBoot-PDU
05-04-2023       | CVE-2022-47320 | Dataprobe         | iBoot-PDU
05-04-2023       | CVE-2022-4945  | Dataprobe         | iBoot-PDU
05-04-2023       | CVE-2023-31185 | ROZCOM            | ROZCOM client
05-04-2023       | CVE-2023-31184 | ROZCOM            | ROZCOM client
Disclosure Policy
Team82 is committed to privately reporting vulnerabilities to affected vendors in a coordinated, timely manner in order to ensure the safety of the cybersecurity ecosystem worldwide. To engage with the vendor and research community, Team82 invites you to download and share our Coordinated Disclosure Policy. Team82 will adhere to this reporting and disclosure process when we discover vulnerabilities in products and services.
Public Email & PGP Key
Team82 has also made its public PGP Key available for the vendor and research community to securely and safely exchange vulnerability and research information with us.
Related news
Multiple security vulnerabilities have been discovered in various services, including Honeywell Experion distributed control system (DCS) and QuickBlox, that, if successfully exploited, could result in severe compromise of affected systems. Dubbed Crit.IX, the nine flaws in the Honeywell Experion DCS platform allow for "unauthorized remote code execution, which means an attacker would have
The Dataprobe cloud usernames and passwords are stored in plain text in a specific file. Any user able to read this specific file from the device could compromise other devices connected to the user's cloud.
Snap One OvrC cloud servers contain a route an attacker can use to bypass requirements and claim devices outright.
Devices using Snap One OvrC cloud are sent to a web address when accessing a web management interface using an HTTP connection. Attackers could impersonate a device and supply malicious information about the device's web server interface. By supplying malicious parameters, an attacker could redirect the user to arbitrary and dangerous locations on the web.
Teltonika’s Remote Management System versions prior to 4.10.0 contain a cross-site scripting (XSS) vulnerability in the main page of the web interface. An attacker with the MAC address and serial number of a connected device could send a maliciously crafted JSON file with an HTML object to trigger the vulnerability. This could allow the attacker to execute scripts in the account context and obtain remote code execution on managed devices.
The OPC UA Legacy Java Stack before 6f176f2 enables an attacker to block OPC UA server applications via uncontrolled resource consumption so that they can no longer serve client applications.
Several security vulnerabilities have been disclosed in cloud management platforms associated with three industrial cellular router vendors that could expose operational technology (OT) networks to external attacks. The findings were presented by Israeli industrial cybersecurity firm OTORIO at the Black Hat Asia 2023 conference last week. The 11 vulnerabilities allow "remote code execution and
In LTOS versions prior to V7.06.013, the configuration file upload function did not correctly validate its input, which allows a remote authenticated attacker with high privileges to execute arbitrary commands.