Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-46382: [CVE-2023-46380, CVE-2023-46381, CVE-2023-46382] Multiple vulnerabilities in Loytec products

LOYTEC LINX-212 firmware 6.2.4 and LVIS-3ME12-A1 firmware 6.2.2 and LIOB-586 firmware 6.2.3 devices use cleartext HTTP for login.

CVE
Open in Source
#vulnerability#web#auth#zero_day

Full Disclosure mailing list archives

From: Chizuru Toyama <chizuru_toyama () txone com>
Date: Fri, 3 Nov 2023 05:44:39 +0000

[+] CVE : CVE-2023-46380, CVE-2023-46381, CVE-2023-46382 [+] Title : Multiple vulnerabilities in Loytec LWEB-802, L-INX Automation Servers, L-IOB I/O Controllers, L-VIS Touch Panels [+] Vendor : LOYTEC electronics GmbH [+] Affected Product(s) : LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2, LIOB-586 firmware 6.2.3 [+] Affected Components : LWEB-802, L-INX Automation Servers, L-IOB I/O Controllers, L-VIS Touch Panels [+] Discovery Date : 01-Sep-2021 [+] Publication date : 03-Nov-2023 [+] Discovered by : Chizuru Toyama of TXOne networks

[Vulnerability Description]

CVE-2023-46380 : Insecure Permissions Password change request on the web interface on LOYTEC devices is sent in clear text over HTTP, and this allows information theft and account takeover via network sniffing.

CVE-2023-46381 : Improper Access Control Authentication is missing on the web user interface for the preinstalled version of LWEB-802. If there is a project on a device, an unauthenticated user could create a new project on a web and access/control a graphical interface. An unauthenticated user also could edit or delete a current web project, change settings and delete system logs etc… http://<IP>:<port>/lweb802_pre/

CVE-2023-46382 : Insecure Permissions The web user interface on Loytec devices requires login credentials for critical information (Data, Commission, Config, etc…); however, username and password information is sent in clear text over HTTP. If anyone sniff network traffic, they could easily steal credentials.

[Timeline]

01-Sep-2021 : Vulnerabilities discovered 13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response) 07-Oct-2022 : ICS CERT reported to vendor (no response) 03-Nov-2023 : Public disclosure _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • [CVE-2023-46380, CVE-2023-46381, CVE-2023-46382] Multiple vulnerabilities in Loytec products Chizuru Toyama (Nov 03)

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE