Source
Zero Science Lab
The device suffers from an authentication bypass vulnerability through a direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint that enables them to overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application compromising the device's system security.
The device suffers from an unauthenticated device configuration and client-side hidden functionality disclosure.
The device suffers from an authentication bypass vulnerability through a direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint that enables them to overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application compromising the device's system security.
The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication bypass through a direct and unauthorized access to the password management functionality. The vulnerability allows attackers to bypass Digest authentication by manipulating the password endpoint _Passwd.html and its payload data to set a user's password to arbitrary value or remove it entirely. This grants unauthorized access to protected areas (/user, /operator, /admin) of the application without requiring valid credentials, compromising the device's system security.
The application suffers from an unquoted search path issue impacting the service 'Tosibox Key Service' for Windows deployed as part of Tosibox software application. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
The application implements client-side restrictions that can be bypassed by editing the HTML source page that enable administrative operations.
The transmitter has a hidden super administrative account 'factory' that has the hardcoded password 'inokram25' that allows full access to the web management interface configuration. The factory account is not visible in the users page of the application and the password cannot be changed through any normal operation of the device. The backdoor lies in the /js_files/LogIn_local.js script file. Attackers could exploit this vulnerability by logging in using the backdoor credentials for the web panel gaining also additional functionalities including: unit configuration, parameter modification, EEPROM overwrite, clearing DB, and factory log modification.
Unauthorized user could exploit this vulnerability to change his/her password, potentially gaining unauthorized access to sensitive information or performing actions beyond her/his designated permissions.
The marKoni FM transmitters are susceptible to unauthenticated remote code execution with root privileges. An attacker can exploit a command injection vulnerability by manipulating the Email settings' WAN IP info service, which utilizes the 'wget' module. This allows the attacker to gain unauthorized access to the system with administrative privileges by exploiting the 'url' parameter in the HTTP GET request to ekafcgi.fcgi.
OctoberCMS suffers from stored cross-site scripting vulnerability when a user with the ability to edit the landing/about page. This can lead to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.