VYPR

ICS Advisories

by Cisagov

CVEs (13)

  • CVE-2023-41084CriSep 18, 2023
    risk 0.65cvss 10.0epss 0.01

    Session management within the web application is incorrect and allows attackers to steal session cookies to perform a multitude of actions that the web app allows on the device.

  • CVE-2022-2197CriJun 30, 2022
    risk 0.64cvss 9.8epss 0.01

    By using a specific credential string, an attacker with network access to the device’s web interface could circumvent the authentication scheme and perform administrative operations.

  • CVE-2022-2103CriJun 24, 2022
    risk 0.64cvss 9.8epss 0.01

    An attacker with weak credentials could access the TCP port via an open FTP port, allowing an attacker to read sensitive files and write to remotely executable directories.

  • CVE-2021-38477CriOct 22, 2021
    risk 0.64cvss 9.8epss 0.01

    There are multiple API function codes that permit reading and writing data to or from files and directories, which could lead to the manipulation and/or the deletion of files.

  • CVE-2022-1521CriJun 24, 2022
    risk 0.59cvss 9.1epss 0.01

    LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data.

  • CVE-2021-42536HigOct 22, 2021
    risk 0.52cvss 8.0epss 0.01

    The affected product is vulnerable to a disclosure of peer username and password by allowing all users access to read global variables.

  • CVE-2023-39452HigSep 18, 2023
    risk 0.49cvss 7.5epss 0.01

    The web application that owns the device clearly stores the credentials within the user management section. Obtaining this information can be done remotely due to the incorrect management of the sessions in the web application.

  • CVE-2022-1704HigAug 5, 2022
    risk 0.49cvss 7.6epss 0.01

    Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to a XXE attack while restoring the backup.

  • CVE-2021-38455HigOct 22, 2021
    risk 0.48cvss 7.3epss 0.01

    The affected product’s OS Service does not verify any given parameter. A user can supply any type of parameter that will be passed to inner calls without checking the type of the parameter or the value.

  • CVE-2023-50703MedDec 20, 2023
    risk 0.41cvss 6.3epss 0.00

    An attacker with network access could perform a man-in-the-middle (MitM) attack and capture sensitive information to gain unauthorized access to the application.

  • CVE-2021-42699MedNov 5, 2021
    risk 0.37cvss 5.7epss 0.00

    The affected product is vulnerable to cookie information being transmitted as cleartext over HTTP. An attacker can capture network traffic, obtain the user’s cookie and take over the account.

  • CVE-2020-14479MedApr 1, 2022
    risk 0.35cvss 5.3epss 0.01

    Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server

  • CVE-2022-2137MedJul 22, 2022
    risk 0.32cvss 4.9epss 0.01

    The affected product is vulnerable to two SQL injections that require high privileges for exploitation and may allow an unauthorized attacker to disclose information