Proficy Machine Edition
by Emerson
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-16353 | Hig | 0.49 | 7.5 | 0.01 | Sep 16, 2019 | Emerson GE Automation Proficy Machine Edition 8.0 allows an access violation and application crash via crafted traffic from a remote device, as demonstrated by an RX7i device. | ||
| CVE-2022-2792 | Med | 0.43 | 6.6 | 0.00 | Aug 19, 2022 | Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-284 Improper Access Control, and stores project data in a directory with improper access control lists. | ||
| CVE-2022-2791 | Med | 0.38 | 5.9 | 0.00 | Nov 22, 2022 | Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-434 Unrestricted Upload of File with Dangerous Type, and will upload any file written into the PLC logic folder to the connected PLC. | ||
| CVE-2022-2793 | Med | 0.38 | 5.9 | 0.00 | Aug 19, 2022 | Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-353 Missing Support for Integrity Check, and has no authentication or authorization of data packets after establishing a connection for the SRTP protocol. | ||
| CVE-2022-2790 | Med | 0.38 | 5.9 | 0.00 | Aug 19, 2022 | Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-347 Improper Verification of Cryptographic Signature, and does not properly verify compiled logic (PDT files) and data blocks data (BLD/BLK files). | ||
| CVE-2021-29298 | Med | 0.35 | 5.3 | 0.01 | Jul 30, 2021 | Improper Input Validation in Emerson GE Automation Proficy Machine Edition v8.0 allows an attacker to cause a denial of service and application crash via crafted traffic from a Man-in-the-Middle (MITM) attack to the component "FrameworX.exe"in the module "fxVPStatcTcp.dll". | ||
| CVE-2021-29297 | Med | 0.35 | 5.3 | 0.01 | Jul 30, 2021 | Buffer Overflow in Emerson GE Automation Proficy Machine Edition v8.0 allows an attacker to cause a denial of service and application crash via crafted traffic from a Man-in-the-Middle (MITM) attack to the component "FrameworX.exe" in the module "MSVCR100.dll". | ||
| CVE-2022-2789 | Med | 0.31 | 4.7 | 0.00 | Aug 19, 2022 | Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-345 Insufficient Verification of Data Authenticity, and can display logic that is different than the compiled logic. | ||
| CVE-2022-2788 | Low | 0.25 | 3.9 | 0.00 | Aug 19, 2022 | Emerson Electric's Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: '\..\Filename', also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer… |
- risk 0.49cvss 7.5epss 0.01
Emerson GE Automation Proficy Machine Edition 8.0 allows an access violation and application crash via crafted traffic from a remote device, as demonstrated by an RX7i device.
- risk 0.43cvss 6.6epss 0.00
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-284 Improper Access Control, and stores project data in a directory with improper access control lists.
- risk 0.38cvss 5.9epss 0.00
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-434 Unrestricted Upload of File with Dangerous Type, and will upload any file written into the PLC logic folder to the connected PLC.
- risk 0.38cvss 5.9epss 0.00
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-353 Missing Support for Integrity Check, and has no authentication or authorization of data packets after establishing a connection for the SRTP protocol.
- risk 0.38cvss 5.9epss 0.00
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-347 Improper Verification of Cryptographic Signature, and does not properly verify compiled logic (PDT files) and data blocks data (BLD/BLK files).
- risk 0.35cvss 5.3epss 0.01
Improper Input Validation in Emerson GE Automation Proficy Machine Edition v8.0 allows an attacker to cause a denial of service and application crash via crafted traffic from a Man-in-the-Middle (MITM) attack to the component "FrameworX.exe"in the module "fxVPStatcTcp.dll".
- risk 0.35cvss 5.3epss 0.01
Buffer Overflow in Emerson GE Automation Proficy Machine Edition v8.0 allows an attacker to cause a denial of service and application crash via crafted traffic from a Man-in-the-Middle (MITM) attack to the component "FrameworX.exe" in the module "MSVCR100.dll".
- risk 0.31cvss 4.7epss 0.00
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-345 Insufficient Verification of Data Authenticity, and can display logic that is different than the compiled logic.
- risk 0.25cvss 3.9epss 0.00
Emerson Electric's Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: '\..\Filename', also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer…