Multiple vulnerabilities in Planet IGS-4215-16T2S
IGS-4215-16T2S, firmware version 1.305b210528.
INCIBE has coordinated the publication of 3 vulnerabilities, 2 of high severity and 1 medium, affecting Planet IGS-4215-16T2S, firmware version 1.305b210528, an industrial switch to improve the availability of critical business applications, which have been discovered by J. Daniel Martinez (dan1t0) of IOActive.
These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and CWE vulnerability type for each vulnerability:
- CVE-2024-2740: 7.7 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | CWE-200.
- CVE-2024-2741: 7.1 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | CWE-352.
- CVE-2024-2742: 6.4 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-78.
Vulnerability fixed in firmware version 1.305b231218.
CVE-2024-2740: information exposure vulnerability in Planet IGS-4215-16T2S, affecting firmware version 1.305b210528. This vulnerability could allow a remote attacker to access some administrative resources due to lack of proper management of the Switch web interface.
CVE-2024-2741: Cross-Site Request Forgery (CSRF) vulnerability in Planet IGS-4215-16T2S, affecting firmware version 1.305b210528. This vulnerability could allow a remote attacker to trick some authenticated users into performing actions in their session, such as adding or updating accounts through the Switch web interface.
CVE-2024-2742: operating system command injection vulnerability in Planet IGS-4215-16T2S, affecting firmware version 1.305b210528. An authenticated attacker could execute arbitrary code on the remote host by exploiting IP address functionality.
