Multiple vulnerabilities on Full Compass Systems WIC1200
WIC1200, version 1.1.
INCIBE has coordinated the publication of 3 vulnerabilities that affects WIC1200 versión 1.1, hardware device to for a web controller, with HIGH severity which has been discovered by HADESS.
These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and the CWE vulnerability type of each vulnerability:
- CVE-2024-0554: 5.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L | CWE-79.
- CVE-2024-0555: 4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L | CWE-352.
- CVE-2024-0556: 7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N | CWE-261.
There is no solution reported at the moment.
CVE-2023-0122: A Cross-site scripting (XSS) vulnerability has been found on WIC1200, affecting version 1.1. An authenticated user could store a malicious javascript payload in the device model parameter via '/setup/diags_ir_learn.asp', allowing the attacker to retrieve the session details of another user.
CVE-2023-0122: A Cross-Site Request Forgery (CSRF) vulnerability has been found on WIC1200, affecting version 1.1. An authenticated user could lead another user into executing unwanted actions inside the application they are logged in. This vulnerability is possible due to the lack of propper CSRF token implementation.
CVE-2023-0122: A Weak Cryptography for Passwords vulnerability has been detected on WIC200 affecting version 1.1. This vulnerability allows a remote user to intercept the traffic and retrieve the credentials from another user and decode it in base64 allowing the attacker to see the credentials in plain text.