Search
Find a vulnerability
Search criteria
6 vulnerabilities found for adam-5630_firmware by advantech
CVE-2024-39275 (GCVE-0-2024-39275)
Vulnerability from nvd – Published: 2024-09-27 17:38 – Updated: 2024-09-27 18:14
VLAI
Title
Advantech ADAM-5630 Use of Persistent Cookies Containing Sensitive Information
Summary
Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a
session is closed. Forging requests with a legitimate cookie, even if
the session was terminated, allows an unauthorized attacker to act with
the same level of privileges of the legitimate user.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Advantech | ADAM-5630 |
Affected:
0 , < v2.5.2
(custom)
|
|
| advantech | adam-5630_firmware |
Affected:
0 , < 2.5.2
(custom)
cpe:2.3:o:advantech:adam-5630_firmware:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:advantech:adam-5630_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "adam-5630_firmware",
"vendor": "advantech",
"versions": [
{
"lessThan": "2.5.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39275",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T18:11:22.063861Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:14:05.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADAM-5630",
"vendor": "Advantech",
"versions": [
{
"lessThan": "v2.5.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez and Luis Villalba P\u00e9rez of S21sec reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a \nsession is closed. Forging requests with a legitimate cookie, even if \nthe session was terminated, allows an unauthorized attacker to act with \nthe same level of privileges of the legitimate user."
}
],
"value": "Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a \nsession is closed. Forging requests with a legitimate cookie, even if \nthe session was terminated, allows an unauthorized attacker to act with \nthe same level of privileges of the legitimate user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-539",
"description": "CWE-539",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T17:38:20.408Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-02"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech recommends users upgrade their ADAM-5630 devices to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/zh-tw/support/details/firmware?id=1-1WFJLZ4\"\u003eversion 2.5.2\u003c/a\u003e.\n\n\u003cbr\u003e"
}
],
"value": "Advantech recommends users upgrade their ADAM-5630 devices to version 2.5.2 https://www.advantech.com/zh-tw/support/details/firmware ."
}
],
"source": {
"advisory": "ICSA-24-270-02",
"discovery": "EXTERNAL"
},
"title": "Advantech ADAM-5630 Use of Persistent Cookies Containing Sensitive Information",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-39275",
"datePublished": "2024-09-27T17:38:20.408Z",
"dateReserved": "2024-06-26T15:26:29.592Z",
"dateUpdated": "2024-09-27T18:14:05.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34542 (GCVE-0-2024-34542)
Vulnerability from nvd – Published: 2024-09-27 17:45 – Updated: 2024-09-27 18:07
VLAI
Title
Advantech ADAM-5630 Weak Encoding for Password
Summary
Advantech ADAM-5630 shares user credentials plain text between the device and the user source device during the login process.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34542",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T18:07:05.794065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:07:43.370Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADAM-5630",
"vendor": "Advantech",
"versions": [
{
"lessThan": "v2.5.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez and Luis Villalba P\u00e9rez of S21sec reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech ADAM-5630 shares user credentials plain text between the device and the user source device during the login process."
}
],
"value": "Advantech ADAM-5630 shares user credentials plain text between the device and the user source device during the login process."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-261",
"description": "CWE-261",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T17:45:02.820Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-02"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech recommends users upgrade their ADAM-5630 devices to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/zh-tw/support/details/firmware?id=1-1WFJLZ4\"\u003eversion 2.5.2\u003c/a\u003e.\n\n\u003cbr\u003e"
}
],
"value": "Advantech recommends users upgrade their ADAM-5630 devices to version 2.5.2 https://www.advantech.com/zh-tw/support/details/firmware ."
}
],
"source": {
"advisory": "ICSA-24-270-02",
"discovery": "EXTERNAL"
},
"title": "Advantech ADAM-5630 Weak Encoding for Password",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-34542",
"datePublished": "2024-09-27T17:45:02.820Z",
"dateReserved": "2024-06-26T15:26:29.582Z",
"dateUpdated": "2024-09-27T18:07:43.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28948 (GCVE-0-2024-28948)
Vulnerability from nvd – Published: 2024-09-27 17:41 – Updated: 2024-09-27 18:17
VLAI
Title
Advantech ADAM-5630 Cross-Site Request Forgery
Summary
Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability. It allows an attacker to partly circumvent the same
origin policy, which is designed to prevent different websites from
interfering with each other.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Advantech | ADAM-5630 |
Affected:
0 , < v2.5.2
(custom)
|
|
| advantech | adam-5630_firmware |
Affected:
0 , < 2.5.2
(custom)
cpe:2.3:o:advantech:adam-5630_firmware:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:advantech:adam-5630_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "adam-5630_firmware",
"vendor": "advantech",
"versions": [
{
"lessThan": "2.5.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28948",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T18:11:20.715131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:17:57.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADAM-5630",
"vendor": "Advantech",
"versions": [
{
"lessThan": "v2.5.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez and Luis Villalba P\u00e9rez of S21sec reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability. It allows an attacker to partly circumvent the same \norigin policy, which is designed to prevent different websites from \ninterfering with each other."
}
],
"value": "Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability. It allows an attacker to partly circumvent the same \norigin policy, which is designed to prevent different websites from \ninterfering with each other."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T17:42:15.478Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-02"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech recommends users upgrade their ADAM-5630 devices to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/zh-tw/support/details/firmware?id=1-1WFJLZ4\"\u003eversion 2.5.2\u003c/a\u003e.\n\n\u003cbr\u003e"
}
],
"value": "Advantech recommends users upgrade their ADAM-5630 devices to version 2.5.2 https://www.advantech.com/zh-tw/support/details/firmware ."
}
],
"source": {
"advisory": "ICSA-24-270-02",
"discovery": "EXTERNAL"
},
"title": "Advantech ADAM-5630 Cross-Site Request Forgery",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-28948",
"datePublished": "2024-09-27T17:41:07.875Z",
"dateReserved": "2024-06-26T15:26:29.587Z",
"dateUpdated": "2024-09-27T18:17:57.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34542 (GCVE-0-2024-34542)
Vulnerability from cvelistv5 – Published: 2024-09-27 17:45 – Updated: 2024-09-27 18:07
VLAI
Title
Advantech ADAM-5630 Weak Encoding for Password
Summary
Advantech ADAM-5630 shares user credentials plain text between the device and the user source device during the login process.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34542",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T18:07:05.794065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:07:43.370Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADAM-5630",
"vendor": "Advantech",
"versions": [
{
"lessThan": "v2.5.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez and Luis Villalba P\u00e9rez of S21sec reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech ADAM-5630 shares user credentials plain text between the device and the user source device during the login process."
}
],
"value": "Advantech ADAM-5630 shares user credentials plain text between the device and the user source device during the login process."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-261",
"description": "CWE-261",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T17:45:02.820Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-02"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech recommends users upgrade their ADAM-5630 devices to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/zh-tw/support/details/firmware?id=1-1WFJLZ4\"\u003eversion 2.5.2\u003c/a\u003e.\n\n\u003cbr\u003e"
}
],
"value": "Advantech recommends users upgrade their ADAM-5630 devices to version 2.5.2 https://www.advantech.com/zh-tw/support/details/firmware ."
}
],
"source": {
"advisory": "ICSA-24-270-02",
"discovery": "EXTERNAL"
},
"title": "Advantech ADAM-5630 Weak Encoding for Password",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-34542",
"datePublished": "2024-09-27T17:45:02.820Z",
"dateReserved": "2024-06-26T15:26:29.582Z",
"dateUpdated": "2024-09-27T18:07:43.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28948 (GCVE-0-2024-28948)
Vulnerability from cvelistv5 – Published: 2024-09-27 17:41 – Updated: 2024-09-27 18:17
VLAI
Title
Advantech ADAM-5630 Cross-Site Request Forgery
Summary
Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability. It allows an attacker to partly circumvent the same
origin policy, which is designed to prevent different websites from
interfering with each other.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Advantech | ADAM-5630 |
Affected:
0 , < v2.5.2
(custom)
|
|
| advantech | adam-5630_firmware |
Affected:
0 , < 2.5.2
(custom)
cpe:2.3:o:advantech:adam-5630_firmware:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:advantech:adam-5630_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "adam-5630_firmware",
"vendor": "advantech",
"versions": [
{
"lessThan": "2.5.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28948",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T18:11:20.715131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:17:57.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADAM-5630",
"vendor": "Advantech",
"versions": [
{
"lessThan": "v2.5.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez and Luis Villalba P\u00e9rez of S21sec reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability. It allows an attacker to partly circumvent the same \norigin policy, which is designed to prevent different websites from \ninterfering with each other."
}
],
"value": "Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability. It allows an attacker to partly circumvent the same \norigin policy, which is designed to prevent different websites from \ninterfering with each other."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T17:42:15.478Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-02"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech recommends users upgrade their ADAM-5630 devices to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/zh-tw/support/details/firmware?id=1-1WFJLZ4\"\u003eversion 2.5.2\u003c/a\u003e.\n\n\u003cbr\u003e"
}
],
"value": "Advantech recommends users upgrade their ADAM-5630 devices to version 2.5.2 https://www.advantech.com/zh-tw/support/details/firmware ."
}
],
"source": {
"advisory": "ICSA-24-270-02",
"discovery": "EXTERNAL"
},
"title": "Advantech ADAM-5630 Cross-Site Request Forgery",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-28948",
"datePublished": "2024-09-27T17:41:07.875Z",
"dateReserved": "2024-06-26T15:26:29.587Z",
"dateUpdated": "2024-09-27T18:17:57.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39275 (GCVE-0-2024-39275)
Vulnerability from cvelistv5 – Published: 2024-09-27 17:38 – Updated: 2024-09-27 18:14
VLAI
Title
Advantech ADAM-5630 Use of Persistent Cookies Containing Sensitive Information
Summary
Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a
session is closed. Forging requests with a legitimate cookie, even if
the session was terminated, allows an unauthorized attacker to act with
the same level of privileges of the legitimate user.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Advantech | ADAM-5630 |
Affected:
0 , < v2.5.2
(custom)
|
|
| advantech | adam-5630_firmware |
Affected:
0 , < 2.5.2
(custom)
cpe:2.3:o:advantech:adam-5630_firmware:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:advantech:adam-5630_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "adam-5630_firmware",
"vendor": "advantech",
"versions": [
{
"lessThan": "2.5.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39275",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T18:11:22.063861Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:14:05.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADAM-5630",
"vendor": "Advantech",
"versions": [
{
"lessThan": "v2.5.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aar\u00f3n Flecha Men\u00e9ndez and Luis Villalba P\u00e9rez of S21sec reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a \nsession is closed. Forging requests with a legitimate cookie, even if \nthe session was terminated, allows an unauthorized attacker to act with \nthe same level of privileges of the legitimate user."
}
],
"value": "Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a \nsession is closed. Forging requests with a legitimate cookie, even if \nthe session was terminated, allows an unauthorized attacker to act with \nthe same level of privileges of the legitimate user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-539",
"description": "CWE-539",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T17:38:20.408Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-02"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech recommends users upgrade their ADAM-5630 devices to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/zh-tw/support/details/firmware?id=1-1WFJLZ4\"\u003eversion 2.5.2\u003c/a\u003e.\n\n\u003cbr\u003e"
}
],
"value": "Advantech recommends users upgrade their ADAM-5630 devices to version 2.5.2 https://www.advantech.com/zh-tw/support/details/firmware ."
}
],
"source": {
"advisory": "ICSA-24-270-02",
"discovery": "EXTERNAL"
},
"title": "Advantech ADAM-5630 Use of Persistent Cookies Containing Sensitive Information",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-39275",
"datePublished": "2024-09-27T17:38:20.408Z",
"dateReserved": "2024-06-26T15:26:29.592Z",
"dateUpdated": "2024-09-27T18:14:05.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}