Filtered by vendor Ge
Subscribe
Total
128 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27430 | 1 Ge | 1 Ur Bootloader Binary | 2023-12-10 | 4.6 MEDIUM | 6.8 MEDIUM |
| GE UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR. | |||||
| CVE-2021-27428 | 1 Ge | 38 Multilin B30, Multilin B30 Firmware, Multilin B90 and 35 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without appropriate privileges. The weakness is assessed, and mitigation is implemented in firmware Version 8.10. | |||||
| CVE-2021-27426 | 1 Ge | 38 Multilin B30, Multilin B30 Firmware, Multilin B90 and 35 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| GE UR IED firmware versions prior to version 8.1x with “Basic” security variant does not allow the disabling of the “Factory Mode,” which is used for servicing the IED by a “Factory” user. | |||||
| CVE-2020-25193 | 1 Ge | 6 Rt430, Rt430 Firmware, Rt431 and 3 more | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| By having access to the hard-coded cryptographic key for GE Reason RT430, RT431 & RT434 GNSS clocks in firmware versions prior to version 08A06, attackers would be able to intercept and decrypt encrypted traffic through an HTTPS connection. | |||||
| CVE-2020-36549 | 1 Ge | 2 Voluson S8, Voluson S8 Firmware | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability classified as critical was found in GE Voluson S8. Affected is the underlying Windows XP operating system. Missing patches might introduce an excessive attack surface. Access to the local network is required for this attack to succeed. | |||||
| CVE-2020-36548 | 1 Ge | 2 Voluson S8, Voluson S8 Firmware | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability classified as problematic has been found in GE Voluson S8. Affected is the file /uscgi-bin/users.cgi of the Service Browser. The manipulation leads to improper authentication and elevated access possibilities. It is possible to launch the attack on the local host. | |||||
| CVE-2021-27422 | 1 Ge | 38 Multilin B30, Multilin B30 Firmware, Multilin B90 and 35 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| GE UR firmware versions prior to version 8.1x web server interface is supported on UR over HTTP protocol. It allows sensitive information exposure without authentication. | |||||
| CVE-2021-27454 | 1 Ge | 2 Reason Dr60, Reason Dr60 Firmware | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
| The software performs an operation at a privilege level higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses on the Reason DR60 (all firmware versions prior to 02A04.1). | |||||
| CVE-2021-27452 | 1 Ge | 2 Mu320e, Mu320e Firmware | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
| The software contains a hard-coded password that could allow an attacker to take control of the merging unit using these hard-coded credentials on the MU320E (all firmware versions prior to v04A00.1). | |||||
| CVE-2021-27448 | 1 Ge | 2 Mu320e, Mu320e Firmware | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
| A miscommunication in the file system allows adversaries with access to the MU320E to escalate privileges on the MU320E (all firmware versions prior to v04A00.1). | |||||
| CVE-2021-27450 | 1 Ge | 2 Mu320e, Mu320e Firmware | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
| SSH server configuration file does not implement some best practices. This could lead to a weakening of the SSH protocol strength, which could lead to additional misconfiguration or be leveraged as part of a larger attack on the MU320E (all firmware versions prior to v04A00.1). | |||||
| CVE-2021-31477 | 1 Ge | 2 Reason Rpv311 Firmware, Rpv311 | 2023-12-10 | 7.5 HIGH | 7.3 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of GE Reason RPV311 14A03. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware and filesystem of the device. The firmware and filesystem contain hard-coded default credentials. An attacker can leverage this vulnerability to execute code in the context of the download user. Was ZDI-CAN-11852. | |||||
| CVE-2021-27440 | 1 Ge | 2 Reason Dr60, Reason Dr60 Firmware | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| The software contains a hard-coded password it uses for its own inbound authentication or for outbound communication to external components on the Reason DR60 (all firmware versions prior to 02A04.1). | |||||
| CVE-2021-27438 | 1 Ge | 2 Reason Dr60, Reason Dr60 Firmware | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| The software contains a hard-coded password it uses for its own inbound authentication or for outbound communication to external components on the Reason DR60 (all firmware versions prior to 02A04.1). | |||||
| CVE-2020-16242 | 1 Ge | 4 S2020, S2020 Firmware, S2024 and 1 more | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The affected Reason S20 Ethernet Switch is vulnerable to cross-site scripting (XSS), which may allow an attacker to trick application users into performing critical application actions that include, but are not limited to, adding and updating accounts. | |||||
| CVE-2020-16246 | 1 Ge | 4 S2020, S2020 Firmware, S2024 and 1 more | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The affected Reason S20 Ethernet Switch is vulnerable to cross-site scripting (XSS), which may allow attackers to trick users into following a link or navigating to a page that posts a malicious JavaScript statement to the vulnerable site, causing the malicious JavaScript to be rendered by the site and executed by the victim client. | |||||
| CVE-2019-18255 | 1 Ge | 1 Ifix | 2023-12-10 | 2.1 LOW | 5.5 MEDIUM |
| HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated user to modify system-wide iFIX configurations through section objects. This may allow privilege escalation. | |||||
| CVE-2020-27267 | 4 Ge, Ptc, Rockwellautomation and 1 more | 7 Industrial Gateway Server, Kepware Kepserverex, Opc-aggregator and 4 more | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
| KEPServerEX v6.0 to v6.9, ThingWorx Kepware Server v6.8 and v6.9, ThingWorx Industrial Connectivity (all versions), OPC-Aggregator (all versions), Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server v7.68.804 and v7.66, and Software Toolbox TOP Server all 6.x versions, are vulnerable to a heap-based buffer overflow. Opening a specifically crafted OPC UA message could allow an attacker to crash the server and potentially leak data. | |||||
| CVE-2020-27263 | 4 Ge, Ptc, Rockwellautomation and 1 more | 7 Industrial Gateway Server, Kepware Kepserverex, Opc-aggregator and 4 more | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
| KEPServerEX: v6.0 to v6.9, ThingWorx Kepware Server: v6.8 and v6.9, ThingWorx Industrial Connectivity: All versions, OPC-Aggregator: All versions, Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server: v7.68.804 and v7.66, Software Toolbox TOP Server: All 6.x versions, are vulnerable to a heap-based buffer overflow. Opening a specifically crafted OPC UA message could allow an attacker to crash the server and potentially leak data. | |||||
| CVE-2020-16240 | 1 Ge | 1 Asset Performance Management Classic | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| GE Digital APM Classic, Versions 4.4 and prior. An insecure direct object reference (IDOR) vulnerability allows user account data to be downloaded in JavaScript object notation (JSON) format by users who should not have access to such functionality. An attacker can download sensitive data related to user accounts without having the proper privileges. | |||||