1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Low attack complexity
- Vendor: Advantech
- Equipment: ADAM-5550
- Vulnerabilities: Weak Encoding for Password, Cross-site Scripting
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a remote attacker to intercept the credentials of a legitimate user, which are trivially decodable, gain full access to the device, and plant malicious code on the device's web page.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Advantech’s ADAM are affected:
- Advantech ADAM 5550: All versions
3.2 Vulnerability Overview
3.2.1 WEAK ENCODING FOR PASSWORD CWE-261
User credentials are transmitted protected only by Base64 encoding. Base64 is a reversible encoding, not encryption: there is no key, so anyone who can observe the exchange recovers the plaintext credentials with a single decode.
CVE-2024-37187 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-37187. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
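The following is an added example, not part of the advisory or of Advantech's code, showing what "weak encoding for password" means in practice: recovering the credentials from a captured plaintext request, and a detection pass over a set of captured requests to find which hosts are still receiving credentials this way. It assumes the device carries the Base64-encoded credentials in a standard HTTP "Authorization: Basic" header (RFC 7617); the advisory states only that the credentials are Base64-encoded. The captured requests, hosts and credential values are constructed.

```python
"""Recover and detect Base64-only ("Basic") credentials in captured HTTP traffic.

Added example, not part of the advisory or of Advantech's code. It assumes the
device sends the Base64-encoded credentials in an HTTP "Authorization: Basic"
header (RFC 7617); the advisory states only that they are Base64-encoded.
All captured requests below are constructed.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

_BASIC_RE = re.compile(rb"^authorization:\s*basic\s+([A-Za-z0-9+/]+=*)\s*$", re.IGNORECASE)
_HOST_RE = re.compile(rb"^host:\s*(\S+)\s*$", re.IGNORECASE)


def extract_basic_credentials(raw_request: bytes) -> Optional[Tuple[str, str]]:
    """Return (user, password) if the request carries Basic credentials, else None.

    Base64 is an encoding, not encryption: there is no key, so anyone who can
    observe the plaintext HTTP exchange reverses it with a single decode.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        m = _BASIC_RE.match(line)
        if m is None:
            continue
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            return None  # header present but the token is not valid Base64
        # RFC 7617: the user-id may not contain ':', the password may, so split once.
        user, sep, password = decoded.decode("utf-8", errors="replace").partition(":")
        if not sep:
            return None
        return user, password
    return None


def audit_capture(requests: List[bytes]) -> List[Dict[str, str]]:
    """Report every credential sent in the clear across a set of captured requests.

    This is the detection side: run it over requests reassembled from a packet
    capture of the ICS segment to find which hosts still receive Basic
    credentials over plaintext HTTP.
    """
    findings: List[Dict[str, str]] = []
    for req in requests:
        creds = extract_basic_credentials(req)
        if creds is None:
            continue
        host = "unknown"
        for line in req.split(b"\r\n\r\n", 1)[0].split(b"\r\n"):
            h = _HOST_RE.match(line)
            if h:
                host = h.group(1).decode("ascii", errors="replace")
                break
        findings.append({"host": host, "user": creds[0], "password": creds[1]})
    return findings


# Constructed sample traffic: hosts are RFC 5737 documentation addresses and the
# credential is made up. "YWRtaW46cGFzczp3b3JkMTIz" decodes to "admin:pass:word123".
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    b"Authorization: Basic YWRtaW46cGFzczp3b3JkMTIz\r\n\r\n",
    b"GET /status HTTP/1.1\r\nHost: 192.0.2.11\r\n\r\n",  # no credentials at all
    b"GET /x HTTP/1.1\r\nHost: 192.0.2.12\r\n"
    b"Authorization: Basic YWRtaW4\r\n\r\n",             # truncated token, bad padding
]

if __name__ == "__main__":
    for f in audit_capture(SAMPLE_REQUESTS):
        print(f"{f['host']}: user={f['user']!r} password={f['password']!r}")
```

The decode step is the whole attack: no cracking or key recovery is needed, which is why the fix is transport-level (TLS, or a network segment the attacker cannot observe) rather than a stronger "encoding". The same scan, pointed at a capture from the control network, doubles as a check that the mitigation has actually taken effect.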
3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
Advantech ADAM 5550’s web application includ
[…]