CVE-2021-3252

KACO New Energy XP100U Up to XP-JAVA 2.0 is affected by incorrect access control. Credentials will always be returned in plain-text from the local server during the KACO XP100U authentication process, regardless of whatever passwords have been provided, which leads to an information disclosure vulnerability.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:kaco-newenergy:xp100u_firmware:xp-java_2.0:*:*:*:*:*:*:*
cpe:2.3:h:kaco-newenergy:xp100u:-:*:*:*:*:*:*:*

History

21 Nov 2024, 06:21

Type Values Removed Values Added
References () https://tiger-team-1337.blogspot.com/2021/01/kaco-xp100u-hmi-credential-leak.html - Exploit, Technical Description, Third Party Advisory () https://tiger-team-1337.blogspot.com/2021/01/kaco-xp100u-hmi-credential-leak.html - Exploit, Technical Description, Third Party Advisory
References () https://twitter.com/Kevin2600/status/1351189347501023238 - Third Party Advisory () https://twitter.com/Kevin2600/status/1351189347501023238 - Third Party Advisory
References () https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01 - Third Party Advisory, US Government Resource () https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01 - Third Party Advisory, US Government Resource

Information

Published : 2021-02-23 15:15

Updated : 2024-11-21 06:21


NVD link : CVE-2021-3252

Mitre link : CVE-2021-3252

CVE.ORG link : CVE-2021-3252


JSON object : View

Products Affected

kaco-newenergy

  • xp100u
  • xp100u_firmware
CWE
CWE-522

Insufficiently Protected Credentials