KACO New Energy XP100U Up to XP-JAVA 2.0 is affected by incorrect access control. Credentials will always be returned in plain-text from the local server during the KACO XP100U authentication process, regardless of whatever passwords have been provided, which leads to an information disclosure vulnerability.
References
Link | Resource |
---|---|
https://tiger-team-1337.blogspot.com/2021/01/kaco-xp100u-hmi-credential-leak.html | Exploit Technical Description Third Party Advisory |
https://twitter.com/Kevin2600/status/1351189347501023238 | Third Party Advisory |
https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01 | Third Party Advisory US Government Resource |
https://tiger-team-1337.blogspot.com/2021/01/kaco-xp100u-hmi-credential-leak.html | Exploit Technical Description Third Party Advisory |
https://twitter.com/Kevin2600/status/1351189347501023238 | Third Party Advisory |
https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01 | Third Party Advisory US Government Resource |
Configurations
Configuration 1 (hide)
AND |
|
History
21 Nov 2024, 06:21
Type | Values Removed | Values Added |
---|---|---|
References | () https://tiger-team-1337.blogspot.com/2021/01/kaco-xp100u-hmi-credential-leak.html - Exploit, Technical Description, Third Party Advisory | |
References | () https://twitter.com/Kevin2600/status/1351189347501023238 - Third Party Advisory | |
References | () https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01 - Third Party Advisory, US Government Resource |
Information
Published : 2021-02-23 15:15
Updated : 2024-11-21 06:21
NVD link : CVE-2021-3252
Mitre link : CVE-2021-3252
CVE.ORG link : CVE-2021-3252
JSON object : View
Products Affected
kaco-newenergy
- xp100u
- xp100u_firmware
CWE
CWE-522
Insufficiently Protected Credentials