Vulnerabilities (CVE)

Filtered by vendor Moxa Subscribe
Total 285 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-10700 1 Moxa 2 Awk-3121, Awk-3121 Firmware 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered on Moxa AWK-3121 1.19 devices. It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter "iw_board_deviceName" is susceptible to this injection.
CVE-2015-6458 1 Moxa 1 Softcms 2024-02-28 6.8 MEDIUM 8.8 HIGH
Moxa SoftCMS 1.3 and prior is susceptible to a buffer overflow condition that may crash or allow remote code execution. Moxa released SoftCMS version 1.4 on June 1, 2015, to address the vulnerability.
CVE-2019-6526 1 Moxa 8 Eds-405a, Eds-405a Firmware, Eds-408a and 5 more 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
Moxa IKS-G6824A series Versions 4.5 and prior, EDS-405A series Version 3.8 and prior, EDS-408A series Version 3.8 and prior, and EDS-510A series Version 3.8 and prior use plaintext transmission of sensitive data, which may allow an attacker to capture sensitive data such as an administrative password.
CVE-2018-10692 1 Moxa 2 Awk-3121, Awk-3121 Firmware 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily.
CVE-2018-10701 1 Moxa 2 Awk-3121, Awk-3121 Firmware 2024-02-28 6.8 MEDIUM 8.8 HIGH
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_filename" is susceptible to buffer overflow. By crafting a packet that contains a string of 162 characters, it is possible for an attacker to execute the attack.
CVE-2018-11421 1 Moxa 4 Oncell G3150-hspa, Oncell G3150-hspa-t, Oncell G3150-hspa-t Firmware and 1 more 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary monitoring protocol that does not provide confidentiality, integrity, and authenticity security controls. All information is sent in plain text, and can be intercepted and modified. The protocol is vulnerable to remote unauthenticated disclosure of sensitive information, including the administrator's password. Under certain conditions, it's also possible to retrieve additional information, such as content of HTTP requests to the device, or the previously used password, due to memory leakages.
CVE-2019-6561 1 Moxa 8 Eds-405a, Eds-405a Firmware, Eds-408a and 5 more 2024-02-28 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery has been identified in Moxa IKS and EDS, which may allow for the execution of unauthorized actions on the device.
CVE-2019-6518 1 Moxa 8 Eds-405a, Eds-405a Firmware, Eds-408a and 5 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
Moxa IKS and EDS store plaintext passwords, which may allow sensitive information to be read by someone with access to the device.
CVE-2018-18396 1 Moxa 1 Thingspro 2024-02-28 7.5 HIGH 9.8 CRITICAL
Remote Code Execution in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.
CVE-2018-18393 1 Moxa 1 Thingspro 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
Password Management Issue in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.
CVE-2018-16282 1 Moxa 2 Edr-810, Edr-810 Firmware 2024-02-28 9.0 HIGH 8.8 HIGH
A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI.
CVE-2018-19660 1 Moxa 2 Nport W2x50a, Nport W2x50a Firmware 2024-02-28 9.0 HIGH 8.8 HIGH
An exploitable authenticated command-injection vulnerability exists in the web server functionality of Moxa NPort W2x50A products with firmware before 2.2 Build_18082311. A specially crafted HTTP POST request to /goform/webSettingProfileSecurity can result in running OS commands as the root user.
CVE-2018-18390 1 Moxa 1 Thingspro 2024-02-28 5.0 MEDIUM 7.5 HIGH
User Enumeration in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.
CVE-2018-18391 1 Moxa 1 Thingspro 2024-02-28 6.5 MEDIUM 8.8 HIGH
User Privilege Escalation in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.
CVE-2018-10632 1 Moxa 6 Nport 5210, Nport 5210 Firmware, Nport 5230 and 3 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
In Moxa NPort 5210, 5230, and 5232 versions 2.9 build 17030709 and prior, the amount of resources requested by a malicious actor are not restricted, allowing for a denial-of-service condition.
CVE-2018-19659 1 Moxa 2 Nport W2x50a, Nport W2x50a Firmware 2024-02-28 9.0 HIGH 8.8 HIGH
An exploitable authenticated command-injection vulnerability exists in the web server functionality of Moxa NPort W2x50A products with firmware before 2.2 Build_18082311. A specially crafted HTTP POST request to /goform/net_WebPingGetValue can result in running OS commands as the root user. This is similar to CVE-2017-12120.
CVE-2018-18395 1 Moxa 1 Thingspro 2024-02-28 10.0 HIGH 9.8 CRITICAL
Hidden Token Access in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.
CVE-2018-18394 1 Moxa 1 Thingspro 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
Sensitive Information Stored in Clear Text in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.
CVE-2018-18392 1 Moxa 1 Thingspro 2024-02-28 6.5 MEDIUM 8.8 HIGH
Privilege Escalation via Broken Access Control in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.
CVE-2017-12121 1 Moxa 2 Edr-810, Edr-810 Firmware 2024-02-28 9.0 HIGH 8.8 HIGH
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into the rsakey\_name= parm in the "/goform/WebRSAKEYGen" uri to trigger this vulnerability.