Vulnerabilities > Honeywell

DATE CVE VULNERABILITY TITLE RISK
2020-06-26 CVE-2020-10628 Cleartext Transmission of Sensitive Information vulnerability in Honeywell ControlEdge PLC Firmware and ControlEdge RTU Firmware
ControlEdge PLC (R130.2, R140, R150, and R151) and RTU (R101, R110, R140, R150, and R151) expose unencrypted passwords on the network.
network
low complexity
honeywell CWE-319
5.0
2020-06-26 CVE-2020-10624 Cleartext Transmission of Sensitive Information vulnerability in Honeywell ControlEdge PLC Firmware and ControlEdge RTU Firmware
ControlEdge PLC (R130.2, R140, R150, and R151) and RTU (R101, R110, R140, R150, and R151) expose a session token on the network.
network
low complexity
honeywell CWE-319
5.0
2020-04-07 CVE-2020-6974 Path Traversal vulnerability in Honeywell Notifier Webserver 3.50
Honeywell Notifier Web Server (NWS) Version 3.50 is vulnerable to a path traversal attack, which allows an attacker to bypass access to restricted directories.
network
low complexity
honeywell CWE-22
7.5
2020-03-24 CVE-2020-6982 Injection vulnerability in Honeywell WIN-PAK 4.7.2
In Honeywell WIN-PAK 4.7.2, Web and prior versions, a header injection vulnerability has been identified, which may allow remote code execution.
low complexity
honeywell CWE-74
5.8
2020-03-24 CVE-2020-6978 Unspecified vulnerability in Honeywell WIN-PAK 4.7.2
In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected product is vulnerable due to the usage of old jQuery libraries.
network
low complexity
honeywell
6.4
2020-03-24 CVE-2020-7005 Cross-Site Request Forgery (CSRF) vulnerability in Honeywell WIN-PAK 4.7.2
In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected product is vulnerable to cross-site request forgery, which may allow an attacker to remotely execute arbitrary code.
network
honeywell CWE-352
6.8
2020-03-24 CVE-2020-6972 Authentication Bypass by Capture-Replay vulnerability in Honeywell Notifier Webserver 3.50
In Notifier Web Server (NWS) Version 3.50 and earlier, the Honeywell Fire Web Server’s authentication may be bypassed by a capture-replay attack from a web browser.
network
low complexity
honeywell CWE-294
6.4
2020-02-20 CVE-2020-6968 Improper Privilege Management vulnerability in Honeywell INNCOM INNControl Firmware 3.0/3.21
Honeywell INNCOM INNControl 3 allows workstation users to escalate application user privileges through the modification of local configuration files.
local
low complexity
honeywell CWE-269
4.6
2020-01-22 CVE-2020-6960 SQL Injection vulnerability in Honeywell products
The following versions of MAXPRO VMS and NVR, MAXPRO VMS: HNMSWVMS prior to Version VMS560 Build 595 T2-Patch, HNMSWVMSLT prior to Version VMS560 Build 595 T2-Patch, MAXPRO NVR: MAXPRO NVR XE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR SE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR PE prior to Version NVR 5.6 Build 595 T2-Patch, and MPNVRSWXX prior to Version NVR 5.6 Build 595 T2-Patch contain an SQL injection vulnerability that could give an attacker remote unauthenticated access to the web user interface with administrator-level privileges.
network
low complexity
honeywell CWE-89
7.5
2020-01-22 CVE-2020-6959 Deserialization of Untrusted Data vulnerability in Honeywell products
The following versions of MAXPRO VMS and NVR, MAXPRO VMS: HNMSWVMS prior to Version VMS560 Build 595 T2-Patch, HNMSWVMSLT prior to Version VMS560 Build 595 T2-Patch, MAXPRO NVR: MAXPRO NVR XE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR SE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR PE prior to Version NVR 5.6 Build 595 T2-Patch, and MPNVRSWXX prior to Version NVR 5.6 Build 595 T2-Patch are vulnerable to unsafe deserialization of untrusted data.
network
low complexity
honeywell CWE-502
7.5