Vulnerabilities > Iconics > Mobilehmi
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-01-21 | CVE-2022-23127 | Cross-site Scripting vulnerability in multiple products Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL. | 6.1 |
| 2022-01-21 | CVE-2022-23128 | Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI versions 10.95.3 to 10.97 allows a remote unauthenticated attacker to bypass the authentication of MC Works64, GENESIS64, Hyper Historian, AnalytiX and MobileHMI, and gain unauthorized access to the products, by sending specially crafted WebSocket packets to FrameWorX server, one of the functions of the products. | 9.8 |
| 2020-07-16 | CVE-2020-12015 | Deserialization of Untrusted Data vulnerability in multiple products A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. | 7.5 |
| 2020-07-16 | CVE-2020-12013 | SQL Injection vulnerability in multiple products A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. | 9.1 |
| 2020-07-16 | CVE-2020-12007 | Deserialization of Untrusted Data vulnerability in multiple products A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. | 9.8 |
| 2020-07-16 | CVE-2020-12009 | Deserialization of Untrusted Data vulnerability in multiple products A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. | 7.5 |
| 2020-07-16 | CVE-2020-12011 | Out-of-bounds Write vulnerability in multiple products A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. | 9.8 |