Vulnerabilities > Ovarro
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-07-03 | CVE-2023-36610 | Insufficient Entropy vulnerability in Ovarro products ?The affected TBox RTUs generate software security tokens using insufficient entropy. | 5.9 |
| 2023-07-03 | CVE-2023-36611 | Improper Authorization vulnerability in Ovarro products The affected TBox RTUs allow low privilege users to access software security tokens of higher privilege. | 6.5 |
| 2023-07-03 | CVE-2023-3395 | Cleartext Storage of Sensitive Information vulnerability in Ovarro products ?All versions of the TWinSoft Configuration Tool store encrypted passwords as plaintext in memory. | 6.5 |
| 2023-07-03 | CVE-2023-36608 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Ovarro products The affected TBox RTUs store hashed passwords using MD5 encryption, which is an insecure encryption algorithm. | 6.5 |
| 2023-07-03 | CVE-2023-36609 | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Ovarro products The affected TBox RTUs run OpenVPN with root privileges and can run user defined configuration scripts. | 7.2 |
| 2023-06-29 | CVE-2023-36607 | Missing Authorization vulnerability in Ovarro products The affected TBox RTUs are missing authorization for running some API commands. | 5.3 |
| 2022-07-28 | CVE-2021-22640 | Improper Restriction of Excessive Authentication Attempts vulnerability in Ovarro products An attacker can decrypt the Ovarro TBox login password by communication capture and brute force attacks. | 9.8 |
| 2022-07-28 | CVE-2021-22642 | Resource Exhaustion vulnerability in Ovarro products An attacker could use specially crafted invalid Modbus frames to crash the Ovarro TBox system. | 7.5 |
| 2022-07-28 | CVE-2021-22644 | Use of Hard-coded Credentials vulnerability in Ovarro products Ovarro TBox TWinSoft uses the custom hardcoded user “TWinSoft” with a hardcoded key. | 9.8 |
| 2022-07-28 | CVE-2021-22646 | Unspecified vulnerability in Ovarro products The “ipk” package containing the configuration created by TWinSoft can be uploaded, extracted, and executed in Ovarro TBox, allowing malicious code execution. | 9.8 |