Vulnerabilities > Rockwellautomation

DATE CVE VULNERABILITY TITLE RISK
2023-08-17 CVE-2023-2917 Path Traversal vulnerability in Rockwellautomation Thinmanager Thinserver 13.1.0
The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability.  Due to an improper input validation, a path traversal vulnerability exists, via the filename field, when the ThinManager processes a certain function.
network
low complexity
rockwellautomation CWE-22
critical
9.8
2023-08-08 CVE-2023-2423 Incorrect Calculation vulnerability in Rockwellautomation Armor Powerflex Firmware 1.003
A vulnerability was discovered in the Rockwell Automation Armor PowerFlex device when the product sends communications to the local event log.
network
low complexity
rockwellautomation CWE-682
7.5
2023-07-18 CVE-2023-2913 Path Traversal vulnerability in Rockwellautomation Thinmanager 13.0.0/13.0.1/13.0.2
An executable used in Rockwell Automation ThinManager ThinServer can be configured to enable an API feature in the HTTPS Server Settings.
network
low complexity
rockwellautomation CWE-22
6.5
2023-07-18 CVE-2023-2263 Resource Exhaustion vulnerability in Rockwellautomation Kinetix 5700 Firmware 13.001
The Rockwell Automation Kinetix 5700 DC Bus Power Supply Series A is vulnerable to CIP fuzzing.
network
low complexity
rockwellautomation CWE-400
7.5
2023-07-12 CVE-2023-3595 Out-of-bounds Write vulnerability in Rockwellautomation products
Where this vulnerability exists in the Rockwell Automation 1756 EN2* and 1756 EN3* ControlLogix communication products, it could allow a malicious user to perform remote code execution with persistence on the target system through maliciously crafted CIP messages.
network
low complexity
rockwellautomation CWE-787
critical
9.8
2023-07-12 CVE-2023-3596 Out-of-bounds Write vulnerability in Rockwellautomation products
Where this vulnerability exists in the Rockwell Automation 1756-EN4* Ethernet/IP communication products, it could allow a malicious user to cause a denial of service by asserting the target system through maliciously crafted CIP messages.
network
low complexity
rockwellautomation CWE-787
7.5
2023-07-11 CVE-2023-2072 Cross-site Scripting vulnerability in Rockwellautomation Powermonitor 1000 Firmware
The Rockwell Automation PowerMonitor 1000 contains stored cross-site scripting vulnerabilities within the web page of the product.
network
low complexity
rockwellautomation CWE-79
8.8
2023-07-11 CVE-2023-2746 Cross-Site Request Forgery (CSRF) vulnerability in Rockwellautomation Enhanced HIM 1.001
The Rockwell Automation Enhanced HIM software contains an API that the application uses that is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings and, as a result, is vulnerable to a Cross Site Request Forgery (CSRF) attack.
network
low complexity
rockwellautomation CWE-352
critical
9.6
2023-06-13 CVE-2023-2637 Use of Hard-coded Credentials vulnerability in Rockwellautomation products
Rockwell Automation's FactoryTalk System Services uses a hard-coded cryptographic key to generate administrator cookies.  Hard-coded cryptographic key may lead to privilege escalation.  This vulnerability may allow a local, authenticated non-admin user to generate an invalid administrator cookie giving them administrative privileges to the FactoryTalk Policy Manger database.
local
low complexity
rockwellautomation CWE-798
8.2
2023-06-13 CVE-2023-2638 Improper Authentication vulnerability in Rockwellautomation products
Rockwell Automation's FactoryTalk System Services does not verify that a backup configuration archive is password protected.   Improper authorization in FTSSBackupRestore.exe may lead to the loading of malicious configuration archives.  This vulnerability may allow a local, authenticated non-admin user to craft a malicious backup archive, without password protection, that will be loaded by FactoryTalk System Services as a valid backup when a restore procedure takes places.
local
low complexity
rockwellautomation CWE-287
5.0