Vulnerabilities > Rockwellautomation > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-16 | CVE-2024-6325 | Incorrect Default Permissions vulnerability in Rockwellautomation Factorytalk Policy Manager 6.40.0 The v6.40 release of Rockwell Automation FactoryTalk® Policy Manager CVE-2021-22681 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1550.html and CVE-2022-1161 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html by implementing CIP security and did not update to the versions of the software CVE-2022-1161 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html and CVE-2022-1161. | 6.5 |
| 2024-07-16 | CVE-2024-6326 | Incorrect Default Permissions vulnerability in Rockwellautomation products An exposure of sensitive information vulnerability exists in the Rockwell Automation FactoryTalk® System Service. | 5.5 |
| 2023-09-12 | CVE-2023-29463 | Improper Authentication vulnerability in Rockwellautomation Pavilion8 The JMX Console within the Rockwell Automation Pavilion8 is exposed to application users and does not require authentication. | 5.4 |
| 2023-07-18 | CVE-2023-2913 | Path Traversal vulnerability in Rockwellautomation Thinmanager 13.0.0/13.0.1/13.0.2 An executable used in Rockwell Automation ThinManager ThinServer can be configured to enable an API feature in the HTTPS Server Settings. | 6.5 |
| 2023-06-13 | CVE-2023-2638 | Improper Authentication vulnerability in Rockwellautomation products Rockwell Automation's FactoryTalk System Services does not verify that a backup configuration archive is password protected. Improper authorization in FTSSBackupRestore.exe may lead to the loading of malicious configuration archives. This vulnerability may allow a local, authenticated non-admin user to craft a malicious backup archive, without password protection, that will be loaded by FactoryTalk System Services as a valid backup when a restore procedure takes places. | 5.0 |
| 2023-06-13 | CVE-2023-2639 | Origin Validation Error vulnerability in Rockwellautomation products The underlying feedback mechanism of Rockwell Automation's FactoryTalk System Services that transfers the FactoryTalk Policy Manager rules to relevant devices on the network does not verify that the origin of the communication is from a legitimate local client device. This may allow a threat actor to craft a malicious website that, when visited, will send a malicious script that can connect to the local WebSocket endpoint and wait for events as if it was a valid client device. | 4.7 |
| 2023-05-11 | CVE-2023-29022 | Cross-site Scripting vulnerability in Rockwellautomation products A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. | 5.9 |
| 2023-05-11 | CVE-2023-29023 | Cross-site Scripting vulnerability in Rockwellautomation products A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. | 6.1 |
| 2023-05-11 | CVE-2023-29024 | Cross-site Scripting vulnerability in Rockwellautomation products A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. | 6.5 |
| 2023-05-11 | CVE-2023-29025 | Cross-site Scripting vulnerability in Rockwellautomation products A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. | 5.9 |