Vulnerabilities > Siemens

DATE CVE VULNERABILITY TITLE RISK
2016-01-30 CVE-2016-1488 Cross-site Scripting vulnerability in Siemens Ozw672 Firmware and Ozw772 Firmware
Cross-site scripting (XSS) vulnerability in the login form in the integrated web server on Siemens OZW OZW672 devices before 6.00 and OZW772 devices before 6.00 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
network
low complexity
siemens CWE-79
6.1
2016-01-26 CVE-2015-7974 Improper Authentication vulnerability in multiple products
NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
network
low complexity
ntp siemens netapp debian CWE-287
7.7
2014-06-05 CVE-2014-0224 Inadequate Encryption Strength vulnerability in multiple products
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
7.4
2014-04-07 CVE-2014-0160 Out-of-bounds Read vulnerability in multiple products
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
7.5
2010-07-22 CVE-2010-2772 Use of Hard-coded Credentials vulnerability in Siemens Simatic PCS 7 and Simatic Wincc
Siemens Simatic WinCC and PCS 7 SCADA system uses a hard-coded password, which allows local users to access a back-end database and gain privileges, as demonstrated in the wild in July 2010 by the Stuxnet worm, a different vulnerability than CVE-2010-2568.
local
low complexity
siemens CWE-798
7.8
2003-04-22 CVE-2002-1484 Server-Side Request Forgery (SSRF) vulnerability in Siemens Db4Web 3.4/3.6
DB4Web server, when configured to use verbose debug messages, allows remote attackers to use DB4Web as a proxy and attempt TCP connections to other systems (port scan) via a request for a URL that specifies the target IP address and port, which produces a connection status in the resulting error message.
network
low complexity
siemens CWE-918
critical
9.8