Pepperl-fuchsCVEs & Vulnerabilities

27 CVEs affecting Pepperl-fuchs products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

wha-gw-f2d2-0-as-z2-eth firmware 9wha-gw-f2d2-0-as-z2-eth 8wha-gw-f2d2-0-as-z2-eth.eip firmware 7wha-gw-f2d2-0-as-z2-eth.eip 6es7506 5es7506 firmware 5es7510-xt firmware 5es7510-xt 5
CVE-2024-5849HIGH

An unauthenticated remote attacker may use a reflected XSS vulnerability to obtain information from a user or reboot the affected device once.

13 Aug 2024
7.1
CVSS
CVE-2024-38502HIGH

An unauthenticated remote attacker may use stored XSS vulnerability to obtain information from a user or reboot the affected device once.

13 Aug 2024
7.1
CVSS
CVE-2024-38501MEDIUM

An unauthenticated remote attacker may use a HTML injection vulnerability with limited length to inject malicious HTML code and gain low-privileged access on the affected device.

13 Aug 2024
6.1
CVSS
CVE-2024-6422CRITICAL

An unauthenticated remote attacker can manipulate the device via Telnet, stop processes, read, delete and change data.

10 Jul 2024
9.8
CVSS
CVE-2024-6421HIGH

An unauthenticated remote attacker can read out sensitive device information through a incorrectly configured FTP service.

10 Jul 2024
7.5
CVSS
CVE-2021-34565CRITICAL

In PEPPERL+FUCHS WirelessHART-Gateway 3.0.7 to 3.0.9 the SSH and telnet services are active with hard-coded credentials.

31 Aug 2021
9.8
CVSS
CVE-2021-34564MEDIUM

Any cookie-stealing vulnerabilities within the application or browser would enable an attacker to steal the user's credentials to the PEPPERL+FUCHS WirelessHART-Gateway 3.0.9.

31 Aug 2021
5.5
CVSS
CVE-2021-34563LOW

In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 and 3.0.9 the HttpOnly attribute is not set on a cookie. This allows the cookie's value to be read or set by client-side JavaScript.

31 Aug 2021
3.3
CVSS
CVE-2021-34562MEDIUM

In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 it is possible to inject arbitrary JavaScript into the application's response.

31 Aug 2021
6.1
CVSS
CVE-2021-34561HIGH

In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 serious issue exists, if the application is not externally accessible or uses IP-based access restrictions. Attackers can use DNS Rebinding to bypass any IP or firewall based access restrictions that may be in place, by proxying through their target's browser.

31 Aug 2021
8.8
CVSS
CVE-2021-34560MEDIUM

In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.9 a form contains a password field with autocomplete enabled. The stored credentials can be captured by an attacker who gains control over the user's computer. Therefore the user must have logged in at least once.

31 Aug 2021
5.5
CVSS
CVE-2021-34559MEDIUM

In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 a vulnerability may allow remote attackers to rewrite links and URLs in cached pages to arbitrary strings.

31 Aug 2021
5.3
CVSS
CVE-2021-33555HIGH

In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.7 the filename parameter is vulnerable to unauthenticated path traversal attacks, enabling read access to arbitrary files on the server.

31 Aug 2021
7.5
CVSS
CVE-2021-20988HIGH

In Hilscher rcX RTOS versions prios to V2.1.14.1 the actual UDP packet length is not verified against the length indicated by the packet. This may lead to a denial of service of the affected device.

13 May 2021
7.5
CVSS
CVE-2021-20987HIGH

A denial of service and memory corruption vulnerability was found in Hilscher EtherNet/IP Core V2 prior to V2.13.0.21that may lead to code injection through network or make devices crash without recovery.

16 Feb 2021
8.6
CVSS
CVE-2021-20986HIGH

A Denial of Service vulnerability was found in Hilscher PROFINET IO Device V3 in versions prior to V3.14.0.7. This may lead to unexpected loss of cyclic communication or interruption of acyclic communication.

16 Feb 2021
7.5
CVSS
CVE-2020-12525HIGH

M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.

22 Jan 2021
7.8
CVSS
CVE-2020-12514MEDIUM

Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd

22 Jan 2021
4.9
CVSS
CVE-2020-12513HIGH

Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.

22 Jan 2021
8.8
CVSS
CVE-2020-12512MEDIUM

Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting

22 Jan 2021
5.4
CVSS
CVE-2020-12511HIGH

Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.

22 Jan 2021
8.8
CVSS
CVE-2020-12504CRITICAL

Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3 and below has an active TFTP-Service.

15 Oct 2020
9.8
CVSS
CVE-2020-12503HIGH

Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3 and below is prone to multiple authenticated command injections.

15 Oct 2020
7.2
CVSS
CVE-2020-12502HIGH

Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G-DIN, ICRL-M-16RJ45/4CP-G-DIN FW 1.2.3 and below is prone to unauthenticated device administration.

15 Oct 2020
8.8
CVSS
CVE-2020-12501CRITICAL

Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) use undocumented accounts.

15 Oct 2020
9.8
CVSS
CVE-2020-12500CRITICAL

Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) allows unauthenticated device administration.

15 Oct 2020
9.8
CVSS
CVE-2017-5753MEDIUMpoc

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

4 Jan 2018
5.6
CVSS
← PrevPage 1 / 1Next →