All the vulnerabilites related to Yokogawa Electric Corporation - FAST/TOOLS
cve-2024-4105
Vulnerability from cvelistv5
Published
2024-06-26 05:25
Modified
2024-08-01 20:33
Severity ?
EPSS score ?
Summary
A vulnerability has been found in FAST/TOOLS and CI Server. The affected product's WEB HMI server's function to process HTTP requests has a security flaw (Reflected XSS) that allows the execution of malicious scripts. Therefore, if a client PC with inadequate security measures accesses a product URL containing a malicious request, the malicious script may be executed on the client PC.
The affected products and versions are as follows:
FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04
CI Server R1.01.00 to R1.03.00
References
| ▼ | URL | Tags |
|---|---|---|
| https://web-material3.yokogawa.com/1/36059/files/YSAR-24-0001-E.pdf | vendor-advisory |
Impacted products
| Vendor | Product | Version | |||||
|---|---|---|---|---|---|---|---|
| ▼ | Yokogawa Electric Corporation | FAST/TOOLS |
Version: R9.01 < |
||||
|
|||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4105",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-26T17:29:58.387431Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T17:30:23.193Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:52.203Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://web-material3.yokogawa.com/1/36059/files/YSAR-24-0001-E.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "FAST/TOOLS",
"vendor": "Yokogawa Electric Corporation",
"versions": [
{
"lessThanOrEqual": "R10.04",
"status": "affected",
"version": "R9.01",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "CI Server",
"vendor": "Yokogawa Electric Corporation",
"versions": [
{
"lessThanOrEqual": "R1.03.00",
"status": "affected",
"version": "R1.01.00",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability has been found in FAST/TOOLS and CI Server. The affected product\u0027s WEB HMI server\u0027s function to process HTTP requests has a security flaw (Reflected XSS) that allows the execution of malicious scripts. Therefore, if a client PC with inadequate security measures accesses a product URL containing a malicious request, the malicious script may be executed on the client PC.\u003cbr\u003eThe affected products and versions are as follows:\u003cbr\u003eFAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04\u003cbr\u003eCI Server R1.01.00 to R1.03.00"
}
],
"value": "A vulnerability has been found in FAST/TOOLS and CI Server. The affected product\u0027s WEB HMI server\u0027s function to process HTTP requests has a security flaw (Reflected XSS) that allows the execution of malicious scripts. Therefore, if a client PC with inadequate security measures accesses a product URL containing a malicious request, the malicious script may be executed on the client PC.\nThe affected products and versions are as follows:\nFAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04\nCI Server R1.01.00 to R1.03.00"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T05:25:04.524Z",
"orgId": "7168b535-132a-4efe-a076-338f829b2eb9",
"shortName": "YokogawaGroup"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://web-material3.yokogawa.com/1/36059/files/YSAR-24-0001-E.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7168b535-132a-4efe-a076-338f829b2eb9",
"assignerShortName": "YokogawaGroup",
"cveId": "CVE-2024-4105",
"datePublished": "2024-06-26T05:25:04.524Z",
"dateReserved": "2024-04-23T23:06:00.203Z",
"dateUpdated": "2024-08-01T20:33:52.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-4106
Vulnerability from cvelistv5
Published
2024-06-26 05:30
Modified
2024-08-01 20:33
Severity ?
EPSS score ?
Summary
A vulnerability has been found in FAST/TOOLS and CI Server. The affected products have built-in accounts with no passwords set. Therefore, if the product is operated without a password set by default, an attacker can break into the affected product.
The affected products and versions are as follows:
FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04
CI Server R1.01.00 to R1.03.00
References
| ▼ | URL | Tags |
|---|---|---|
| https://web-material3.yokogawa.com/1/36059/files/YSAR-24-0001-E.pdf | vendor-advisory |
Impacted products
| Vendor | Product | Version | |||||
|---|---|---|---|---|---|---|---|
| ▼ | Yokogawa Electric Corporation | FAST/TOOLS |
Version: R9.01 < |
||||
|
|||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:yokogawa_electric_corporation:fast_tools:r901:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fast_tools",
"vendor": "yokogawa_electric_corporation",
"versions": [
{
"lessThanOrEqual": "R10.04",
"status": "affected",
"version": "r901",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:yokogawa_electric_corporation:ci_server:r1.01.00:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ci_server",
"vendor": "yokogawa_electric_corporation",
"versions": [
{
"lessThanOrEqual": "R1.03.00",
"status": "affected",
"version": "r1.01.00",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4106",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-26T13:07:16.655100Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T13:16:08.820Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:52.203Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://web-material3.yokogawa.com/1/36059/files/YSAR-24-0001-E.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "FAST/TOOLS",
"vendor": "Yokogawa Electric Corporation",
"versions": [
{
"lessThanOrEqual": "R10.04",
"status": "affected",
"version": "R9.01",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "CI Server",
"vendor": "Yokogawa Electric Corporation",
"versions": [
{
"lessThanOrEqual": "R1.03.00",
"status": "affected",
"version": "R1.01.00",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability has been found in FAST/TOOLS and CI Server. The affected products have built-in accounts with no passwords set. Therefore, if the product is operated without a password set by default, an attacker can break into the affected product.\u003cbr\u003eThe affected products and versions are as follows:\u003cbr\u003eFAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04\u003cbr\u003eCI Server R1.01.00 to R1.03.00"
}
],
"value": "A vulnerability has been found in FAST/TOOLS and CI Server. The affected products have built-in accounts with no passwords set. Therefore, if the product is operated without a password set by default, an attacker can break into the affected product.\nThe affected products and versions are as follows:\nFAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04\nCI Server R1.01.00 to R1.03.00"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-258",
"description": "CWE-258 Empty Password in Configuration File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T05:30:33.928Z",
"orgId": "7168b535-132a-4efe-a076-338f829b2eb9",
"shortName": "YokogawaGroup"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://web-material3.yokogawa.com/1/36059/files/YSAR-24-0001-E.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7168b535-132a-4efe-a076-338f829b2eb9",
"assignerShortName": "YokogawaGroup",
"cveId": "CVE-2024-4106",
"datePublished": "2024-06-26T05:30:33.928Z",
"dateReserved": "2024-04-23T23:06:05.616Z",
"dateUpdated": "2024-08-01T20:33:52.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
jvndb-2014-000141
Vulnerability from jvndb
Published
2014-11-28 14:54
Modified
2014-12-10 10:16
Summary
FAST/TOOLS vulnerable to improper restriction of XML external entity references
Details
FAST/TOOLS provided by Yokogawa Electric Corporation contains a vulnerability where XML external entity (XXE) references are not properly restricted (CWE-611).
Timur Yunusov, Alexey Osipov and Ilya Karpov of Positive Technologies reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/jp/JVN54775800/index.html | |
| CVE | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7251 | |
| NVD | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7251 | |
| ICS-CERT ADVISORY | https://ics-cert.us-cert.gov/advisories/ICSA-14-343-01 | |
| No Mapping(CWE-Other) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html | |
| Improper Input Validation(CWE-20) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Yokogawa Electric Corporation | FAST/TOOLS |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000141.html",
"dc:date": "2014-12-10T10:16+09:00",
"dcterms:issued": "2014-11-28T14:54+09:00",
"dcterms:modified": "2014-12-10T10:16+09:00",
"description": "FAST/TOOLS provided by Yokogawa Electric Corporation contains a vulnerability where XML external entity (XXE) references are not properly restricted (CWE-611).\r\n\r\nTimur Yunusov, Alexey Osipov and Ilya Karpov of Positive Technologies reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000141.html",
"sec:cpe": {
"#text": "cpe:/a:yokogawa:scada_software_%28fast%2ftools%29",
"@product": "FAST/TOOLS",
"@vendor": "Yokogawa Electric Corporation",
"@version": "2.2"
},
"sec:cvss": {
"@score": "2.4",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:L/AC:H/Au:S/C:P/I:N/A:P",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2014-000141",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN54775800/index.html",
"@id": "JVN#54775800",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7251",
"@id": "CVE-2014-7251",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7251",
"@id": "CVE-2014-7251",
"@source": "NVD"
},
{
"#text": "https://ics-cert.us-cert.gov/advisories/ICSA-14-343-01",
"@id": "ICSA-14-343-01",
"@source": "ICS-CERT ADVISORY"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-20",
"@title": "Improper Input Validation(CWE-20)"
}
],
"title": "FAST/TOOLS vulnerable to improper restriction of XML external entity references"
}