var-202201-0605
Vulnerability from variot
Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL. Mitsubishi Electric MC Works64 and ICONICS MobileHMI Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. An attacker could exploit this vulnerability to execute JavaScript code on the client side
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202201-0605", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "mobilehmi", "scope": "lte", "trust": 1.0, "vendor": "iconics", "version": "10.96.2" }, { "model": "mc works64", "scope": "lt", "trust": 1.0, "vendor": "mitsubishielectric", "version": "10.95.210.01" }, { "model": "mc works64", "scope": "lte", "trust": 0.8, "vendor": "\u4e09\u83f1\u96fb\u6a5f", "version": "4.04e (10.95.210.01) and earlier" }, { "model": "mobilehmi", "scope": null, "trust": 0.8, "vendor": "iconics", "version": null }, { "model": "electric mc works64", "scope": "lt", "trust": 0.6, "vendor": "mitsubishi", "version": "10.95.210.01" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08219" }, { "db": "JVNDB", "id": "JVNDB-2022-003885" }, { "db": "NVD", "id": "CVE-2022-23127" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:iconics:mobilehmi:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "10.96.2", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "10.95.210.01", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2022-23127" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "ICONICS and Mitsubishi Electric reported these vulnerabilities to CISA.", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-1854" } ], "trust": 0.6 }, "cve": "CVE-2022-23127", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "exploitabilityScore": 8.6, "impactScore": 2.9, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": true, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Medium", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "None", "baseScore": 4.3, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2022-23127", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "exploitabilityScore": 8.6, "id": "CNVD-2022-08219", "impactScore": 2.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitabilityScore": 2.8, "impactScore": 2.7, "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "trust": 1.0, "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 6.1, "baseSeverity": "Medium", "confidentialityImpact": "Low", "exploitabilityScore": null, "id": "CVE-2022-23127", "impactScore": null, "integrityImpact": "Low", "privilegesRequired": "None", "scope": "Changed", "trust": 0.8, "userInteraction": "Required", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2022-23127", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNVD", "id": "CNVD-2022-08219", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202201-1854", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2022-23127", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08219" }, { "db": "VULMON", "id": "CVE-2022-23127" }, { "db": "JVNDB", "id": "JVNDB-2022-003885" }, { "db": "CNNVD", "id": "CNNVD-202201-1854" }, { "db": "NVD", "id": "CVE-2022-23127" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL. Mitsubishi Electric MC Works64 and ICONICS MobileHMI Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. An attacker could exploit this vulnerability to execute JavaScript code on the client side", "sources": [ { "db": "NVD", "id": "CVE-2022-23127" }, { "db": "JVNDB", "id": "JVNDB-2022-003885" }, { "db": "CNVD", "id": "CNVD-2022-08219" }, { "db": "VULMON", "id": "CVE-2022-23127" } ], "trust": 2.25 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-23127", "trust": 3.9 }, { "db": "ICS CERT", "id": "ICSA-22-020-01", "trust": 2.5 }, { "db": "JVN", "id": "JVNVU95403720", "trust": 2.5 }, { "db": "JVNDB", "id": "JVNDB-2022-003885", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2022-08219", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.0311", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022012109", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202201-1854", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2022-23127", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08219" }, { "db": "VULMON", "id": "CVE-2022-23127" }, { "db": "JVNDB", "id": "JVNDB-2022-003885" }, { "db": "CNNVD", "id": "CNNVD-202201-1854" }, { "db": "NVD", "id": "CVE-2022-23127" } ] }, "id": "VAR-202201-0605", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2022-08219" } ], "trust": 1.6 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "ICS" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08219" } ] }, "last_update_date": "2024-02-13T22:46:25.837000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top\u00a0Page Mitsubishi Electric Mitsubishi\u00a0Electric\u00a0Corporation", "trust": 0.8, "url": "https://iconics.com/" }, { "title": "Patch for Mitsubishi Electric MC Works64 Cross-Site Scripting Vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/317286" }, { "title": "Mitsubishi Electric MC Works64 Fixes for cross-site scripting vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=179842" }, { "title": "CVE-2022-XXXX", "trust": 0.1, "url": "https://github.com/alphabugx/cve-2022-23305 " }, { "title": "CVE-2022-XXXX", "trust": 0.1, "url": "https://github.com/alphabugx/cve-2022-rce " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08219" }, { "db": "VULMON", "id": "CVE-2022-23127" }, { "db": "JVNDB", "id": "JVNDB-2022-003885" }, { "db": "CNNVD", "id": "CNNVD-202201-1854" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-79", "trust": 1.0 }, { "problemtype": "Cross-site scripting (CWE-79) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-003885" }, { "db": "NVD", "id": "CVE-2022-23127" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.8, "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01" }, { "trust": 1.7, "url": "https://jvn.jp/vu/jvnvu95403720/index.html" }, { "trust": 1.7, "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23127" }, { "trust": 1.2, "url": "https://vigilance.fr/vulnerability/iconics-genesis64-four-vulnerabilities-37339" }, { "trust": 0.8, "url": "https://jvn.jp/vu/jvnvu95403720/" }, { "trust": 0.8, "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-020-01" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.0311" }, { "trust": 0.6, "url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022012109" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/79.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://github.com/alphabugx/cve-2022-23305" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08219" }, { "db": "VULMON", "id": "CVE-2022-23127" }, { "db": "JVNDB", "id": "JVNDB-2022-003885" }, { "db": "CNNVD", "id": "CNNVD-202201-1854" }, { "db": "NVD", "id": "CVE-2022-23127" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2022-08219" }, { "db": "VULMON", "id": "CVE-2022-23127" }, { "db": "JVNDB", "id": "JVNDB-2022-003885" }, { "db": "CNNVD", "id": "CNNVD-202201-1854" }, { "db": "NVD", "id": "CVE-2022-23127" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-02-03T00:00:00", "db": "CNVD", "id": "CNVD-2022-08219" }, { "date": "2022-01-21T00:00:00", "db": "VULMON", "id": "CVE-2022-23127" }, { "date": "2023-03-10T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-003885" }, { "date": "2022-01-20T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-1854" }, { "date": "2022-01-21T19:15:09.913000", "db": "NVD", "id": "CVE-2022-23127" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-02-03T00:00:00", "db": "CNVD", "id": "CNVD-2022-08219" }, { "date": "2022-01-27T00:00:00", "db": "VULMON", "id": "CVE-2022-23127" }, { "date": "2023-03-10T03:26:00", "db": "JVNDB", "id": "JVNDB-2022-003885" }, { "date": "2022-02-14T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-1854" }, { "date": "2022-01-27T20:03:06.297000", "db": "NVD", "id": "CVE-2022-23127" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-1854" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Mitsubishi Electric MC Works64 Cross-Site Scripting Vulnerability", "sources": [ { "db": "CNVD", "id": "CNVD-2022-08219" }, { "db": "CNNVD", "id": "CNNVD-202201-1854" } ], "trust": 1.2 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "XSS", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-1854" } ], "trust": 0.6 } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.