The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2021-32962 | The AGG Software Web Server version 4.0.40.1014 and prior is vulnerable to cross-site scripting, which may allow an attacker to remotely execute arbitrary code. | MEDIUM | May 24, 2022 |
| CVE-2021-32963 | Null pointer dereference in SuiteLink server while processing commands 0x03/0x10 | MEDIUM | Sep 23, 2021 |
| CVE-2021-32964 | The AGG Software Web Server version 4.0.40.1014 and prior is vulnerable to a path traversal attack, which may allow an attacker to read arbitrary files from the file system. | MEDIUM | May 24, 2022 |
| CVE-2021-32965 | Delta Electronics DIAScreen versions prior to 1.1.0 are vulnerable to type confusion, which may allow an attacker to remotely execute arbitrary code. | MEDIUM | May 24, 2022 |
| CVE-2021-32966 | Philips Interoperability Solution XDS versions 2.5 through 3.11 and 2018-1 through 2021-1 are vulnerable to clear text transmission of sensitive information when configured to use LDAP via TLS and where the domain controller returns LDAP referrals, which may allow an attacker to remotely read LDAP system credentials. | MEDIUM | May 25, 2022 |
| CVE-2021-32967 | Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges. | HIGH | Sep 3, 2021 |
| CVE-2021-32968 | Two buffer overflows in the built-in web server in Moxa NPort IAW5000A-I/O Series firmware version 2.2 or earlier may allow a remote attacker to cause a denial-of-service condition. | MEDIUM | Apr 2, 2022 |
| CVE-2021-32969 | Delta Electronics DIAScreen versions prior to 1.1.0 are vulnerable to an out-of-bounds write condition, which may result in a system crash or allow an attacker to remotely execute arbitrary code. | MEDIUM | May 24, 2022 |
| CVE-2021-32970 | Data can be copied without validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier, which may allow a remote attacker to cause denial-of-service conditions. | HIGH | Apr 2, 2022 |
| CVE-2021-32971 | Null pointer dereference in SuiteLink server while processing command 0x07 | MEDIUM | Sep 23, 2021 |
| CVE-2021-32972 | Panasonic FPWIN Pro, all Versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow the attacker to disclose information that is accessible in the context of the user executing software. | MEDIUM | Jul 9, 2021 |
| CVE-2021-32974 | Improper input validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to execute commands. | HIGH | Apr 2, 2022 |
| CVE-2021-32975 | Cscape (All Versions prior to 9.90 SP5) lacks proper validation of user-supplied data when parsing project files. This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to execute code in the context of the current process. | MEDIUM | Aug 25, 2021 |
| CVE-2021-32976 | Five buffer overflows in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to initiate a denial-of-service attack and execute arbitrary code. | HIGH | Apr 2, 2022 |
| CVE-2021-32977 | AVEVA System Platform versions 2017 through 2020 R2 P01 does not verify, or incorrectly verifies, the cryptographic signature for data. | MEDIUM | Apr 5, 2022 |
| CVE-2021-32978 | The programming protocol allows for a previously entered password and lock state to be read by an attacker. If the previously entered password was successful, the attacker can then use the password to unlock Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00. | MEDIUM | Apr 5, 2022 |
| CVE-2021-32979 | Null pointer dereference in SuiteLink server while processing commands 0x04/0x0a | MEDIUM | Sep 23, 2021 |
| CVE-2021-32980 | Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 does not protect against additional software programming connections. An attacker can connect to the PLC while an existing connection is already active. | HIGH | Apr 5, 2022 |
| CVE-2021-32981 | AVEVA System Platform versions 2017 through 2020 R2 P01 uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. | MEDIUM | Apr 5, 2022 |
| CVE-2021-32982 | Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 passwords are sent as plaintext during unlocking and project transfers. An attacker who has network visibility can observe the password exchange. | MEDIUM | Apr 5, 2022 |
| CVE-2021-32983 | A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter keyword before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\\MSSQLSERVER. | HIGH | Sep 3, 2021 |
| CVE-2021-32984 | All programming connections receive the same unlocked privileges, which can result in a privilege escalation. During the time Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, an attacker can connect to the PLC and read the project without authorization. | HIGH | Apr 5, 2022 |
| CVE-2021-32985 | AVEVA System Platform versions 2017 through 2020 R2 P01 does not properly verify that the source of data or communication is valid. | MEDIUM | Apr 5, 2022 |
| CVE-2021-32986 | After Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, the unlocked state does not timeout. If the programming software is interrupted, the PLC remains unlocked. All subsequent programming connections are allowed without authorization. The PLC is only relocked by a power cycle, or when the programming software disconnects correctly. | HIGH | Apr 5, 2022 |
| CVE-2021-32987 | Null pointer dereference in SuiteLink server while processing command 0x0b | MEDIUM | Sep 23, 2021 |
| CVE-2021-32988 | FATEK Automation WinProladder Versions 3.30 and prior are vulnerable to an out-of-bounds write, which may allow an attacker to execute arbitrary code. | HIGH | Jul 2, 2021 |
| CVE-2021-32989 | When a non-existent resource is requested, the LCDS LAquis SCADA application (version 4.3.1.1011 and prior) returns error messages which may allow reflected cross-site scripting. | MEDIUM | May 25, 2022 |
| CVE-2021-32990 | FATEK Automation WinProladder Versions 3.30 and prior are vulnerable to an out-of-bounds read, which may allow an attacker to execute arbitrary code. | HIGH | Jul 2, 2021 |
| CVE-2021-32991 | Delta Electronics DIAEnergie Version 1.7.5 and prior is vulnerable to cross-site request forgery, which may allow an attacker to cause a user to carry out an action unintentionally. | MEDIUM | Sep 3, 2021 |
| CVE-2021-32992 | FATEK Automation WinProladder Versions 3.30 and prior do not properly restrict operations within the bounds of a memory buffer, which may allow an attacker to execute arbitrary code. | HIGH | Jul 2, 2021 |
| CVE-2021-32993 | IntelliBridge EC 40 and 60 Hub (C.00.04 and prior) contains hard-coded credentials, such as a password or a cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | MEDIUM | Dec 27, 2021 |
| CVE-2021-32994 | Softing OPC UA C++ SDK (Software Development Kit) versions from 5.59 to 5.64 exported library functions don\'t properly validate received extension objects, which may allow an attacker to crash the software by sending a variety of specially crafted packets to access several unexpected memory locations. | MEDIUM | Apr 5, 2022 |
| CVE-2021-32995 | Cscape (All Versions prior to 9.90 SP5) lacks proper validation of user-supplied data when parsing project files. This could lead to an out-of-bounds write. An attacker could leverage this vulnerability to execute code in the context of the current process. | MEDIUM | Aug 25, 2021 |
| CVE-2021-32996 | The FANUC R-30iA and R-30iB series controllers are vulnerable to integer coercion errors, which cause the device to crash. A restart is required. | HIGH | Jan 13, 2022 |
| CVE-2021-32997 | The affected Baker Hughes Bentley Nevada products (3500 System 1 6.x, Part No. 3060/00 versions 6.98 and prior, 3500 System 1, Part No. 3071/xx & 3072/xx versions 21.1 HF1 and prior, 3500 Rack Configuration, Part No. 129133-01 versions 6.4 and prior, and 3500/22M Firmware, Part No. 288055-01 versions 5.05 and prior) utilize a weak encryption algorithm for storage and transmission of sensitive data, which may allow an attacker to more easily obtain credentials used for access. | MEDIUM | May 25, 2022 |
| CVE-2021-32998 | The FANUC R-30iA and R-30iB series controllers are vulnerable to an out-of-bounds write, which may allow an attacker to remotely execute arbitrary code. INIT START/restore from backup required. | HIGH | Jan 13, 2022 |
| CVE-2021-32999 | Improper handling of exceptional conditions in SuiteLink server while processing command 0x01 | MEDIUM | Sep 23, 2021 |
| CVE-2021-33000 | Parsing a maliciously crafted project file may cause a heap-based buffer overflow, which may allow an attacker to perform arbitrary code execution. User interaction is required on the WebAccess HMI Designer (versions 2.1.9.95 and prior). | MEDIUM | Jun 24, 2021 |
| CVE-2021-33001 | xArrow SCADA versions 7.2 and prior is vulnerable to cross-site scripting due to parameter ‘bdate’ of the resource xhisvalue.htm, which may allow an unauthorized attacker to execute arbitrary code. | MEDIUM | May 16, 2022 |
| CVE-2021-33002 | Opening a maliciously crafted project file may cause an out-of-bounds write, which may allow an attacker to execute arbitrary code. User interaction is require on the WebAccess HMI Designer (versions 2.1.9.95 and prior). | MEDIUM | Jun 24, 2021 |
| CVE-2021-33003 | Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to retrieve passwords in cleartext due to a weak hashing algorithm. | LOW | Sep 3, 2021 |
| CVE-2021-33004 | The affected product is vulnerable to memory corruption condition due to lack of proper validation of user supplied files, which may allow an attacker to execute arbitrary code. User interaction is required on the WebAccess HMI Designer (versions 2.1.9.95 and prior). | MEDIUM | Jun 24, 2021 |
| CVE-2021-33005 | mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories. | MEDIUM | May 13, 2022 |
| CVE-2021-33007 | A heap-based buffer overflow in Delta Electronics TPEditor: v1.98.06 and prior may be exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code. | MEDIUM | Sep 3, 2021 |
| CVE-2021-33008 | AVEVA System Platform versions 2017 through 2020 R2 P01 does not perform any authentication for functionality that requires a provable user identity. | HIGH | Apr 5, 2022 |
| CVE-2021-33009 | mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to the file system. | MEDIUM | May 13, 2022 |
| CVE-2021-33010 | An exception is thrown from a function in AVEVA System Platform versions 2017 through 2020 R2 P01, but it is not caught, which may cause a denial-of-service condition. | MEDIUM | Apr 5, 2022 |
| CVE-2021-33011 | All versions of the afffected TOYOPUC-PC10 Series,TOYOPUC-Plus Series,TOYOPUC-PC3J/PC2J Series, TOYOPUC-Nano Series products may not be able to properly process an ICMP flood, which may allow an attacker to deny Ethernet communications between affected devices. | LOW | Sep 10, 2021 |
| CVE-2021-33012 | Rockwell Automation MicroLogix 1100, all versions, allows a remote, unauthenticated attacker sending specially crafted commands to cause the PLC to fault when the controller is switched to RUN mode, which results in a denial-of-service condition. If successfully exploited, this vulnerability will cause the controller to fault whenever the controller is switched to RUN mode. | MEDIUM | Jul 9, 2021 |
| CVE-2021-33013 | mySCADA myPRO versions prior to 8.20.0 does not restrict unauthorized read access to sensitive system information. | MEDIUM | May 13, 2022 |
