View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Moxa Equipment: MXview One, MXview One Central Manager Series Vulnerabilities: Cleartext Storage In A File or On Disk, Path Traversal, Time-of-Check Time-of-Use Race Condition 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to expose local credentials and write arbitrary files to the system, resulting in execution of malicious code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Moxa products are affected: MXview One Series: Versions 1.4.0 and prior MXview One Central Manager Series: Version 1.0.0 3.2 Vulnerability Overview 3.2.1 CLEARTEXT STORAGE IN A FILE OR ON DISK CWE-313 The configuration file stores credentials in cleartext. An attacker with local access rights can read or modify the configuration file, potentially resulting in the service being abused because of sensitive information exposure. CVE-2024-6785 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). A CVSS v4 score has also been calculated for CVE-2024-6785. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N). 3.2.2 PATH TRAVERSAL: '../filedir' CWE-24 The vulnerability allows an attacker to craft MQTT messages that include relative path traversal sequences, enabling…Read More