All legitimate local Microsoft Windows users can read or modify files that are located in the working directory of the affected CODESYS products, even if they are executed under a different user or in the system context.
The CODESYS OPC UA stack of the CODESYS Control runtime system may incorrectly calculate the required buffer size for received requests/responses. This can lead to a crash of the CODESYS runtime system during the subsequent initialization of the receive buffer with zero.
Update: 10.07.2024 In the Remediation section, the release date of the update has been deleted as the update is now available.
moneo "Forgot Password" function has a vulnerability which allows gaining privileged access.
The WAGO Navigator versions 1.0.1 and 1.0 are vulnerable due to the use of the WiX toolset version 3.11.2.
The following vulnerabilities are published with reference to CODESYS Advisory 2023-05, CODESYS Advisory 2023-06 and CODESYS Advisory 2023-09
Multiple vulnerabilities have been discovered in the Firmware of CHARX SEC charge controllers.
Update: credis have been updated
Local attackers can cause affected CODESYS Development System V2.3 installations to crash or execute code by opening malicious project files.
The CODESYS Development System V2.3 is an IEC 61131-3 programming tool for the industrial controller and automation technology sector. It stores the program code for the controller and its configuration in project files (*.pro).
Welotec has been informed by an external source that the WebUI of the device management solution "SMART EMS" and the remote connectivity solution "VPN Security Suite" is vulnerable to so-called "Clickjacking" and advises to update to version v3.1.4 or later.