SB20240417126 - Multiple vulnerabilities in Electrolink FM/DAB/TV Transmitter



Published: April 17, 2024

Security Bulletin ID: SB20240417126
Severity: Medium
Patch available: No
Number of vulnerabilities: 7
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 7 security vulnerabilities.


1) Improper Authentication (CVE-ID: CVE-2024-3741)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an authentication bypass in the login cookie. A remote attacker can set the login cookie to any value other than "NO" and gain full system access.


2) Improper Authentication (CVE-ID: CVE-2024-22179)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to unauthenticated parameter manipulation. A remote attacker can set the credentials to blank, which gives them access to the admin panel.


3) Reliance on Cookies without Validation and Integrity Checking (CVE-ID: CVE-2024-22186)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to reliance on cookies without validation and integrity checking. A remote user can poison the cookie to become an administrator.


4) Reliance on Cookies without Validation and Integrity Checking (CVE-ID: CVE-2024-21872)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to reliance on cookies without validation and integrity checking. A remote attacker can bypass authentication and modify the cookie to reveal hidden pages.
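
The cookie flaws in items 1, 3 and 4 share one root cause: the server trusts a value the client controls. The following is an added example, not code from this bulletin or from the vendor's firmware; it models the flawed check beside an HMAC-signed cookie that the server can verify. The function names, cookie layout, key handling and TTL are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-device secret generated at first boot, never sent to clients.
SERVER_KEY = secrets.token_bytes(32)
SESSION_TTL = 900  # seconds; constructed value


def vulnerable_is_logged_in(cookie_value):
    """Model of the flawed check: the client-supplied cookie is trusted
    as-is, and only the literal "NO" is treated as logged out."""
    return cookie_value is not None and cookie_value != "NO"


def _tag(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(role, now=None):
    """Issue 'role|expiry|tag' only after a successful credential check."""
    expiry = int(now if now is not None else time.time()) + SESSION_TTL
    payload = f"{role}|{expiry}"
    return f"{payload}|{_tag(payload)}"


def verify_cookie(cookie_value, now=None):
    """Return the authenticated role, or None when the cookie is missing,
    malformed, tampered with or expired."""
    if not cookie_value:
        return None
    parts = cookie_value.split("|")
    if len(parts) != 3:
        return None
    role, expiry, tag = parts
    expected = _tag(f"{role}|{expiry}")
    # Constant-time comparison; no field is parsed before the tag checks out.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if int(expiry) < int(now if now is not None else time.time()):
        return None
    return role
```

A random session identifier looked up in a server-side table is an equally valid fix and also allows revocation; either way the role and login state must never be taken from the cookie unverified.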


5) Missing Authentication for Critical Function (CVE-ID: CVE-2024-21846)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a missing authentication check. A remote attacker can send a specially crafted GET request and cause a denial of service condition on the target system.


6) Missing Authentication for Critical Function (CVE-ID: CVE-2024-1491)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because the affected devices expose an unprotected endpoint that allows an MPFS file system binary image to be uploaded without authentication. A remote attacker can overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.


7) Cleartext storage of sensitive information (CVE-ID: CVE-2024-3742)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to cleartext storage of sensitive information. A remote attacker can obtain user credentials.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.