MidnightBSD

Advisories for doverfuelingsolutions

CVE-2023-36497

Dover Fueling Solutions MAGLINK LX Web Console Configuration versions 2.5.1, 2.5.2, 2.5.3, 2.6.1, 2.11, 3.0, 3.2, and 3.3 could allow a guest user to elevate to admin privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
ics-cert@hq.dhs.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
doverfuelingsolutions maglink_lx_web_console_configuration 2.5.1
doverfuelingsolutions maglink_lx_web_console_configuration 3.2
doverfuelingsolutions maglink_lx_web_console_configuration 2.11
doverfuelingsolutions maglink_lx_web_console_configuration 3.0
doverfuelingsolutions maglink_lx_web_console_configuration 2.5.3
doverfuelingsolutions maglink_lx_web_console_configuration 2.6.1
doverfuelingsolutions maglink_lx_web_console_configuration 2.5.2
doverfuelingsolutions maglink_lx_web_console_configuration 3.3
CVE-2023-38256

Dover Fueling Solutions MAGLINK LX Web Console Configuration versions 2.5.1, 2.5.2, 2.5.3, 2.6.1, 2.11, 3.0, 3.2, and 3.3 vulnerable to a path traversal attack, which could allow an attacker to access files stored on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N 2.3 4.0
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
doverfuelingsolutions maglink_lx_web_console_configuration 2.5.1
doverfuelingsolutions maglink_lx_web_console_configuration 3.2
doverfuelingsolutions maglink_lx_web_console_configuration 2.11
doverfuelingsolutions maglink_lx_web_console_configuration 3.0
doverfuelingsolutions maglink_lx_web_console_configuration 2.5.3
doverfuelingsolutions maglink_lx_web_console_configuration 2.6.1
doverfuelingsolutions maglink_lx_web_console_configuration 2.5.2
doverfuelingsolutions maglink_lx_web_console_configuration 3.3
CVE-2023-41256

Dover Fueling Solutions MAGLINK LX Web Console Configuration versions 2.5.1, 2.5.2, 2.5.3, 2.6.1, 2.11, 3.0, 3.2, and 3.3 are vulnerable to authentication bypass that could allow an unauthorized attacker to obtain user access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2
ics-cert@hq.dhs.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

Products Affected

Vendor Product Version
doverfuelingsolutions maglink_lx_web_console_configuration 2.5.1
doverfuelingsolutions maglink_lx_web_console_configuration 3.2
doverfuelingsolutions maglink_lx_web_console_configuration 2.11
doverfuelingsolutions maglink_lx_web_console_configuration 3.0
doverfuelingsolutions maglink_lx_web_console_configuration 2.5.3
doverfuelingsolutions maglink_lx_web_console_configuration 2.6.1
doverfuelingsolutions maglink_lx_web_console_configuration 2.5.2
doverfuelingsolutions maglink_lx_web_console_configuration 3.3
CVE-2024-41725

ProGauge MAGLINK LX CONSOLE does not have sufficient filtering on input fields that are used to render pages which may allow cross site scripting.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
doverfuelingsolutions progauge_maglink_lx4_console_firmware *
doverfuelingsolutions progauge_maglink_lx_console_firmware *
CVE-2024-43423

The web application for ProGauge MAGLINK LX4 CONSOLE contains an administrative-level user account with a password that cannot be changed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
ics-cert@hq.dhs.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
doverfuelingsolutions progauge_maglink_lx4_console_firmware *
doverfuelingsolutions progauge_maglink_lx_console_firmware *
CVE-2024-43692

An attacker can directly request the ProGauge MAGLINK LX CONSOLE resource sub page with full privileges by requesting the URL directly.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
doverfuelingsolutions progauge_maglink_lx4_console_firmware *
doverfuelingsolutions progauge_maglink_lx_console_firmware *
CVE-2024-43693

A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE UTILITY sub-menu can allow a remote attacker to inject arbitrary commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
doverfuelingsolutions progauge_maglink_lx4_console_firmware *
doverfuelingsolutions progauge_maglink_lx_console_firmware *
CVE-2024-45066

A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE IP sub-menu can allow a remote attacker to inject arbitrary commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
doverfuelingsolutions progauge_maglink_lx4_console_firmware *
doverfuelingsolutions progauge_maglink_lx_console_firmware *
CVE-2024-45373

Once logged in to ProGauge MAGLINK LX4 CONSOLE, a valid user can change their privileges to administrator.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
ics-cert@hq.dhs.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
doverfuelingsolutions progauge_maglink_lx4_console_firmware *
doverfuelingsolutions progauge_maglink_lx_console_firmware *