CVE-2021-20597

Insufficiently Protected Credentials vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to log in to the target without authorization by sniffing network traffic and obtaining credentials when user information is registered in the target or a password is changed.

Source: CVE-2021-20597

CVE-2021-20598

Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to lock out a legitimate user by continuously attempting to log in with an incorrect password.

Source: CVE-2021-20598

CVE-2021-20594

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to acquire legitimate user names registered in the module via a brute-force attack on user names.

Source: CVE-2021-20594

CVE-2021-36454

Cross Site Scripting (XSS) vulnerability in Naviwebs Navigate Cms 2.9 via the navigate-quickse parameter to 1) backups\backups.php, 2) blocks\blocks.php, 3) brands\brands.php, 4) comments\comments.php, 5) coupons\coupons.php, 6) feeds\feeds.php, 7) functions\functions.php, 8) items\items.php, 9) menus\menus.php, 10) orders\orders.php, 11) payment_methods\payment_methods.php, 12) products\products.php, 13) profiles\profiles.php, 14) shipping_methods\shipping_methods.php, 15) templates\templates.php, 16) users\users.php, 17) webdictionary\webdictionary.php, 18) websites\websites.php, and 19) webusers\webusers.php because the initial_url function is built in these files.

Source: CVE-2021-36454