Security vulnerabilities on PNPSCADA

sdg.marinusvz
2024-03-18 13:44
Last Edited 2024-03-18 13:47

This thread has been transcribed from a support call.

I have heard that there are security vulnerabilities on Plug and Play SCADA. Are you aware of that?


Specifically CVE-2023-1934 and ICSA-23-131-12.

sdg.marinusvz
2024-03-18 13:51
Last Edited 2024-03-18 13:53

Yes, those vulnerabilities were via SQL injections in some Java Server Pages on PNPSCADA.


We have since fixed those SQL injection vulnerabilities that existed on version 2.*, and changed the version to 3.*.

More recently there has been another vulnerability report concerning the replayability of URLs, prompting us to add a cookie to the mix, so that people can't just enter URLs and take over another person's session. We now require you to enter your credentials again when you cut and paste a URL into another browser. When that vulnerability was fixed, we changed the version to 4.*.
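
Added example, not part of the original thread and not PNPSCADA's code: one way a server can tie a session id carried in a URL to a cookie held by the browser that logged in, so that the same URL pasted into another browser has to re-authenticate. The function names, the HMAC binding and the user names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real server would load this from protected config.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session id carried in the URL -> session record


def _binding(session_id: str, cookie_secret: str) -> str:
    """MAC tying the URL session id to the secret held in the browser cookie."""
    msg = f"{session_id}|{cookie_secret}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def login(user: str):
    """Create a session; return (session id for URLs, cookie value for this browser)."""
    session_id = secrets.token_urlsafe(16)
    cookie_secret = secrets.token_urlsafe(32)
    # Only the MAC is stored, so the cookie value itself never sits server-side.
    SESSIONS[session_id] = {"user": user,
                            "binding": _binding(session_id, cookie_secret)}
    return session_id, cookie_secret


def authorize(session_id, cookie_secret):
    """Return the user if URL and cookie belong together, else None (re-login)."""
    session = SESSIONS.get(session_id)
    if session is None or not cookie_secret:
        return None  # unknown session, or URL presented without the cookie
    presented = _binding(session_id, cookie_secret)
    if hmac.compare_digest(session["binding"], presented):
        return session["user"]
    return None  # cookie belongs to some other browser or session


def demo():
    sid, cookie = login("alice")     # constructed user names
    _, other_cookie = login("bob")   # cookie issued to a different browser
    return {
        "same_browser": authorize(sid, cookie),
        "pasted_url_no_cookie": authorize(sid, None),
        "pasted_url_other_cookie": authorize(sid, other_cookie),
    }


if __name__ == "__main__":
    print(demo())
```
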
