Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-40620

Summary
Assigner-Rockwell
Assigner Org ID-b73dd486-f505-4403-b634-40b078b177f0
Published At-14 Aug, 2024 | 19:58
Updated At-14 Aug, 2024 | 20:30
Rejected At-
Credits

Rockwell Automation Pavilion8® Unencrypted Data Vulnerability via HTTP protocol

CVE-2024-40620 IMPACT A vulnerability exists in the affected product due to lack of encryption of sensitive information. The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data's confidentiality.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Rockwell
Assigner Org ID:b73dd486-f505-4403-b634-40b078b177f0
Published At:14 Aug, 2024 | 19:58
Updated At:14 Aug, 2024 | 20:30
Rejected At:
▼CVE Numbering Authority (CNA)
Rockwell Automation Pavilion8® Unencrypted Data Vulnerability via HTTP protocol

CVE-2024-40620 IMPACT A vulnerability exists in the affected product due to lack of encryption of sensitive information. The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data's confidentiality.

Affected Products
Vendor
Rockwell Automation, Inc.Rockwell Automation
Product
Pavilion8®
Default Status
unaffected
Versions
Affected
  • 5.20
Problem Types
TypeCWE IDDescription
CWECWE-311CWE-311 Missing Encryption of Sensitive Data
Type: CWE
CWE ID: CWE-311
Description: CWE-311 Missing Encryption of Sensitive Data
Metrics
VersionBase scoreBase severityVector
4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-37CAPEC-37 Retrieve Embedded Sensitive Data
CAPEC ID: CAPEC-37
Description: CAPEC-37 Retrieve Embedded Sensitive Data
Solutions

Upgrade to v6.0

Configurations
Workarounds

Interactions between the Console and Dashboard take place on the same machine, the machine should exist behind a firewall and physical access should be limited to authorized personnel.

Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD%201691.html
N/A
Hyperlink: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD%201691.html
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:PSIRT@rockwellautomation.com
Published At:14 Aug, 2024 | 20:15
Updated At:31 Jan, 2025 | 15:03

CVE-2024-40620 IMPACT A vulnerability exists in the affected product due to lack of encryption of sensitive information. The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data's confidentiality.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches
Rockwell Automation, Inc.
rockwellautomation
>>pavilion8>>5.20.00
cpe:2.3:a:rockwellautomation:pavilion8:5.20.00:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-311SecondaryPSIRT@rockwellautomation.com
CWE-311Primarynvd@nist.gov
CWE ID: CWE-311
Type: Secondary
Source: PSIRT@rockwellautomation.com
CWE ID: CWE-311
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD%201691.htmlPSIRT@rockwellautomation.com
Vendor Advisory
Hyperlink: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD%201691.html
Source: PSIRT@rockwellautomation.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

60Records found
CVE-2020-35587
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.71% / 71.43%
||
7 Day CHG~0.00%
Published-23 Dec, 2020 | 15:19
Updated-04 Aug, 2024 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Solstice Pod before 3.0.3, the firmware can easily be decompiled/disassembled. The decompiled/disassembled files contain non-obfuscated code. NOTE: it is unclear whether lack of obfuscation is directly associated with a negative impact, or instead only facilitates an attack technique

Action-Not Available
Vendor-mersiven/amersive
Product-solstice_firmwaresolsticen/asolstice_pod_firmware
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2022-4409
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.3||MEDIUM
EPSS-0.06% / 19.49%
||
7 Day CHG~0.00%
Published-11 Dec, 2022 | 00:00
Updated-14 Apr, 2025 | 17:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in thorsten/phpmyfaq

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9.

Action-Not Available
Vendor-Thorsten Rinne (phpMyFAQ)
Product-phpmyfaqthorsten/phpmyfaq
CWE ID-CWE-614
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2024-23444
Matching Score-4
Assigner-Elastic
ShareView Details
Matching Score-4
Assigner-Elastic
CVSS Score-4.9||MEDIUM
EPSS-0.07% / 21.25%
||
7 Day CHG~0.00%
Published-31 Jul, 2024 | 17:26
Updated-04 Apr, 2025 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elasticsearch elasticsearch-certutil csr fails to encrypt private key

It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation.

Action-Not Available
Vendor-Elasticsearch BV
Product-elasticsearchElasticsearch
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2022-38658
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-7.7||HIGH
EPSS-0.08% / 23.24%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 18:52
Updated-15 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Server Automation (SA) is affected by a security vulnerability around Notification Service

BigFix deployments that have installed the Notification Service on Windows are susceptible to disclosing SMTP BigFix operator's sensitive data in clear text. Operators who use Notification Service related content from BES Support are at risk of leaving their SMTP sensitive data exposed.

Action-Not Available
Vendor-HCL Technologies Ltd.Microsoft Corporation
Product-windowsbigfix_server_automationBigFix Server Automation
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2024-42495
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.1||HIGH
EPSS-0.06% / 17.89%
||
7 Day CHG~0.00%
Published-05 Sep, 2024 | 22:41
Updated-04 Oct, 2024 | 14:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hughes Network Systems WL3000 Missing Encryption of Sensitive Data

Credentials to access device configuration were transmitted using an unencrypted protocol. These credentials would allow read-only access to network configuration information and terminal configuration data.

Action-Not Available
Vendor-echostarHughes Network Systems
Product-fusionhughes_wl3000WL3000 Fusion Software
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2024-38325
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.02% / 4.40%
||
7 Day CHG~0.00%
Published-27 Jan, 2025 | 15:27
Updated-14 Aug, 2025 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Storage Defender information disclosure

IBM Storage Defender 2.0.0 through 2.0.7 on-prem defender-sensor-cmd CLI could allow a remote attacker to obtain sensitive information, caused by sending network requests over an insecure channel. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.

Action-Not Available
Vendor-IBM Corporation
Product-storage_defenderStorage Defender - Resiliency Service
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2020-27055
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.5||HIGH
EPSS-0.17% / 38.49%
||
7 Day CHG~0.00%
Published-15 Dec, 2020 | 16:07
Updated-04 Aug, 2024 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In isSubmittable and showWarningMessagesIfAppropriate of WifiConfigController.java and WifiConfigController2.java, there is a possible insecure WiFi configuration due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-161378819

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2020-15340
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.38% / 58.39%
||
7 Day CHG~0.00%
Published-26 Jun, 2020 | 14:58
Updated-04 Aug, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded opt/axess/AXAssets/default_axess/axess/TR69/Handlers/turbolink/sshkeys/id_rsa SSH key.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-cloudcnm_secumanagern/a
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2020-10273
Matching Score-4
Assigner-Alias Robotics S.L.
ShareView Details
Matching Score-4
Assigner-Alias Robotics S.L.
CVSS Score-7.5||HIGH
EPSS-0.12% / 32.24%
||
7 Day CHG~0.00%
Published-24 Jun, 2020 | 04:55
Updated-16 Sep, 2024 | 21:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RVD#2560: Unprotected intellectual property in Mobile Industrial Robots (MiR) controllers

MiR controllers across firmware versions 2.8.1.1 and before do not encrypt or protect in any way the intellectual property artifacts installed in the robots. This flaw allows attackers with access to the robot or the robot network (while in combination with other flaws) to retrieve and easily exfiltrate all installed intellectual property and data.

Action-Not Available
Vendor-mobile-industrial-roboticsenabled-roboticsuvd-robotsaliasroboticsMobile Industrial Robots A/S
Product-er200mir250_firmwareer200_firmwareer-flex_firmwaremir500mir100_firmwareuvd_robots_firmwareer-oneer-lite_firmwaremir1000_firmwaremir500_firmwaremir200_firmwareer-liteer-flexer-one_firmwareuvd_robotsmir100mir200mir1000mir250MiR100
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2023-31825
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.04% / 9.33%
||
7 Day CHG~0.00%
Published-13 Jul, 2023 | 00:00
Updated-30 Oct, 2024 | 19:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue found in Inageya v.13.4.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp Inageya function.

Action-Not Available
Vendor-inageyan/a
Product-inageyan/a
CWE ID-CWE-311
Missing Encryption of Sensitive Data
  • Previous
  • 1
  • 2
  • Next
Details not found