Loytec L-INX Automation Servers, L-IOB I/O Controllers, L-VIS Touch Panels Cleartext Transmission of Sensitive Information Vulnerability

2023-11-03

 

CVE ID: CVE-2023-46382
Severity: High
Affected Vendors: LOYTEC electronics GmbH
Affected Products: LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2, LIOB-586 firmware 6.2.3
Vulnerability Details: Authentication is missing on the web user interface for the preinstalled version of LWEB-802. If there is a project on a device, an unauthenticated user could create a new project on a web and access/control a gr The web user interface on Loytec devices requires login credentials for critical information (Data, Commission, Config, etc…); however, the username and password are sent in clear text over HTTP. Anyone who sniffs network traffic could easily steal the credentials.
Solutions & Rules: N/A
Credit: Chizuru Toyama of TXOne Networks
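
A defender-side check for the exposure described under Vulnerability Details, added here as an example and not taken from the advisory or from LOYTEC: it inspects a captured HTTP request and reports where credentials travel unencrypted, without printing their values. The request paths, the address 192.0.2.10, the field names and the sample requests are constructed assumptions; the advisory does not say how the web UI encodes the login.

```python
from urllib.parse import parse_qsl

# Assumed credential field names; the advisory does not name the real ones.
CRED_FIELDS = {"username", "user", "login", "password", "passwd", "pwd"}

def cleartext_credential_findings(raw_request: bytes, tls: bool = False) -> list[str]:
    """Return the places where a captured request exposes credentials in cleartext."""
    if tls:  # the payload was encrypted on the wire, nothing to report
        return []
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    findings = []
    # Basic auth is only base64-encoded, so it is readable by any observer.
    if headers.get("authorization", "").split(" ", 1)[0].lower() == "basic":
        findings.append("Authorization: Basic header (base64 is reversible)")
    parts = lines[0].split(" ")
    query = parts[1].partition("?")[2] if len(parts) > 1 else ""
    is_form = "application/x-www-form-urlencoded" in headers.get("content-type", "").lower()
    sources = [("query string", query)]
    if is_form:
        sources.append(("form body", body.decode("latin-1")))
    for label, data in sources:
        names = {k.lower() for k, _ in parse_qsl(data, keep_blank_values=True)}
        hits = sorted(names & CRED_FIELDS)
        if hits:  # report field names only, never the values
            findings.append(f"{label} fields: {', '.join(hits)}")
    return findings

# Constructed sample requests (not captured from a real device).
SAMPLE_BASIC = (b"GET /constructed/config HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                b"Authorization: Basic dXNlcjpleGFtcGxl\r\n\r\n")
SAMPLE_FORM = (b"POST /constructed/login HTTP/1.1\r\nHost: 192.0.2.10\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"username=operator&password=constructed")
SAMPLE_CLEAN = b"GET /constructed/index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_BASIC, SAMPLE_FORM, SAMPLE_CLEAN):
        print(cleartext_credential_findings(sample))
```

Any non-empty result for traffic to a device's web UI means the login is observable on that network segment, so the device should only be reachable over a trusted or encrypted path.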