The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of GENESIS32

vulnerability alert CVE-2016-2289

ICONICS WebHMI: directory traversal

Synthesis of the vulnerability

An attacker can traverse directories of ICONICS WebHMI, in order to read a file outside the service root path.
Impacted products: GENESIS32, GENESIS64.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 01/04/2016.
Identifiers: CVE-2016-2289, ICSA-16-091-01, VIGILANCE-VUL-19281.

Description of the vulnerability

The ICONICS WebHMI product offers a web service.

However, user's data are directly inserted in an access path. Sequences such as "/.." can thus be used to go in the upper directory.

An attacker can therefore traverse directories of ICONICS WebHMI, in order to read a file outside the service root path.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2014-0758

ICONICS GENESIS32: code execution via IcoLaunch.dll

Synthesis of the vulnerability

An attacker can invite the victim to display an HTML page calling IcoLaunch.dll of ICONICS GENESIS32, in order to execute code on his computer.
Impacted products: GENESIS32.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: document.
Creation date: 20/02/2014.
Identifiers: BID-65706, CVE-2014-0758, ICSA-14-051-01, VIGILANCE-VUL-14287.

Description of the vulnerability

The ICONICS GENESIS32 product installs the IcoLaunch.dll ActiveX, which is used to start an application.

However, this ActiveX can be instantiated from Internet Explorer.

An attacker can therefore invite the victim to display an HTML page calling IcoLaunch.dll of ICONICS GENESIS32, in order to execute code on his computer.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2012-3018

ICONICS GENESIS32: privilege elevation via Security Configurator

Synthesis of the vulnerability

A local attacker can use a vulnerability of ICONICS GENESIS32 and BizViz applications, in order to elevate his privileges.
Impacted products: GENESIS32.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 31/07/2012.
Identifiers: BID-54732, CVE-2012-3018, ICSA-12-212-01, VIGILANCE-VUL-11809.

Description of the vulnerability

The access to ICONICS GENESIS32/BizViz requires a user account.

When an account is locked, it cannot be used to log in. A challenge-response operation is then required to enable the account. However, an attacker can bypass the challenge, and then log in on Security Configurator as an administrator.

A local attacker can therefore use a vulnerability of ICONICS GENESIS32 and BizViz applications, in order to elevate his privileges.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.