As of June 15, 2022, this site no longer supports Internet Explorer. Please use another browser for the best experience on our site.

Product support

Security Advisories

SUMMARY

PT-G503 Series Multiple Vulnerabilities

PT-G503 Series firmware version v5.2 and prior are affected by multiple vulnerabilities in the old version of jQuery, weak cipher suites, and unsecure web cookies. Using the older jQuery version and weak cipher suites and not setting session cookie attributes properly caused these vulnerabilities. These vulnerabilities could put your security at risk in many ways, such as Cross-site Scripting (XSS) attacks, prototype pollution, data leaks, unauthorized access to user sessions, etc. 


The identified vulnerability types and potential impacts are shown below:

Item Vulnerability Type Impact
1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) 
CVE-2015-9251, CVE-2020-11022, CVE-2020-11023 (jQuery) 
An attacker located remotely can insert HTML or JavaScript into the system via a web interface. 
2
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321) 
CVE-2019-11358 (jQuery) 
An attacker can inject attributes that are used in other components. 
3
Inadequate Encryption Strength (CWE-326) 
CVE-2005-4900 (cipher) 
An attacker may be able to decrypt the data using spoofing attacks. 
4
Sensitive Cookie Without 'HttpOnly' Flag (CWE-1004) 
CVE-2023-4217 (Cookie) 
This vulnerability could cause security risks and allow unauthorized access to user session data. 
5
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614) 
CVE-2023-5035 (Cookie) 
This vulnerability could cause the cookie to be transmitted in plaintext over an HTTP session. 

 

Vulnerability Scoring Details

ID CVSS V3.1 VECTOR REMOTE EXPLOIT WITHOUT AUTH?
CVE-2005-4900  5.9  AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N  Yes
CVE-2015-9251  6.1  AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  Yes
CVE-2019-11358  6.1  AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  Yes
CVE-2020-11022  6.9  AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N  Yes
CVE-2020-11023  6.9  AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N  Yes
CVE-2023-4217  3.1  AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  Yes
CVE-2023-5035  3.1  AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  Yes

 

AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are shown below.

Product Series Affected Versions
PT-G503 Series  Firmware version 5.2 and prior. 
PT-7728 Series Firmware version 3.8 and prior. 
PT-7828 Series Firmware version 3.10 and prior. 

 

Solutions:

For CVE-2005-4900, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, and CVE-2020-11023, Moxa has developed appropriate solutions to address the vulnerabilities by updating the jQuery version and removing weak cipher suites. The solutions for affected products are shown below. 

Product Series Solutions
PT-G503 Series Please upgrade to firmware v5.3 or later
PT-7728 Series Please upgrade to firmware v3.9 or later
PT-7828 Series Please upgrade to firmware v4.0 or later

 

Mitigation

The risk levels of CVE-2023-4217 and CVE-2023-5035 are low, and it’s hard to forbidden HTTP connections because HTTP is still required in certain legacy application scenarios. To mitigate these vulnerabilities, users should carefully use HTTP if necessary, and could try to replace HTTP by HTTPS when using the web service. Additionally, refer to the following mitigation measures to deploy the product in an appropriate product security context. 

Moxa recommends users follow CISA recommendations.  

  • Reduce network exposure by ensuring that all control system devices and systems are not accessible from the Internet. 

  • Place control system networks and remote devices behind firewalls, isolating them from business networks. 

  • When remote access is necessary, employ secure methods such as Virtual Private Networks (VPNs). It is important to note that VPNs may have vulnerabilities and should be kept up to date with the latest available version. Remember that the security of a VPN depends on the security of its connected devices. 

 

Revision History:

VERSION DESCRIPTION RELEASE DATE
1.0 First Release Nov 2, 2023 
1.1 Add PT-7728 and PT-7828 Series in Affected Products and Solutions sections Jan 5, 2024

Relevant Products

PT-7728 Series · PT-7828 Series · PT-G503 Series ·

  •   Print this page
  • You can manage and share your saved list in My Moxa
Let’s get that fixed

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability
Added To Bag
You have some items waiting in your bag; click here to finish your quote!
Feedback