As of June 15, 2022, this site no longer supports Internet Explorer. Please use another browser for the best experience on our site.

Product support

Security Advisories

SUMMARY

SDS-3008 Series Multiple Web Vulnerabilities

The SDS-3008 Series web server is affected by multiple vulnerabilities. 
-    A remote attacker may disclose unauthorized information or perform a denial-of-service attack.
-    A remote attacker may execute arbitrary script code in the browser of an unsuspecting user.

The identified vulnerability types and potential impacts are shown below:

Item Vulnerability Type Impact
1 Cleartext Transmission of Sensitive Information (CWE-319)
CVE-2022-40693
A cleartext transmission vulnerability exists in the web application functionality of Moxa’s SDS-3008 Series Industrial Ethernet switch v2.1. A specially crafted network sniffing tool can lead to disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability.
2 Insufficient Resource Pool (CWE-410)
CVE-2022-40224
A denial-of-service vulnerability exists in the web server functionality of Moxa’s SDS-3008 Series Industrial Ethernet switch v2.1. A specially crafted HTTP message header can lead to a denial-of-service attack. An attacker can send an HTTP request to trigger this vulnerability.
3 Improper Neutralization of Input During Web Page Generation (CWE-79)
CVE-2022-41311, CVE-2022-41312, CVE-2022-41313
A stored cross-site scripting vulnerability exists in the web application functionality of Moxa’s SDS-3008 Series Industrial Ethernet switch v2.1. A specially crafted HTTP request can lead to arbitrary JavaScript code being executed. An attacker can send an HTTP request to trigger this vulnerability.
4 Information Exposure (CWE-200)
CVE-2022-40691
An information disclosure vulnerability exists in the web application functionality of Moxa’s SDS-3008 Series Industrial Ethernet switch v2.1. A specially crafted HTTP request can lead to disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.
AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are shown below.

Product Series Affected Versions
SDS-3008 Series Firmware Version 2.1 or lower

 

Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series Solutions
SDS-3008 Series Please contact Moxa Technical Support for the security patch.

 

Acknowledgment:

We would like to express our appreciation to Cisco Talos team for reporting the vulnerability, working with us to help enhance the security of our products, and helping us provide a better service to our customers.

 

Revision History:

VERSION DESCRIPTION RELEASE DATE
1.0 First Release Feb 2, 2023

Relevant Products

SDS-3008 Series ·

  •   Print this page
  • You can manage and share your saved list in My Moxa
Let’s get that fixed

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability
Added To Bag
You have some items waiting in your bag; click here to finish your quote!
Feedback