Socomec Modulys GP UPS MOD3GP-SY-120K has critical vulnerabilities, won't be patched
Take action: If you are still using the SOCOMEC MODULYS GP MOD3GP-SY-120K UPS, move its management interface onto an isolated network segment that cannot be reached from outside. Then start budgeting for an upgrade.
A batch of critical vulnerabilities, collectively scored CVSS v3 10.0, affects the SOCOMEC MODULYS GP MOD3GP-SY-120K UPS. The affected Socomec product is MODULYS GP (MOD3GP-SY-120K) with web firmware version v01.12.10.
The successful exploitation of these vulnerabilities can allow attackers to execute malicious JavaScript code, access sensitive information, or steal session cookies.
- CVE-2023-38582 - Cross-Site Scripting (XSS) - An authenticated remote attacker can inject arbitrary JavaScript into the field MAIL_RCV, executing it when a legitimate user accesses the web application
- CVE-2023-39446 - Cross-Site Request Forgery (CSRF) - Weaknesses in user management allow an attacker to originate malicious actions when a legitimate user is logged in
- CVE-2023-41965 - Insecure Storage of Sensitive Information - Information can be obtained due to the lack of security in the authentication process
- CVE-2023-41084 - Reliance on Cookies without Validation and Integrity Checking - Attackers can steal session cookies and perform unauthorized actions
- CVE-2023-402215 - Code Injection - Potential attackers can inject malicious code into the MAIL SERVER section, which is executed when legitimate users access it
- CVE-2023-39452 - Plaintext Storage of a Password - Credentials are stored in plaintext within the user management section
- CVE-2023-38255 - Additional XSS - Attackers can include malicious code when uploading new device configurations, affecting the device's intended function
Socomec reports that MODULYS GP (MOD3GP-SY-120K) is an End-of-Life product, recommending the use of MODULYS GP2 (M4-S-XXX) instead, which is not affected.