
    3 vulnerabilities by elvexys

    CVE-2022-4780 (GCVE-0-2022-4780)

    Vulnerability from cvelistv5 – Published: 2022-12-28 14:21 – Updated: 2025-04-10 20:31
    VLAI
    Title
    hard coded credentials in elvexys ISOS firmwares
    Summary
    ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    References
    Impacted products
    Vendor Product Version
    elvexys ISOS Affected: from 1.81 up to and including 2.00 (versionType: patch)
    Credits
    Damian Pfammatter, Cyber-Defense Campus, armasuisse S+T; Daniel Hulliger, Cyber-Defense Campus, armasuisse S+T

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:48:40.472Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "release-notes",
                  "x_transferred"
                ],
                "url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/isos-release-notes/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-4780",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-10T20:30:46.383689Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-10T20:31:03.789Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ISOS",
              "vendor": "elvexys",
              "versions": [
                {
                  "lessThanOrEqual": "2.00",
                  "status": "affected",
                  "version": "1.81",
                  "versionType": "patch"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Damian Pfammatter, Cyber-Defense Campus, armasuisse S+T"
            },
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Daniel Hulliger, Cyber-Defense Campus, armasuisse S+T"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "ISOS firmwares from \u003cb\u003eversions 1.81 to 2.00 \u003c/b\u003econtain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.\u003cbr\u003e"
                }
              ],
              "value": "ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 4.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-12-28T23:29:52.525Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/isos-release-notes/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "ISOS firmwares from version 2.01 force the user to change the default credentials during the first login.\u003cbr\u003eFor\n ISOS fimwares up to version 2.00, the default credentials must be \nchanged by the user as documented in the \u00ab Initial staging \u00bb and \u00ab User \naccess \u00bb chapters. "
                }
              ],
              "value": "ISOS firmwares from version 2.01 force the user to change the default credentials during the first login.\nFor\n ISOS fimwares up to version 2.00, the default credentials must be \nchanged by the user as documented in the \u00ab Initial staging \u00bb and \u00ab User \naccess \u00bb chapters. "
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "hard coded credentials in elvexys ISOS firmwares",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2022-4780",
        "datePublished": "2022-12-28T14:21:36.185Z",
        "dateReserved": "2022-12-28T09:17:05.953Z",
        "dateUpdated": "2025-04-10T20:31:03.789Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-4779 (GCVE-0-2022-4779)

    Vulnerability from cvelistv5 – Published: 2022-12-28 14:20 – Updated: 2025-04-10 20:33
    VLAI
    Title
    authentication bypass in elvexys StreamX using StreamView HTML component with public web server feature
    Summary
    StreamX applications from versions 6.02.01 to 6.04.34 are affected by a logic bug that allows the implemented authentication scheme to be bypassed. StreamX applications using the StreamView HTML component with the public web server feature activated are affected.
    SSVC
    Exploitation: none; Automatable: yes; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a (CNA record, NCSC.ch)
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (added by the CISA-ADP container)
    Assigner
    References
    Impacted products
    Vendor Product Version
    elvexys StreamX Affected: from 6.02.01 up to and including 6.04.34 (versionType: patch)
    Credits
    Damian Pfammatter, Cyber-Defense Campus, armasuisse S+T; Daniel Hulliger, Cyber-Defense Campus, armasuisse S+T

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:48:40.434Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "release-notes",
                  "x_transferred"
                ],
                "url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/streamx-release-notes/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-4779",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-10T20:31:22.212441Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-10T20:33:55.806Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "StreamX",
              "vendor": "elvexys",
              "versions": [
                {
                  "lessThanOrEqual": "6.04.34",
                  "status": "affected",
                  "version": "6.02.01",
                  "versionType": "patch"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Damian Pfammatter, Cyber-Defense Campus, armasuisse S+T"
            },
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Daniel Hulliger, Cyber-Defense Campus, armasuisse S+T"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "StreamX applications from \u003cb\u003eversions 6.02.01 to 6.04.34\u003c/b\u003e are affected by a \u003cb\u003elogic bug\u003c/b\u003e that allows to bypass the implemented authentication scheme.\u003cbr\u003eStreamX applications using StreamView HTML component with the public web server feature activated are affected. "
                }
              ],
              "value": "StreamX applications from versions 6.02.01 to 6.04.34 are affected by a logic bug that allows to bypass the implemented authentication scheme.\nStreamX applications using StreamView HTML component with the public web server feature activated are affected. "
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-12-28T23:29:52.525Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/streamx-release-notes/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade StreamX to version 6.04.35 or above.\u003cbr\u003e"
                }
              ],
              "value": "Upgrade StreamX to version 6.04.35 or above.\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "authentication bypass in elvexys StreamX using StreamView HTML component with public web server feature",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2022-4779",
        "datePublished": "2022-12-28T14:20:49.370Z",
        "dateReserved": "2022-12-28T09:16:59.208Z",
        "dateUpdated": "2025-04-10T20:33:55.806Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-4778 (GCVE-0-2022-4778)

    Vulnerability from cvelistv5 – Published: 2022-12-28 14:20 – Updated: 2025-04-09 18:28
    VLAI
    Title
    path traversal in elvexys StreamX using StreamView HTML component with public web server feature
    Summary
    StreamX applications from versions 6.02.01 to 6.04.34 are affected by a path traversal vulnerability that allows authenticated users to get unauthorized access to files on the server's filesystem. StreamX applications using StreamView HTML component with the public web server feature activated are affected.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a (CNA record, NCSC.ch)
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (added by the CISA-ADP container)
    Assigner
    References
    Impacted products
    Vendor Product Version
    elvexys StreamX Affected: from 6.02.01 up to and including 6.04.34 (versionType: patch)
    Credits
    Damian Pfammatter, Cyber-Defense Campus, armasuisse S+T; Daniel Hulliger, Cyber-Defense Campus, armasuisse S+T

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:48:40.415Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "release-notes",
                  "x_transferred"
                ],
                "url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/streamx-release-notes/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-4778",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-09T17:43:15.836494Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-09T18:28:15.177Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "StreamX",
              "vendor": "elvexys",
              "versions": [
                {
                  "lessThanOrEqual": "6.04.34",
                  "status": "affected",
                  "version": "6.02.01",
                  "versionType": "patch"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Damian Pfammatter, Cyber-Defense Campus, armasuisse S+T"
            },
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Daniel Hulliger, Cyber-Defense Campus, armasuisse S+T"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "StreamX applications from \u003cb\u003eversions 6.02.01 to 6.04.34\u003c/b\u003e are affected by a \u003cb\u003epath traversal vulnerability\u003c/b\u003e that allows authenticated users to get unauthorized access to files on the server\u0027s filesystem.\u003cbr\u003eStreamX applications using StreamView HTML component with the public web server feature activated are affected."
                }
              ],
              "value": "StreamX applications from versions 6.02.01 to 6.04.34 are affected by a path traversal vulnerability that allows authenticated users to get unauthorized access to files on the server\u0027s filesystem.\nStreamX applications using StreamView HTML component with the public web server feature activated are affected."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-12-28T23:29:52.525Z",
            "orgId": "455daabc-a392-441d-aa46-37d35189897c",
            "shortName": "NCSC.ch"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/streamx-release-notes/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade StreamX to version 6.04.35 or above.\u003cbr\u003e"
                }
              ],
              "value": "Upgrade StreamX to version 6.04.35 or above.\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "path traversal in elvexys StreamX using StreamView HTML component with public web server feature",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
        "assignerShortName": "NCSC.ch",
        "cveId": "CVE-2022-4778",
        "datePublished": "2022-12-28T14:20:24.269Z",
        "dateReserved": "2022-12-28T09:16:52.144Z",
        "dateUpdated": "2025-04-09T18:28:15.177Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }