Yesterday the DHS ICS-CERT published an alert for publicly disclosed control system vulnerabilities in the BINOM3 Electric Power Quality Meter. The vulnerabilities had previously been disclosed to ICS-CERT by Karn Ganeshen, but ICS-CERT has not been able to get a response from BINOM3 about the vulnerabilities.
The reported vulnerabilities include:
• Reflected and stored Cross-site Scripting;
• Clear Text Passwords;
• Sensitive information leakage in GET request; and
• Access Control Issues.
These are the same vulnerabilities that I reported on Saturday.