An issue was discovered in CIRCONTROL CirCarLife before 4.3. Due to the storage of multiple sensitive information elements in a JSON format at /services/system/setup.json, an authenticated but unprivileged user can exfiltrate critical setup information.

An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is internal installation path disclosure due to the lack of authentication for /html/repository.

An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is PLC status disclosure due to lack of authentication for /html/devstat.html.

An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is system software information disclosure due to lack of authentication for /html/device-id.

CirCarLife Scada before 4.3 allows remote attackers to obtain sensitive information via a direct request for the html/log or services/system/info.html URI.