CVE-2021-22813
CVE-2021-22813 is a Cross‑Site Scripting (CWE-79) vulnerability affecting Schneider Electric NMC/NMC2/NMC3 devices across UPS, PDU, and related network cards. A privileged user can trigger arbitrary script execution by clicking a malicious URL referencing an edit policy file. The connected docume...
CVE-2021-22812
CVE-2021-22812 is a Cross-Site Scripting (CWE-79) vulnerability affecting Schneider Electric NMC/NMC2/NMC3 embedded devices and related UPS, PDU, and cooling products. Affected items include NMC2/NMC3 applications across various AP9630/9631/9635/9640/9641/9643 series and related RPDU2G, RPP, XRDP...
CVE-2021-22811
A CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability exists that could cause script execution when the request of a privileged account accessing the vulnerable web page is intercepted. Affected Products: 1-Phase Uninterruptible Power Supply UP...
CVE-2021-22811
CVE-2021-22811 is a cross-site scripting vulnerability in Schneider Electric NMC/NMC2/NMC3 web interfaces. The issue could permit arbitrary script execution when a privileged user accesses a vulnerable web page or when a malicious URL crafted for the NMC is used. Affected products span multiple S...
CVE-2021-22810
A CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability exists that could cause arbitrary script execution when a privileged account clicks on a malicious URL specifically crafted for the NMC pointing to a delete policy file. Affected Products:...
Universal Plug and Play (UPnP): What You Need to Know
Universal Plug and Play (UPnP) is a widely used protocol with a decade-long history of flawed implementations across a wide range of consumer devices. In this paper, we will cover how these flaws are still present on devices, how these vulnerabilities are actively being abused, and how a...
Defending the Supply Chain: Why the DDS Protocol is Critical in Industrial and Software Systems
In 2021, a team of researchers from Trend Micro Research, TXOne, ADLINK, Alias Robotics, and ZDI looked into the Data Distribution Service (DDS) standard and its implementations from a security angle. The full findings of this research will be presented in the S4X22 Conference in April 2022...
TrickBot Crashes Security Researchers’ Browsers in Latest Upgrade
Trojan titan TrickBot has added a striking anti-debugging feature that detects security analysis and crashes researcher browsers before its malicious code can be analyzed. The new anti-debugging feature was discovered by Security Intelligence analysts with IBM, who reported the emergence of a...
Use of a Broken or Risky Cryptographic Algorithm in x360ce/x360ce
Description The password-generation algorithm used in the function NewPassword simply adds bias to the output password instead of making it easier to remember. Proof of Concept - Use the NewPassword function a large amount of times and store the output. - Look at the frequency of each character o...
Ubiquitous Linux Bug: ‘An Attacker’s Dream Come True’
UPDATE Every major Linux distribution has an easily exploited memory-corruption bug that’s been lurking for 12 years – a stunning revelation that’s likely to be followed soon by in-the-wild exploits, researchers warn. Successful exploitation gives full root access to any unprivileged user. The...
Open Subtitles breach: The dangers of password reuse
Popular website Open Subtitles has been breached. The impact so far: almost seven million accounts “breached and ransomed” back in August. New breach: Open Subtitles had almost 7M accounts breached and ransomed in Aug. Data included email and IP addresses, usernames and unsalted MD5 password...
Medium: krb5
Issue Overview: A flaw was found in krb5. The Key Distribution Center (KDC) in MIT Kerberos 5 has a NULL pointer dereference via a FAST inner body that lacks a server field. An authenticated attacker could use this flaw to crash the Kerberos KDC server. The highest threat from this vulnerability is...
Russian Hackers Heavily Using Malicious Traffic Direction System to Distribute Malware
Potential connections between a subscription-based crimeware-as-a-service (CaaS) solution and a cracked copy of Cobalt Strike have been established in what the researchers suspect is being offered as a tool for its customers to stage post-exploitation activities. Prometheus, as the service is calle...
ZOHO ManageEngine Desktop Central Licensing Issue Vulnerability
ZOHO ManageEngine Desktop Central (DC) is a desktop management solution from ZOHO, Inc. The solution includes software distribution, patch management, system configuration, remote control and other functional modules to support the entire lifecycle of desktop and server management...
ZOHO ManageEngine Desktop Central Remote Code Execution Vulnerability
ZOHO ManageEngine Desktop Central (DC) is a desktop management solution from ZOHO, Inc. The solution includes software distribution, patch management, system configuration, remote control, and other functional modules to support the entire lifecycle of desktop and server management. properly...
CVE-2022-21682 flatpak-builder can access files outside the build directory.
Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies finish-args last in the build. At this point the build directory will have the full access that is specified in the...
GHSA-QC9X-GJCV-465W Pipenv's requirements.txt parsing allows malicious index url in comments
Issue Summary Due to a flaw in pipenv's parsing of requirements files, an attacker can insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file e.g. with "pipenv install -r requirements.txt...
[WP-H2] NonUSTStrategy.sol Improper handling of swap fees allows attacker to steal funds from other users
Handle WatchPug Vulnerability details NonUSTStrategy will swap the deposited non-UST assets into UST before depositing to EthAnchor. However, the swap fee is not attributed to the depositor correctly like many other yield farming vaults involving swaps (ZapIn). An attacker can exploit it for the sw...
wrong distribution of debts
Handle danb Vulnerability details redeemAmount should be deductionFromIndex multiplied by shareOfIndex, not divided. This would lead to a wrong distribution of payments.
firefox security update
91.5.0-1.0.2 - Enabled aarch64 builds 91.5.0-1.0.1 - Remove upstream references Orabug: 30143292 - Update distribution for Oracle Linux Orabug: 30143292 - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file 91.5.0-1 - Update to 91.5.0 build1...