Subnet Solutions Inc. PowerSYSTEM Center

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Subnet Solutions Inc. Equipment: PowerSYSTEM Center Vulnerability: Unquoted Search Path or Element 2. RISK EVALUATION Successful exploitation of this vulnerability could result in an attacker achieving arbitrary...

Privilege escalation vulnerability in Node.js 20 could allow loading arbitrary OpenSSL engines when the experimental permission model is enabled (CVE-2023-30586).

A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine API can be used to bypass...

Siemens SCALANCE and RUGGEDCOM M-800/S615 Family

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories CERT Services | Services |...

Mitsubishi Electric FA Engineering Software Products

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION : Low attack complexity Vendor : Mitsubishi Electric Equipment : FA Engineering Software Products Vulnerability : External Control of File Name or Path 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a malicious...

Rockwell Automation FactoryTalk Linx

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.2 ATTENTION : Exploitable remotely/low attack complexity Vendor : Rockwell Automation Equipment : FactoryTalk Linx Vulnerability : Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could lead to information...

Pleroma Path Traversal vulnerability

A vulnerability was found in kphrx pleroma. It has been classified as problematic. This affects the function Pleroma.Emoji.Pack of the file lib/pleroma/emoji/pack.ex. The manipulation of the argument name leads to path traversal. The complexity of an attack is rather high. The exploitability is...

Path traversal

A vulnerability was found in kphrx pleroma. It has been classified as problematic. This affects the function Pleroma.Emoji.Pack of the file lib/pleroma/emoji/pack.ex. The manipulation of the argument name leads to path traversal. The complexity of an attack is rather high. The exploitability is...

PT-2023-32198 · Unknown · Kphrx Pleroma

Name of the Vulnerable Software and Affected Versions: kphrx pleroma affected versions not specified Description: A vulnerability was found in kphrx pleroma, classified as problematic. It affects the function Pleroma.Emoji.Pack of the file lib/pleroma/emoji/pack.ex. The manipulation of the argume...

GHSA-RQ36-9F5F-2GW7 Magento Open Source allows SQL Injection

Adobe Commerce versions 2.4.7-beta1 and earlier, 2.4.6-p2 and earlier, 2.4.5-p4 and earlier and 2.4.4-p5 and earlier are affected by an Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability that could lead in arbitrary code execution by an admin-privileg...

GHSA-GGR8-3HWX-4F2M Magento Open Source allows SQL Injection

Adobe Commerce versions 2.4.7-beta1 and earlier, 2.4.6-p2 and earlier, 2.4.5-p4 and earlier and 2.4.4-p5 and earlier are affected by an Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability that could lead in arbitrary code execution by an admin-privileg...

CVE-2023-38249

Adobe Commerce versions 2.4.7-beta1 and earlier, 2.4.6-p2 and earlier, 2.4.5-p4 and earlier and 2.4.4-p5 and earlier are affected by an Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability that could lead in arbitrary code execution by an admin-privileg...

CVE-2023-38249 Adobe Commerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Adobe Commerce versions 2.4.7-beta1 and earlier, 2.4.6-p2 and earlier, 2.4.5-p4 and earlier and 2.4.4-p5 and earlier are affected by an Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability that could lead in arbitrary code execution by an admin-privileg...

Mitsubishi Electric FA Engineering Software (Update A)

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.3 ATTENTION : Low attack complexity Vendor : Mitsubishi Electric Equipment : FA Engineering Software Products Vulnerability : Incorrect Default Permissions 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a local attacker to...

Omron Engineering Software

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.5 ATTENTION : Low attack complexity Vendor : Omron Equipment : Sysmac Studio Vulnerability : Improper Authorization 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code. 3. TECHNICAL DETAILS...

Design/Logic Flaw

A vulnerability classified as problematic was found in Supcon InPlant SCADA up to 20230901. Affected by this vulnerability is an unknown functionality of the file Project.xml. The manipulation leads to password hash with insufficient computational effort. Local access is required to approach this...

CVE-2023-4986 Supcon InPlant SCADA Project.xml unknown vulnerability

A vulnerability classified as problematic was found in Supcon InPlant SCADA up to 20230901. Affected by this vulnerability is an unknown functionality of the file Project.xml. The manipulation leads to password hash with insufficient computational effort. Local access is required to approach this...

Hitachi Energy AFF66x

1. EXECUTIVE SUMMARY ​CVSS v3 9.6 ​ATTENTION: Exploitable remotely/low attack complexity ​Vendor: Hitachi Energy ​Equipment: AFF66x ​Vulnerabilities: Cross-site Scripting, Use of Insufficiently Random Values, Origin Validation Error, Integer Overflow or Wraparound, Uncontrolled Resource...

Trane Thermostats

1. EXECUTIVE SUMMARY ​CVSS v3 6.8 ​ATTENTION: Low attack complexity ​Vendor: Trane ​Equipment: XL824, XL850, XL1050, and Pivot thermostats ​Vulnerability: Injection 2. RISK EVALUATION ​Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands as root...

What's New in CVSS v4

The pending update to the Common Common Vulnerability Scoring System CVSS, version 4.0, has garnered a noticeable volume of articles, blog posts and watercooler now known as Slack and Zoom air time. Reaction from the community has been positive, with general sentiment pinned somewhere near...

​Siemens JT Open, JT Utilities, and Parasolid

​​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories CERT Services | Services ...