
63 matches found

ICS
added 2021/07/13 12:00 a.m. | 142 views

Schneider Electric Modicon Controllers and Software (Update A)

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: EcoStruxure Control Expert, EcoStruxure Process Expert, SCADAPack RemoteConnect x70, SCADAPack x70 RTUs, and Modicon M580 and M340 control products Vulnerabilities:...

CVSS 9.1 | AI score 8.4 | EPSS 0.00183
Exploits: 0 | References: 5

NVD
added 2020/12/11 1:15 a.m. | 12 views

CVE-2020-28219

A CWE-522: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Geo SCADA Expert 2019 Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1 and EcoStruxure Geo SCADA Expert 2020 Original release and Monthly Updates to September 2020, from 83.7551....

CVSS 7.8 | AI score 7.5 | EPSS 0.00047
Exploits: 0 | References: 1

Cvelist
added 2020/12/11 12:51 a.m. | 11 views

CVE-2020-28219

A CWE-522: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Geo SCADA Expert 2019 Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1 and EcoStruxure Geo SCADA Expert 2020 Original release and Monthly Updates to September 2020, from 83.7551....

AI score 7.5 | EPSS 0.00047
Exploits: 0 | References: 1

CVE
added 2020/12/11 12:51 a.m. | 52 views

CVE-2020-28219

CVE-2020-28219 affects EcoStruxure Geo SCADA Expert 2019 and 2020, with a CWE-522 vulnerability that could expose credentials to server-side users when web users are logged in to Virtual ViewX. Affected versions include EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates throu...

CVSS 7.8 | AI score 7.5 | EPSS 0.00047
Exploits: 0 | References: 1 | Affected Software: 2

Hacker One
added 2020/08/20 9:47 p.m. | 197 views

GitHub Security Lab: Java: CWE-522 Insecure basic authentication

This bug was reported directly to GitHub Security Lab...

AI score 1.4
Exploits: 0

0day.today
added 2019/08/01 12:00 a.m. | 41 views

D-Link 6600-AP XSS / DoS / Information Disclosure Vulnerabilities

Exploit for hardware platform in category web applications Security Advisory - 22/07/2019 Multiple vulnerabilities found in the D-Link 6600-AP device running the latest firmware version 4.2.0.14. D-Link 6600-AP is not produced anymore but the support is still provided by D-Link as per described o...

AI score 7.1 | EPSS 0.0069
Exploits: 8

Github Security Blog
added 2018/07/23 7:50 p.m. | 18 views

Low severity vulnerability that affects sensu

The sensu rubygem prior to version 1.2.0 contains a CWE-522 Insufficiently Protected Credentials flaw that can result in sensitive configuration data e.g. passwords being logged in clear-text. Users are advised to upgrade to rubygem version 1.2.1 or later...

CVSS 9.8 | AI score 4.9 | EPSS 0.0045
Exploits: 0 | References: 7 | Affected Software: 1

Cvelist
added 2018/06/14 12:00 p.m. | 16 views

CVE-2018-8212

A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers...

AI score 5.3 | EPSS 0.00732
Exploits: 0 | References: 3

0day.today
added 2018/02/10 12:00 a.m. | 160 views

Trend Micro IMSVA Management Portal 9.1.0.1600 Authentication Bypass Exploit

Trend Micro IMSVA Management Portal version 9.1.0.1600 suffers from an authentication bypass vulnerability. Title: Trend Micro IMSVA Management Portal Authentication Bypass Advisory ID: KL-001-2018-006 Publication Date: 2018.02.08 Publication URL:...

AI score 0.5
Exploits: 0

OSV
added 2018/02/09 11:29 p.m. | 9 views

CVE-2018-1000060

Sensu, Inc. Sensu Core version Before 1.2.0 & before commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b contains a CWE-522 vulnerability in Sensu::Utilities.redact_sensitive that can result in sensitive configuration data e.g. passwords may be logged in clear-text. This attack appears to be exploitabl...

CVSS 9.8 | AI score 9.6 | EPSS 0.0045
Exploits: 0 | References: 5

NVD
added 2018/02/09 11:29 p.m. | 10 views

CVE-2018-1000060

Sensu, Inc. Sensu Core version Before 1.2.0 & before commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b contains a CWE-522 vulnerability in Sensu::Utilities.redact_sensitive that can result in sensitive configuration data e.g. passwords may be logged in clear-text. This attack appears to be exploitabl...

CVSS 9.8 | AI score 9.4 | EPSS 0.0045
Exploits: 0 | References: 5

Prion
added 2018/02/09 11:29 p.m. | 7 views

Design/Logic Flaw

Sensu, Inc. Sensu Core version Before 1.2.0 & before commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b contains a CWE-522 vulnerability in Sensu::Utilities.redact_sensitive that can result in sensitive configuration data e.g. passwords may be logged in clear-text. This attack appears to be exploitabl...

CVSS 5 | AI score 9.3 | EPSS 0.0045
Exploits: 0 | References: 5 | Affected Software: 1

Cvelist
added 2018/02/09 11:00 p.m. | 13 views

CVE-2018-1000060

Sensu, Inc. Sensu Core version Before 1.2.0 & before commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b contains a CWE-522 vulnerability in Sensu::Utilities.redact_sensitive that can result in sensitive configuration data e.g. passwords may be logged in clear-text. This attack appears to be exploitabl...

AI score 9.4 | EPSS 0.0045
Exploits: 0 | References: 5

CVE
added 2018/02/09 11:00 p.m. | 46 views

CVE-2018-1000060

CVE-2018-1000060 affects Sensu Core prior to 1.2.0 (and before commit 46ff10023e8cbf1b6978838f47c51b20b98fe30b). The root cause is Sensu::Utilities.redact_sensitive() failing to redact sensitive data in deeply nested structures, causing passwords and other credentials to be logged in clear-text i...

CVSS 9.8 | AI score 9.2 | EPSS 0.0045
Exploits: 0 | References: 5 | Affected Software: 1

Packet Storm
added 2018/02/09 12:00 a.m. | 48 views

Trend Micro IMSVA Management Portal 9.1.0.1600 Authentication Bypass

KL-001-2018-006 : Trend Micro IMSVA Management Portal Authentication Bypass Title: Trend Micro IMSVA Management Portal Authentication Bypass Advisory ID: KL-001-2018-006 Publication Date: 2018.02.08 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-006.txt 1. Vulnerabili...

AI score 7.1
Exploits: 0

CERT
added 2017/06/13 12:00 a.m. | 56 views

HPE SiteScope contains multiple vulnerabilities

Overview HPE's SiteScope is vulnerable to several cryptographic issues, insufficiently protected credentials, and missing authentication. Description HPE's SiteScope is vulnerable to several vulnerabilities. The researcher reports that version 11.31.461 is affected; other versions may also be...

CVSS 7.8 | AI score 7 | EPSS 0.02469
Exploits: 0 | References: 8

Packet Storm
added 2017/05/27 12:00 a.m. | 56 views

WordPress Social-Stream 1.6.0 Twitter API Secret Disclosure

Wordpress Plugin Social-Stream - Exposure of Twitter API Secret Keys CWE-522: Insufficiently Protected Credentials Products: Wordpress Social Stream Versions 1.6.0 and lower https://codecanyon.net/item/wordpress-social-stream/2201708 Social Network Tabs Versions 1.7.4 and lower...

AI score 7.4
Exploits: 0

KoreLogic Security
added 2016/11/03 12:00 a.m. | 513 views

Sophos Web Appliance Privilege Escalation

Vulnerability Details Affected Vendor: Sophos Affected Product: Web Appliance Affected Version: v4.2.1.3 Platform: Embedded Linux CWE Classification: CWE-522: Insufficiently Protected Credentials, CWE-261: Weak Cryptography for Passwords Impact: Privilege Escalation Attack vector: HTTP 2...

AI score 6.8
Exploits: 0 | Affected Software: 1

KoreLogic Security
added 2016/02/12 12:00 a.m. | 1011 views

Arris DG1670A Cable Modem Remote Command Execution

Vulnerability Details Affected Vendor: Arris Affected Product: Cable Modem Affected Version: DG1670A, TG1670 Platform: Embedded Linux CWE Classification: CWE-73: External Control of File Name or Path; CWE-77: Improper Neutralization of Special Elements used in a Command; CWE-522: Insufficiently...

AI score 7.7
Exploits: 0 | Affected Software: 1

ICS
added 2012/05/19 6:00 a.m. | 43 views

Tridium Niagara Vulnerabilities

OVERVIEW --------- Begin Update A Part 1 of 2 -------- This updated advisory is a follow-up to the original advisory titled ICSA-12-228-01 Tridium Niagara Multiple Vulnerabilities that was published August 15, 2012, on the ICS-CERT Web page. It is also a follow-up to ICS-ALERT-12-195-01 Tridium...

CVSS 5 | AI score 6.8 | EPSS 0.00361
Exploits: 0 | References: 10