LS ELECTRIC PLC and XG5000 (Update A)

1. EXECUTIVE SUMMARY CVSS v3 6.5 ATTENTION: Exploitable remotely/low attack complexity Vendor : LS ELECTRIC, LS Industrial Systems LSIS Co. Ltd Equipment: LS ELEC PLC and XG5000 Vulnerability: Inadequate Encryption Strength 2. UPDATE This updated advisory is a follow-up to the original advisory...

A malicious delegatee can always block the delegator from undelegating the lock

Lines of code Vulnerability details Impact A user who has delegated his/hers voting power to a delegatee can break his/hers delegate only by submitting a lock with a higher expiration time than the delegatee after a successful call to increaseUnlockTime function. After that, he has to call the...

Questions for Confluence App Default Credentials (CVE-2022-26138)

The remote confluence web application uses a known set of hard-coded default credentials of the 'Questions for Confluence' marketplace application. An attacker can exploit this to gain administrative access to the remote host. C Tenable, Inc. include'compat.inc'; if description scriptid164091;...

CVE-2022-2769

A vulnerability, which was classified as problematic, has been found in SourceCodester Company Website CMS. This issue affects some unknown processing of the file /dashboard/contact. The manipulation of the argument phone leads to cross site scripting. The attack may be initiated remotely. The...

Privilege escalation

The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL - Enterprise Edition, and TIBCO FTL - Enterprise Edition contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a...

Emerson OpenBSI

1. EXECUTIVE SUMMARY CVSS v3 9.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: Emerson Equipment: OpenBSI Vulnerabilities: Use of Broken or Risky Cryptographic Algorithm, Use of Hard-coded Cryptographic Key CISA is aware of a public report, “OT:ICEFALL,” that details...

Siemens Simcenter STAR-CCM+

1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Simcenter STAR-CCM+ Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor 2. RISK EVALUATION Simcenter STAR-CCM+ contains an information disclosure vulnerability...

CVE-2022-21517

Vulnerability in the MySQL Server product of Oracle MySQL component: InnoDB. Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of thi...

CVE-2022-30571 TIBCO iWay Service Manager Reflected Cross Site Scripting (XSS) Vulnerability

The iWay Service Manager Console component of TIBCO Software Inc.'s TIBCO iWay Service Manager contains easily exploitable Reflected Cross Site Scripting XSS vulnerabilities that allow a low privileged attacker with network access to execute scripts targeting the affected system or the victim's...

CVE-2022-2414

creationtimestamp| type| source ---|---|--- 2022-07-29 22:13:43+00:00| seen| https://t.me/cibsecurity/47279 2022-08-23 15:00:04+00:00| seen| https://t.me/poxek/2343 2022-08-31 13:04:24+00:00| seen| https://t.me/ptswarm/146 2022-12-06 14:42:14+00:00| published-proof-of-concept|...

Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : MySQL vulnerabilities (USN-5537-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5537-1 advisory. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL...

Cross site scripting

Jenkins Maven Metadata Plugin for Jenkins CI server Plugin 2.2 and earlier does not perform URL validation for the Repository Base URL of List maven artifact versions parameters, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

Honeywell Safety Manager

1. EXECUTIVE SUMMARY CVSS v3 7.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Honeywell Equipment: Safety Manager 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow for configuration and firmware manipulation or remote code execution. 3. TECHNICAL...

Honeywell Saia Burgess PG5 PCD

1. EXECUTIVE SUMMARY CVSS v3 7.6 ATTENTION: Exploitable on adjacent network/low attack complexity Vendor: Honeywell Equipment: Saia Burgess PG5 PCD Vulnerabilities: Authentication Bypass, Use of a Broken or Risky Cryptographic Algorithm CISA is aware of a public report known as “OT:ICEFALL” that...

Inductive Automation Ignition

1. EXECUTIVE SUMMARY CVSS v3 8.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Inductive Automation Equipment: Ignition Vulnerability: Improper Restriction of XML External Entity Reference 2. UPDATE INFORMATION This updated advisory is a follow-up to the advisory update titled...

CVE-2017-20145

CVE-2017-20145 affects Tecrail Responsive Filemanger up to version 9.10.x. The root cause is a path traversal vulnerability that enables remote access to files. Several connected sources corroborate a critical impact and indicate upgrading to version 9.11.0 as the fix. In at least one reference, ...

Binary Vulnerability in CAD Mini Viewing at Shanghai Xiaosai Technology Co.

CAD Mini Viewer is a DWG viewing tool to quickly view DWG drawings out of AutoCAD. A binary vulnerability exists in CAD Mini Viewer, which can be exploited by attackers to cause the program to crash...

CVE-2022-31151

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or...

CVE-2022-31151

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or...

UBUNTU-CVE-2022-31151

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or...