9459 matches found

ICS
added 2022/06/21 12:0 a.m. | 69 views

Phoenix Contact Classic Line Industrial Controllers

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Phoenix Contact Equipment: ILC 131 ETH, ILC 131 ETH/XC, ILC 151 ETH, ILC 151 ETH/XC, ILC 171 ETH 2TX, ILC 191 ETH 2TX, ILC 191 ME/AN, and AXC 1050 Vulnerability: Missing Authentication for Critical...

9.8 CVSS | 10 AI score | 0.03079 EPSS
Exploits: 1 | References: 4

ICS
added 2022/06/21 12:0 a.m. | 126 views

Phoenix Contact ProConOS and MULTIPROG

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Phoenix Contact Equipment: ProConOS/ProConOS eCLR and MULTIPROG Vulnerability: Insufficient Verification of Data Authenticity CISA is aware of a public report, known as “OT:ICEFALL” that details...

10 CVSS | 9.9 AI score | 0.01031 EPSS
Exploits: 0 | References: 5

ICS
added 2022/06/21 12:0 a.m. | 78 views

JTEKT TOYOPUC

1. EXECUTIVE SUMMARY CVSS v3 7.7 ATTENTION: Exploitable remotely Vendor: JTEKT Equipment: TOYOPUC Products Vulnerability: Missing Authentication for Critical Function CISA is aware of a public report, known as “OT:ICEFALL” that details vulnerabilities found in multiple operational technology OT...

9.8 CVSS | 10 AI score | 0.00943 EPSS
Exploits: 0 | References: 4

CVE
added 2022/06/16 2:53 p.m. | 69 views

CVE-2022-31849

The CVE-2022-31849 issue affects MERCURY MIPC451-4, version 1.0.22 Build 220105 Rel.55642n. A remote code execution (RCE) vulnerability exists exploitable via a crafted POST request. Impacted components: the device firmware; underlying cause is not further specified in the provided documents. CVS...

8.8 CVSS | 8.9 AI score | 0.01829 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

CNVD
added 2022/06/16 12:0 a.m. | 17 views

Brandbugle SQL Injection Vulnerability

Brandbugle is an e-commerce application from Brandbugle India. Brandbugle is vulnerable to SQL injection, which can be exploited by attackers to cause sql injection issues via /main.php...

8.8 CVSS | 4.8 AI score | 0.00597 EPSS
Exploits: 0 | References: 1

ICS
added 2022/06/16 12:0 a.m. | 55 views

AutomationDirect DirectLOGIC with Ethernet

1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: AutomationDirect Equipment: DirectLOGIC with Ethernet Communication Modules Vulnerabilities: Uncontrolled Resource Consumption, Cleartext Transmission of Sensitive Information 2. UPDATE OR REPOSTED...

9.1 CVSS | 9 AI score | 0.00827 EPSS
Exploits: 0 | References: 4

ICS
added 2022/06/14 6:0 a.m. | 56 views

Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update C)

1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: MELSEC iQ-R, Q, and L Series CPU Module; MELIPC Series CPU Vulnerability: Improper Resource Locking 2. RISK EVALUATION Successful exploitation of this vulnerability...

7.8 CVSS | 7.9 AI score | 0.01545 EPSS
Exploits: 0 | References: 10

ICS
added 2022/06/14 12:0 a.m. | 46 views

Mitsubishi Electric MELSEC-Q/L and MELSEC iQ-R

1. EXECUTIVE SUMMARY CVSS v3 8.1 ATTENTION: Exploitable remotely Vendor: Mitsubishi Electric Equipment: MELSEC-Q/L Series and iQ-R Series Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could result in a denial-of-service condition and/or...

10 CVSS | 9.8 AI score | 0.02045 EPSS
Exploits: 0 | References: 4

ICS
added 2022/06/14 12:0 a.m. | 70 views

Siemens Teamcenter

1. EXECUTIVE SUMMARY CVSS v3 9.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Teamcenter Vulnerability: Use of Hard-coded Credentials 2. UPDATE This updated advisory is a follow-up to the original advisory titled ICSA-22-167-13 Siemens Teamcenter that was...

8.8 CVSS | 8.7 AI score | 0.01248 EPSS
Exploits: 0 | References: 11

ICS
added 2022/06/14 12:0 a.m. | 54 views

Johnson Controls Metasys ADS ADX OAS Servers

1. EXECUTIVE SUMMARY CVSS v3 8.7 ATTENTION: Low attack complexity/exploitable remotely Vendor: Johnson Controls, Inc. Equipment: Metasys ADS/ADX/OAS Servers Vulnerabilities: Unverified Password Change, Cross-site Scripting 2. RISK EVALUATION Successful exploitation of these vulnerabilities could...

8.7 CVSS | 7.4 AI score | 0.00839 EPSS
Exploits: 0 | References: 5

Hacker One
added 2022/06/08 2:50 p.m. | 25 views

Nextcloud: Unauthenticated SSRF in 3rd party module "cerdic/csstidy"

Summary: The mail extension in nextcloud includes a module called "cerdic/csstidy" which basically ships with a publicly accessible test/example interface to play with the CSS formatter and optimiser /apps/mail/vendor/cerdic/css-tidy/cssoptimiser.php. This module allows contacting any remote serv...

7.5 CVSS | 0.1 AI score | 0.00604 EPSS
Exploits: 0

Tenable Nessus
added 2022/06/08 12:0 a.m. | 37 views

Debian DSA-5156-1 : firefox-esr - security update

The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5156 advisory. Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information...

9.8 CVSS | 8.1 AI score | 0.01055 EPSS
Exploits: 0 | References: 18

The Hacker News
added 2022/06/06 2:4 p.m. | 39 views

Unpatched Critical Flaws Disclosed in U-Boot Bootloader for Embedded Devices

Cybersecurity researchers have disclosed two unpatched security vulnerabilities in the open-source U-Boot boot loader. The issues, which were uncovered in the IP defragmentation algorithm implemented in U-Boot by NCC Group, could be abused to achieve arbitrary out-of-bounds write and...

1.7 AI score | 0.00554 EPSS
Exploits: 1

Mageia
added 2022/06/04 8:25 p.m. | 53 views

Updated thunderbird packages fix security vulnerability

When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown...

9.8 CVSS | 0.5 AI score | 0.01055 EPSS
Exploits: 0 | References: 4

RedHat Linux
added 2022/06/03 3:39 p.m. | 2 views

Mozilla: Heap buffer overflow in WebGL

The Mozilla Foundation Security Advisory describes this flaw as: A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash...

9.8 CVSS | 7.3 AI score | 0.00814 EPSS
Exploits: 0 | References: 6

RedHat Linux
added 2022/06/03 3:39 p.m. | 6 views

Mozilla: Register allocation problem in WASM on arm64

The Mozilla Foundation Security Advisory describes this flaw as: On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash...

8.8 CVSS | 7.4 AI score | 0.00651 EPSS
Exploits: 0 | References: 6

RedHat Linux
added 2022/06/03 3:28 p.m. | 2 views

Mozilla: Register allocation problem in WASM on arm64

The Mozilla Foundation Security Advisory describes this flaw as: On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash...

8.8 CVSS | 7.4 AI score | 0.00651 EPSS
Exploits: 0 | References: 6

RedHat Linux
added 2022/06/03 3:28 p.m. | 2 views

Mozilla: Heap buffer overflow in WebGL

The Mozilla Foundation Security Advisory describes this flaw as: A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash...

9.8 CVSS | 7.3 AI score | 0.00814 EPSS
Exploits: 0 | References: 6

RedHat Linux
added 2022/06/03 12:50 p.m. | 5 views

Mozilla: Register allocation problem in WASM on arm64

The Mozilla Foundation Security Advisory describes this flaw as: On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash...

8.8 CVSS | 7.4 AI score | 0.00651 EPSS
Exploits: 0 | References: 6

RedHat Linux
added 2022/06/03 12:50 p.m. | 4 views

Mozilla: Heap buffer overflow in WebGL

The Mozilla Foundation Security Advisory describes this flaw as: A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash...

9.8 CVSS | 7.3 AI score | 0.00814 EPSS
Exploits: 0 | References: 6