ZKTeco ZKTime Web 2.0.1.12280 Cross Site Scripting

Introduction Vendor: ZKTeco Affected Product: ZKTime Web - 2.0.1.12280 Fixed in: Vendor Website: https://www.zkteco.com/product/ZKTimeWeb2.0435.html Vulnerability Type: Reflected XSS Remote Exploitable: Yes CVE: CVE-2017-17057 2. Overview There is a reflected XSS vulnerability in ZKTime Web. The...

Siemens Industrial Products (Update S)

1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION : Remotely exploitable/low attack complexity Vendor : Siemens Equipment : Industrial Products Vulnerability : Improper Input Validation 2. UPDATE INFORMATION This updated advisory is a follow-up to the advisory update titled ICSA-17-339-01 Siemens...

MyTy 5.1.7 Cross Site Scripting Vulnerability

MyTy versions 5.0.4 through 5.1.7 suffer from a cross site scripting vulnerability. Product: MyTy Vendor: Finlane GmbH CSNC ID: CSNC-2017-030 CVE ID: - Subject: Reflected Cross-Site Scripting XSS Risk: High Effect: Remotely exploitable Author: Nicolas Heiniger Date: 21.11.2017 Introduction:...

MyTy 5.1.7 Cross Site Scripting

COMPASS SECURITY ADVISORY https://www.compass-security.com/research/advisories/ Product: MyTy Vendor: Finlane GmbH CSNC ID: CSNC-2017-030 CVE ID: - Subject: Reflected Cross-Site Scripting XSS Risk: High Effect: Remotely exploitable Author: Nicolas Heiniger Date: 21.11.2017 Introduction:...

osTicket 1.10 - SQL Injection Vulnerability

Exploit for php platform in category web applications 1. ADVISORY INFORMATION ======================================== Title: osTicket v1.10 Unauthenticated SQL Injection Application: osTicket Bugs: SQL Injection Class: Sensitive Information disclosure Remotely Exploitable: Yes Authentication...

osTicket 1.10 SQL Injection

ADVISORY INFORMATION ======================================== Title: osTicket v1.10 Unauthenticated SQL Injection Application: osTicket Bugs: SQL Injection Class: Sensitive Information disclosure Remotely Exploitable: Yes Authentication Required: NO Versions Affected: = v1.10 Technology: PHP...

IWEBSOUL CMS 1.0 SQL Injection

Title: ======= IWEBSOUL CMS - Multiple SQL Injection Vulnerabilities & Authentication Bypass Introduction: ============== Intrepid Websoul Private Limited - iWebsoul is a rapidly growing IT Solution provider in India. Team comprehensively works to create a unique business and industry based...

PHOENIX CONTACT, Innominate Security Technologies mGuard Firmware

CVSS v3 7.5 ATTENTION: Remotely exploitable/low skill level to exploit. Vendor: PHOENIX CONTACT, Innominate Security Technologies Equipment: mGuard firmware Vulnerability: Null Pointer Dereference AFFECTED PRODUCTS The following versions of mGuard firmware versions 8.0.0 to 8.5.1, running on thes...

Brickcom IP Camera - Credentials Disclosure

Brickcom IP Camera - Credentials Disclosure 1. Advisory Information ======================================== Title: Brickcom IP-Camera Remote Credentials and Settings Disclosure Vendor Homepage: http://www.brickcom.com Tested on Camera types: WCB-040Af, WCB-100A, WCB-100Ae, OB-302Np, OB-300Af,...

Trend Micro Smart Protection OS Command Injection

1. Advisory Information Title: Trend Micro Smart Protection OS Command Injection Advisory ID: CORE-2017-0004 Advisory URL:http://www.coresecurity.com/core-labs/advisories/trend-micro-smart-protection-os-command-injection Date published: 2017-08-23 Date of last update: 2017-08-23 Vendors contacted...

QuantaStor Software Defined Storage < 4.3.1 - Multiple Vulnerabilities

--- Advisory details --- Title: QuantaStor Software Define Storage mmultiple vulnerabilities Advisory ID: VVVSEC-2017-6943 Advisory URL: http://www.vvvsecurity.com/advisories/vvvsecurity-advisory-2017-6943.txt Date published: 12/08/2017 CVEs: CVE-2017-9978 "Brute force login request using http...

OSIsoft PI Integrator

CVSS v3 9.8 ATTENTION: Remotely exploitable/low skill level to exploit. Vendor: OSIsoft Equipment: PI Integrator Vulnerabilities: Cross-Site Scripting, Improper Authorization AFFECTED PRODUCTS The following versions of PI Integrator, a data management platform, are affected: PI Integrator for SAP...

Oracle Integration Gateway Directory Traversal Vulnerability

Oracle Integration Gateway PSIGW suffers from a directory traversal vulnerability. 1. ADVISORY INFORMATION Title: Directory Traversal vulnerability in Integration Gateway PSIGW Advisory ID: ERPSCAN-17-038 Advisory URL:...

Oracle MICROS POS missing authorisation check

Application: Oracle MICROS POS Versions Affected: Oracle Hospitality Simphony 2.7-2.9 Vendor URL: Oracle Bug: Missing Authentication for Critical Function Reported: 21.07.2017 Vendor response: 22.07.2017 Date of Public Advisory: 17.01.2018 Reference: Oracle CPU January 2018 Author: Dmitry Chastuh...

ICSA-17-187-03F Siemens SIPROTEC 4 and SIPROTEC Compact (Update F)

CVSS v3 8.6 ATTENTION: Remotely exploitable/low skill level to exploit. Vendor: Siemens Equipment: SIPROTEC 4 and SIPROTEC Compact Vulnerabilities: Improper Input Validation, Missing Authorization, Improper Authentication UPDATE INFORMATION This updated advisory is a follow-up to the updated...

Kaspersky Anti-Virus File Server 8.0.3.297 XSS / CSRF / Code Execution

Advisory Information Title: Kaspersky Anti-Virus File Server Multiple Vulnerabilities Advisory ID: CORE-2017-0003 Advisory URL: http://www.coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities Date published: 2017-06-28 Date of last update: 2017-06-28 Vendors...

Information Disclosure in PeopleSoft Listening Connector

Application: Oracle PeopleSoft Versions Affected: Oracle PeopleTools 8.54 – 8.56 Vendor: Oracle Bugs: Information Disclosure Reported: 15.06.2017 Vendor response: 16.06.2017 Date of Public Advisory: 17.01.2018 Reference: Oracle CPU January 2018 Authors: Dmitri Iudin aka @ret5et ERPScan...

Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities

Oracle released its biggest Critical Patch Update ever on Tuesday, and with it came added urgency in the form of patches for the Solaris vulnerabilities exposed by the ShadowBrokers last week, as well as the recent Apache Struts 2 vulnerability, also under public attack. In all, Oracle admins hav...

Oracle Plugs Struts and Shadow Brokers hole along with 299 Total Vulnerabilities

Today Oracle released a total of 299 new security fixes across all product families. It is important to note that it fixed 25 instances of the infamous Apache Struts vulnerability which could allow a remote attacker to take complete control of the server running Struts. The struts fix was applied...

Rockwell Automation ControlLogix 5580 and CompactLogix 5380

CVSS v3 6.8 ATTENTION: Remotely exploitable. Vendor: Rockwell Automation Equipment: ControlLogix 5580 and CompactLogix 5380 Vulnerability: Resource Exhaustion REPOSTED INFORMATION This advisory was originally posted to the NCCIC Portal on April 4, 2017, and is being released to the NCCIC/ICS-CERT...