B&R Industrial Automation Security Vulnerabilities

CVE-2024-28775

IBM WebSphere Automation 1.7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: ...

Exploit for Out-of-bounds Write in Polkit Project Polkit

b0VIM...

Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Workload Automation.

Summary IBM Workload Automation has updated OpenSSL to address multiple vulnerabilities. (CVE-2023-2650, CVE-2023-0464, CVE-2023-0466, CVE-2023-0465). Vulnerability Details ** CVEID: CVE-2023-2650 DESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a flaw when using...

CVE-2023-1108

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never...

CVE-2023-45845

Improper conditions check for some Intel(R) Wireless Bluetooth(R) products for Windows before version 23.20 may allow a privileged user to potentially enable denial of service via local...

CVE-2024-21864

Improper neutralization in some Intel(R) Arc(TM) & Iris(R) Xe Graphics software before version 31.0.101.5081 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent network...

CVE-2024-21837

Uncontrolled search path in some Intel(R) Quartus(R) Prime Lite Edition Design software before version 23.1 may allow an authenticated user to potentially enable escalation of privilege via local...

CVE-2021-33158

Improper neutralization in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow a privileged user to potentially enable escalation of privilege via local...

CVE-2023-32042

OLE Automation Information Disclosure...

CVE-2021-33142

Improper input validation in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow a privileged user to potentially enable denial of service via local...

CVE-2023-25822

ReportPortal is an AI-powered test automation platform. Prior to version 5.10.0 of the com.epam.reportportal:service-api module, corresponding to ReportPortal version 23.2, the ReportPortal database becomes unstable and reporting almost fully stops except for small launches with approximately 1...

CVE-2024-21864

Improper neutralization in some Intel(R) Arc(TM) & Iris(R) Xe Graphics software before version 31.0.101.5081 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent network...

CVE-2024-21837

Uncontrolled search path in some Intel(R) Quartus(R) Prime Lite Edition Design software before version 23.1 may allow an authenticated user to potentially enable escalation of privilege via local...

CVE-2021-33161

Improper input validation in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow a privileged user to potentially enable escalation of privilege via local...

CVE-2021-33161

Improper input validation in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow a privileged user to potentially enable escalation of privilege via local...

CVE-2021-33162

Improper access control in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow an authenticated user to potentially enable escalation of privilege via local...

CVE-2024-27005 interconnect: Don't access req_list while it's being manipulated

In the Linux kernel, the following vulnerability has been resolved: interconnect: Don't access req_list while it's being manipulated The icc_lock mutex was split into separate icc_lock and icc_bw_lock mutexes in [1] to avoid lockdep splats. However, this didn't adequately protect access to...

CVE-2023-41897

Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks...

CVE-2023-35192

Uncontrolled search path in some Intel(R) GPA Framework software before version 2023.3 may allow an authenticated user to potentially enable escalation of privilege via local...

Exploit for Path Traversal in Wso2 Api Manager

😭 WSOB...

CVE-2021-33157

Insufficient control flow management in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow a privileged user to potentially enable escalation of privilege via local...

CVE-2021-33157

Insufficient control flow management in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow a privileged user to potentially enable escalation of privilege via local...

Exploit for CVE-2024-25600

CVE-2024-25600 Exploit Tool 🚀 Description 📝 This tool 🛠️...

CVE-2021-33158

Improper neutralization in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow a privileged user to potentially enable escalation of privilege via local...

openSUSE Security Update : python-python-gnupg (openSUSE-2019-143)

This update for python-python-gnupg to version 0.4.4 fixes the following issues : Security issue fixed : CVE-2019-6690: Added a check to disallow certain control characters ('\r', '\n', NUL) in passphrases ...

CVE-2021-33141

Improper input validation in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow an unauthenticated user to potentially enable denial of service via network...

CVE-2021-33141

Improper input validation in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow an unauthenticated user to potentially enable denial of service via network...

CVE-2021-33142

Improper input validation in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow a privileged user to potentially enable denial of service via local...

Exploit for Command Injection in Chamilo

CVE-2023-34960 Mass unauthenticated command injection...

CVE-2021-33157

Insufficient control flow management in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow a privileged user to potentially enable escalation of privilege via local...

CVE-2023-26142

All versions of the package crow are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. Header values are not properly sanitized against CRLF Injection in the set_header and add_header functions. An attacker can add the \r\n (carriage return line feeds)....

CVE-2024-27005

In the Linux kernel, the following vulnerability has been resolved: interconnect: Don't access req_list while it's being manipulated The icc_lock mutex was split into separate icc_lock and icc_bw_lock mutexes in [1] to avoid lockdep splats. However, this didn't adequately protect access to...

CVE-2024-27005 interconnect: Don't access req_list while it's being manipulated

In the Linux kernel, the following vulnerability has been resolved: interconnect: Don't access req_list while it's being manipulated The icc_lock mutex was split into separate icc_lock and icc_bw_lock mutexes in [1] to avoid lockdep splats. However, this didn't adequately protect access to...

CVE-2023-35192

Uncontrolled search path in some Intel(R) GPA Framework software before version 2023.3 may allow an authenticated user to potentially enable escalation of privilege via local...

CVE-2024-1889

Cross-Site Request Forgery vulnerability in SMA Cluster Controller, affecting version 01.05.01.R. This vulnerability could allow an attacker to send a malicious link to an authenticated user to perform actions with these user permissions on the affected...

CVE-2024-1889 Cross-Site Request Forgery vulnerability in SMA Cluster Controller

Cross-Site Request Forgery vulnerability in SMA Cluster Controller, affecting version 01.05.01.R. This vulnerability could allow an attacker to send a malicious link to an authenticated user to perform actions with these user permissions on the affected...

CVE-2024-27391 wifi: wilc1000: do not realloc workqueue everytime an interface is added

In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: do not realloc workqueue everytime an interface is added Commit 09ed8bfc5215 ("wilc1000: Rename workqueue from "WILC_wq" to "NETDEV-wq"") moved workqueue creation in wilc_netdev_ifc_init in order to set the...

CVE-2024-1889

Cross-Site Request Forgery vulnerability in SMA Cluster Controller, affecting version 01.05.01.R. This vulnerability could allow an attacker to send a malicious link to an authenticated user to perform actions with these user permissions on the affected...

CVE-2024-1889 Cross-Site Request Forgery vulnerability in SMA Cluster Controller

Cross-Site Request Forgery vulnerability in SMA Cluster Controller, affecting version 01.05.01.R. This vulnerability could allow an attacker to send a malicious link to an authenticated user to perform actions with these user permissions on the affected...

CVE-2024-2656

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a CSV import in all versions up to, and including, 5.7.14 due to insufficient input sanitization and output...

Important: edk2 security update

EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es): edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message (CVE-2023-45235) EDK2: heap...

CVE-2023-43751

Uncontrolled search path in Intel(R) Graphics Command Center Service bundled in some Intel(R) Graphics Windows DCH driver software before versions 31.0.101.3790/31.0.101.2114 may allow an authenticated user to potentially enable escalation of privilege via local...

CVE-2024-27391

In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: do not realloc workqueue everytime an interface is added Commit 09ed8bfc5215 ("wilc1000: Rename workqueue from "WILC_wq" to "NETDEV-wq"") moved workqueue creation in wilc_netdev_ifc_init in order to set the...

CVE-2024-28764

IBM WebSphere Automation 1.7.0 could allow an attacker with privileged access to the network to conduct a CSV injection. An attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: ...

Important: edk2 security update

EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es): edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message (CVE-2023-45235) EDK2: heap...

Exploit for Deserialization of Untrusted Data in Apache Log4J

CVE-2021-44228 Remote Code Injection In Log4j...

CVE-2023-43751

Uncontrolled search path in Intel(R) Graphics Command Center Service bundled in some Intel(R) Graphics Windows DCH driver software before versions 31.0.101.3790/31.0.101.2114 may allow an authenticated user to potentially enable escalation of privilege via local...

Zebra ZTC Industrial ZT400 and ZTC Desktop GK420d Authentication Bypass (CVE-2023-4957)

A vulnerability of authentication bypass has been found on a Zebra Technologies ZTC ZT410-203dpi ZPL printer. This vulnerability allows an attacker that is in the same network as the printer, to change the username and password for the Web Page by sending a specially crafted POST request to the...

LumisXP <10.0.0 - Blind XML External Entity Attack

LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XML external entity (XXE) attacks via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of...

CVE-2023-43751

Uncontrolled search path in Intel(R) Graphics Command Center Service bundled in some Intel(R) Graphics Windows DCH driver software before versions 31.0.101.3790/31.0.101.2114 may allow an authenticated user to potentially enable escalation of privilege via local...