Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-23808 (GCVE-0-2022-23808)
Vulnerability from cvelistv5 – Published: 2022-01-22 00:00 – Updated: 2025-05-05 16:25
VLAI?
EPSS
Summary
An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:51:46.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.phpmyadmin.net/security/PMASA-2022-2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97"
},
{
"name": "GLSA-202311-17",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-17"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-23808",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:22:03.773377Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T16:25:09.948Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-26T12:06:13.311Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.phpmyadmin.net/security/PMASA-2022-2/"
},
{
"url": "https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97"
},
{
"name": "GLSA-202311-17",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202311-17"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-23808",
"datePublished": "2022-01-22T00:00:00.000Z",
"dateReserved": "2022-01-21T00:00:00.000Z",
"dateUpdated": "2025-05-05T16:25:09.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.1.0\", \"versionEndExcluding\": \"5.1.2\", \"matchCriteriaId\": \"45AFD905-B58E-42E9-9682-3CB2E644DCFF\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.\"}, {\"lang\": \"es\", \"value\": \"Se ha detectado un problema en phpMyAdmin versiones 5.1 anteriores a 5.1.2. Un atacante puede inyectar c\\u00f3digo malicioso en aspectos del script de configuraci\\u00f3n, lo que puede permitir una inyecci\\u00f3n de tipo XSS o HTML\"}]",
"id": "CVE-2022-23808",
"lastModified": "2024-11-21T06:49:17.707",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
"published": "2022-01-22T02:15:07.197",
"references": "[{\"url\": \"https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://security.gentoo.org/glsa/202311-17\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.phpmyadmin.net/security/PMASA-2022-2/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.gentoo.org/glsa/202311-17\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.phpmyadmin.net/security/PMASA-2022-2/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-23808\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-01-22T02:15:07.197\",\"lastModified\":\"2025-05-05T17:17:58.507\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.\"},{\"lang\":\"es\",\"value\":\"Se ha detectado un problema en phpMyAdmin versiones 5.1 anteriores a 5.1.2. Un atacante puede inyectar c\u00f3digo malicioso en aspectos del script de configuraci\u00f3n, lo que puede permitir una inyecci\u00f3n de tipo XSS o HTML\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.1.0\",\"versionEndExcluding\":\"5.1.2\",\"matchCriteriaId\":\"45AFD905-B58E-42E9-9682-3CB2E644DCFF\"}]}]}],\"references\":[{\"url\":\"https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.gentoo.org/glsa/202311-17\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.phpmyadmin.net/security/PMASA-2022-2/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202311-17\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.phpmyadmin.net/security/PMASA-2022-2/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.phpmyadmin.net/security/PMASA-2022-2/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.gentoo.org/glsa/202311-17\", \"name\": \"GLSA-202311-17\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T03:51:46.011Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-23808\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T13:22:03.773377Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-05T13:16:58.337Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://www.phpmyadmin.net/security/PMASA-2022-2/\"}, {\"url\": \"https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97\"}, {\"url\": \"https://security.gentoo.org/glsa/202311-17\", \"name\": \"GLSA-202311-17\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2023-11-26T12:06:13.311Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-23808\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-05T16:25:09.948Z\", \"dateReserved\": \"2022-01-21T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2022-01-22T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2022-23808
Vulnerability from fkie_nvd - Published: 2022-01-22 02:15 - Updated: 2025-05-05 17:17
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| phpmyadmin | phpmyadmin | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "45AFD905-B58E-42E9-9682-3CB2E644DCFF",
"versionEndExcluding": "5.1.2",
"versionStartIncluding": "5.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection."
},
{
"lang": "es",
"value": "Se ha detectado un problema en phpMyAdmin versiones 5.1 anteriores a 5.1.2. Un atacante puede inyectar c\u00f3digo malicioso en aspectos del script de configuraci\u00f3n, lo que puede permitir una inyecci\u00f3n de tipo XSS o HTML"
}
],
"id": "CVE-2022-23808",
"lastModified": "2025-05-05T17:17:58.507",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-01-22T02:15:07.197",
"references": [
{
"source": "cve@mitre.org",
"url": "https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97"
},
{
"source": "cve@mitre.org",
"url": "https://security.gentoo.org/glsa/202311-17"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.phpmyadmin.net/security/PMASA-2022-2/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/202311-17"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.phpmyadmin.net/security/PMASA-2022-2/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
ICSA-26-027-02
Vulnerability from csaf_cisa - Published: 2024-02-27 12:00 - Updated: 2026-01-27 16:20Summary
Festo Didactic SE MES PC
Notes
General recommendation
Festo Didactic offers products with security functions that aid the safe operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks from cyber threats, a comprehensive security concept must be implemented and continuously updated. Festo products and services only constitute one part of such a concept.
The customer is responsible for preventing unauthorized access to their plants, systems, machines and networks. Systems, machines and components should only be connected to a company's network or the Internet if and as necessary, and only when the suitable security measures (e.g., firewalls and network segmentation, defense-in-depth) are in place. Failure to ensure adequate security measures when connecting the product to the network can result in vulnerabilities which allow unauthorized, remote access to the network - even beyond the product boundaries. This access could be abused to incur a loss of data or manipulate or sabotage systems. Typical forms of attack include but are not limited to: Denial-of-Service (rendering the system temporarily non-functional), remote execution of malicious code, privilege escalation (executing malicious code with higher system privileges than expected), ransomware (encryption of data and demanding payment for decryption). In the context of industrial systems and machines this can also lead to unsafe states, posing a danger to people and equipment.
Furthermore, Festo guidelines on suitable security measures should be observed. Festo products and solutions are constantly being developed further in order to make them more secure. Festo strongly recommends that customers install product updates as soon as they become available and always use the latest versions of its products. Any use of product versions that are no longer supported or any failure to install the latest updates may render the customer vulnerable to cyber-attacks.
Summary
MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered. These are fixed in newer versions of XAMPP by updating the bundled applications.
MES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic's Factory Control Panel application.
Disclaimer
Festo assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided free of charge and on good faith by Festo. Insofar as permissible by law, however, none of this information shall establish any warranty, guarantee, commitment, or liability on the part of Festo.\n\nNote: In no case does this information release the operator or responsible person from the obligation to check the effect on his system or installation before using the information and, in the event of negative consequences, not to use the information.\n\nIn addition, the actual general terms, and conditions for delivery, payment and software use of Festo, available under http://www.festo.com and the special provisions for the use of Festo Security Advisory available at https://www.festo.com/psirt shall apply.
Impact
The vulnerabilities covered by this advisory have a broad range of impacts ranging from denial-of-service to disclosure or manipulation/deletion of information.
Given the intended usage of MES PCs for didactic purposes in controlled lab environments, separate from productive systems, it never comes into contact with sensitive information. Therefore the impact is reduced to limited availability of the system.
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Festo SE & Co. KG FSA-202402 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Festo SE & Co. KG directly for any questions regarding this advisory.
Critical infrastructure sectors
Commercial Facilities, Communications, Critical Manufacturing, Energy
Countries/areas deployed
Worldwide
Company headquarters location
Germany
Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.
Recommended Practices
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Recommended Practices
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
Recommended Practices
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Recommended Practices
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination and support with this publication",
"urls": [
"https://certvde.com/"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "Festo Didactic offers products with security functions that aid the safe operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks from cyber threats, a comprehensive security concept must be implemented and continuously updated. Festo products and services only constitute one part of such a concept.\nThe customer is responsible for preventing unauthorized access to their plants, systems, machines and networks. Systems, machines and components should only be connected to a company\u0027s network or the Internet if and as necessary, and only when the suitable security measures (e.g., firewalls and network segmentation, defense-in-depth) are in place. Failure to ensure adequate security measures when connecting the product to the network can result in vulnerabilities which allow unauthorized, remote access to the network - even beyond the product boundaries. This access could be abused to incur a loss of data or manipulate or sabotage systems. Typical forms of attack include but are not limited to: Denial-of-Service (rendering the system temporarily non-functional), remote execution of malicious code, privilege escalation (executing malicious code with higher system privileges than expected), ransomware (encryption of data and demanding payment for decryption). In the context of industrial systems and machines this can also lead to unsafe states, posing a danger to people and equipment.\nFurthermore, Festo guidelines on suitable security measures should be observed. Festo products and solutions are constantly being developed further in order to make them more secure. Festo strongly recommends that customers install product updates as soon as they become available and always use the latest versions of its products. Any use of product versions that are no longer supported or any failure to install the latest updates may render the customer vulnerable to cyber-attacks.",
"title": "General recommendation"
},
{
"category": "summary",
"text": "MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered. These are fixed in newer versions of XAMPP by updating the bundled applications. \n\nMES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic\u0027s Factory Control Panel application.",
"title": "Summary"
},
{
"category": "legal_disclaimer",
"text": "Festo assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided free of charge and on good faith by Festo. Insofar as permissible by law, however, none of this information shall establish any warranty, guarantee, commitment, or liability on the part of Festo.\\n\\nNote: In no case does this information release the operator or responsible person from the obligation to check the effect on his system or installation before using the information and, in the event of negative consequences, not to use the information.\\n\\nIn addition, the actual general terms, and conditions for delivery, payment and software use of Festo, available under http://www.festo.com and the special provisions for the use of Festo Security Advisory available at https://www.festo.com/psirt shall apply.",
"title": "Disclaimer"
},
{
"category": "description",
"text": "The vulnerabilities covered by this advisory have a broad range of impacts ranging from denial-of-service to disclosure or manipulation/deletion of information.\nGiven the intended usage of MES PCs for didactic purposes in controlled lab environments, separate from productive systems, it never comes into contact with sensitive information. Therefore the impact is reduced to limited availability of the system.",
"title": "Impact"
},
{
"category": "legal_disclaimer",
"text": "This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy \u0026 Use policy (https://www.cisa.gov/privacy-policy).",
"title": "Legal Notice and Terms of Use"
},
{
"category": "other",
"text": "This ICSA is a verbatim republication of Festo SE \u0026 Co. KG FSA-202402 from a direct conversion of the vendor\u0027s Common Security Advisory Framework (CSAF) advisory. This is republished to CISA\u0027s website as a means of increasing visibility and is provided \"as-is\" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Festo SE \u0026 Co. KG directly for any questions regarding this advisory.",
"title": "Advisory Conversion Disclaimer"
},
{
"category": "other",
"text": "Commercial Facilities, Communications, Critical Manufacturing, Energy",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Germany",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "other",
"contact_details": "central@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "FSA-202402: Several Vulnerabilities in MES PC (Windows 10) - CSAF",
"url": "https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2024/fsa-202402.json"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisory",
"url": "https://certvde.com/en/advisories/vendor/festo/"
},
{
"category": "external",
"summary": "For further security-related issues in Festo products please contact the Festo Product Security Incident Response Team (PSIRT)",
"url": "https://festo.com/psirt"
},
{
"category": "self",
"summary": "FSA-202402: Several Vulnerabilities in MES PC (Windows 10) - HTML",
"url": "https://certvde.com/en/advisories/VDE-2023-065"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-26-027-02 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2026/icsa-26-027-02.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-26-027-02 - Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-02"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/topics/industrial-control-systems"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/news-events/news/targeted-cyber-intrusion-detection-and-mitigation-strategies-update-b"
}
],
"title": "Festo Didactic SE MES PC",
"tracking": {
"aliases": [
"VDE-2023-065"
],
"current_release_date": "2026-01-27T16:20:28.099631Z",
"generator": {
"date": "2026-01-27T16:20:28.097580Z",
"engine": {
"name": "CISA CSAF Generator",
"version": "1.5.0"
}
},
"id": "ICSA-26-027-02",
"initial_release_date": "2024-02-27T12:00:00.000000Z",
"revision_history": [
{
"date": "2024-02-27T12:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-11-04T11:00:00.000000Z",
"legacy_version": "Revision 1",
"number": "2",
"summary": "Adjust to VDE template. Add missing CWE-IDs if available. Updated legal disclaimer to add references to special provisions."
},
{
"date": "2025-12-08T07:00:00.000000Z",
"legacy_version": "Revision 2",
"number": "3",
"summary": "Add all missing CWE identifier and CVSS 3.x scores."
},
{
"date": "2026-01-27T16:20:28.099631Z",
"legacy_version": "CISA Republication",
"number": "4",
"summary": "Initial Republication of Festo SE \u0026 Co. KG FSA-202402 advisory"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "shipped_with_Windows_10",
"product": {
"name": "Festo Didactic SE MES PC shipped with Windows 10",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "MES PC"
}
],
"category": "vendor",
"name": "Festo Didactic SE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-11036",
"cwe": {
"id": "CWE-126",
"name": "Buffer Over-read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "108177",
"url": "http://www.securityfocus.com/bid/108177"
},
{
"summary": "FEDORA-2019-6350c4e21a",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BY2XUUAN277LS7HKAOGL4DVGAELOJV3/"
},
{
"summary": "FEDORA-2019-6e325234a4",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NFXYNCXZCPYT7ZN4ZLI5EPQQW44FRRO/"
},
{
"summary": "FEDORA-2019-bab3944fee",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WN2HLPGEZEF4MFM5YC5FILZB5QEQFP3A/"
},
{
"summary": "USN-3566-2",
"url": "https://usn.ubuntu.com/3566-2/"
},
{
"summary": "[debian-lts-announce] 20190525 [SECURITY] [DLA 1803-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00035.html"
},
{
"summary": "openSUSE-SU-2019:1501",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00010.html"
},
{
"summary": "openSUSE-SU-2019:1503",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html"
},
{
"summary": "USN-4009-1",
"url": "https://usn.ubuntu.com/4009-1/"
},
{
"summary": "openSUSE-SU-2019:1572",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"summary": "openSUSE-SU-2019:1573",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"summary": "20190920 [SECURITY] [DSA 4527-1] php7.3 security update",
"url": "https://seclists.org/bugtraq/2019/Sep/35"
},
{
"summary": "DSA-4527",
"url": "https://www.debian.org/security/2019/dsa-4527"
},
{
"summary": "DSA-4529",
"url": "https://www.debian.org/security/2019/dsa-4529"
},
{
"summary": "20190923 [SECURITY] [DSA 4529-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2019/Sep/38"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11036"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/126.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11036"
},
{
"cve": "CVE-2023-25727",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25727"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/79.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2023-25727"
},
{
"cve": "CVE-2021-2011",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2021-db50ab62d3",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T7EAHJPWOOF4D6PEFLXW5IQWRRSZ3HRC/"
},
{
"summary": "FEDORA-2021-b1d1655cef",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CS5THZSGI7O2CZO44NWYE57AG2T7NK3K/"
},
{
"summary": "GLSA-202105-27",
"url": "https://security.gentoo.org/glsa/202105-27"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2011"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-2011"
},
{
"cve": "CVE-2022-32083",
"cwe": {
"id": "CWE-229",
"name": "Improper Handling of Values"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB v10.2 to v10.6.1 was discovered to contain a segmentation fault via the component Item_subselect::init_expr_cache_tracker.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32083"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/229.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-32083"
},
{
"cve": "CVE-2021-46668",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB through 10.5.9 allows an application crash via certain long SELECT DISTINCT statements that improperly interact with storage-engine resource limitations for temporary data structures.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2022-263f7cc483",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJ4KDAGF3H4D4BDTHRAM6ZEAJJWWMRUO/"
},
{
"summary": "FEDORA-2022-03350936ee",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKJRBYJAQCOPHSED43A3HUPNKQLDTFGD/"
},
{
"summary": "FEDORA-2022-5cfe372ab7",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZFZVMJL5UDTOZMARLXQIMG3BTG6UNYW/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46668"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/400.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-46668"
},
{
"cve": "CVE-2018-19518",
"cwe": {
"id": "CWE-88",
"name": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a \"-oProxyCommand\" argument.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "45914",
"url": "https://www.exploit-db.com/exploits/45914/"
},
{
"summary": "[debian-lts-announce] 20190301 [SECURITY] [DLA 1700-1] uw-imap security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00001.html"
},
{
"summary": "1042157",
"url": "http://www.securitytracker.com/id/1042157"
},
{
"summary": "DSA-4353",
"url": "https://www.debian.org/security/2018/dsa-4353"
},
{
"summary": "106018",
"url": "http://www.securityfocus.com/bid/106018"
},
{
"summary": "[debian-lts-announce] 20181217 [SECURITY] [DLA 1608-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00006.html"
},
{
"summary": "USN-4160-1",
"url": "https://usn.ubuntu.com/4160-1/"
},
{
"summary": "GLSA-202003-57",
"url": "https://security.gentoo.org/glsa/202003-57"
},
{
"summary": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2866-1] uw-imap security update",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00031.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19518"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/88.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2018-19518"
},
{
"cve": "CVE-2021-2194",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2021-01189f6361",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AKV7TRUEQW6EV45RSZVVFLVQMNHVHBCJ/"
},
{
"summary": "FEDORA-2021-5b6c69a73a",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UJVUTKKFQAWR7NURCQHQQ5JHTVYGEOYQ/"
},
{
"summary": "FEDORA-2021-b8b7829a83",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JJQRPXNDH6YHQLUSCS5VA7DAW32PN7N7/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2194"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-2194"
},
{
"cve": "CVE-2019-11049",
"cwe": {
"id": "CWE-415",
"name": "Double Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2019-437d94e271",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/"
},
{
"summary": "FEDORA-2019-a54a622670",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/"
},
{
"summary": "20200218 [SECURITY] [DSA 4626-1] php7.3 security update",
"url": "https://seclists.org/bugtraq/2020/Feb/27"
},
{
"summary": "DSA-4626",
"url": "https://www.debian.org/security/2020/dsa-4626"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11049"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/415.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11049"
},
{
"cve": "CVE-2022-31626",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2022-0a96e5b9b1",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZTZQKRGEYJT5UB4FGG3MOE72SQUHSL4/"
},
{
"summary": "FEDORA-2022-f3fc52428e",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3T4MMEEZYYAEHPQMZDFN44PHORJWJFZQ/"
},
{
"summary": "DSA-5179",
"url": "https://www.debian.org/security/2022/dsa-5179"
},
{
"summary": "GLSA-202209-20",
"url": "https://security.gentoo.org/glsa/202209-20"
},
{
"summary": "[debian-lts-announce] 20221215 [SECURITY] [DLA 3243-1] php7.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31626"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/120.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-31626"
},
{
"cve": "CVE-2022-32084",
"cwe": {
"id": "CWE-229",
"name": "Improper Handling of Values"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component sub_select.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"summary": "FEDORA-2022-cf88f807f9",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZHISY4YVO4S5QJYYIXCIAXBM7INOL4VY/"
},
{
"summary": "FEDORA-2022-e0e9a43546",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WCOEGSVMIEXDZHBOSV6WVF7FAVRBR2JE/"
},
{
"summary": "FEDORA-2022-333df1c4aa",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTVAONAZXJFGHAJ4RP2OF3EAMQCOTDSQ/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32084"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/229.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-32084"
},
{
"cve": "CVE-2022-32088",
"cwe": {
"id": "CWE-229",
"name": "Improper Handling of Values"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32088"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/229.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-32088"
},
{
"cve": "CVE-2022-27377",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component Item_func_in::cleanup(), which is exploited via specially crafted SQL statements.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27377"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27377"
},
{
"cve": "CVE-2020-2922",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Client accessible data.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "USN-4350-1",
"url": "https://usn.ubuntu.com/4350-1/"
},
{
"summary": "GLSA-202105-27",
"url": "https://security.gentoo.org/glsa/202105-27"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2922"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/200.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-2922"
},
{
"cve": "CVE-2019-9638",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note-\u003eoffset relationship to value_len.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "DSA-4403",
"url": "https://www.debian.org/security/2019/dsa-4403"
},
{
"summary": "USN-3922-1",
"url": "https://usn.ubuntu.com/3922-1/"
},
{
"summary": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1741-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00043.html"
},
{
"summary": "USN-3922-2",
"url": "https://usn.ubuntu.com/3922-2/"
},
{
"summary": "USN-3922-3",
"url": "https://usn.ubuntu.com/3922-3/"
},
{
"summary": "openSUSE-SU-2019:1293",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html"
},
{
"summary": "openSUSE-SU-2019:1503",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html"
},
{
"summary": "openSUSE-SU-2019:1572",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"summary": "openSUSE-SU-2019:1573",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9638"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-9638"
},
{
"cve": "CVE-2019-11044",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \\0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2019-437d94e271",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/"
},
{
"summary": "FEDORA-2019-a54a622670",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11044"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/170.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11044"
},
{
"cve": "CVE-2020-7068",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "GLSA-202009-10",
"url": "https://security.gentoo.org/glsa/202009-10"
},
{
"summary": "DSA-4856",
"url": "https://www.debian.org/security/2021/dsa-4856"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7068"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-7068"
},
{
"cve": "CVE-2020-7069",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2020-4573f0e03a",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RRU57N3OSYZPOMFWPRDNVH7EMYOTSZ66/"
},
{
"summary": "FEDORA-2020-4fe6b116e5",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7EVDN7D3IB4EAI4D3ZOM2OJKQ5SD7K4E/"
},
{
"summary": "FEDORA-2020-94763cb98b",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2J3ZZDHCSX65T5QWV4AHBN7MOJXBEKG/"
},
{
"summary": "openSUSE-SU-2020:1703",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00045.html"
},
{
"summary": "USN-4583-1",
"url": "https://usn.ubuntu.com/4583-1/"
},
{
"summary": "openSUSE-SU-2020:1767",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00067.html"
},
{
"summary": "GLSA-202012-16",
"url": "https://security.gentoo.org/glsa/202012-16"
},
{
"summary": "DSA-4856",
"url": "https://www.debian.org/security/2021/dsa-4856"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7069"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-7069"
},
{
"cve": "CVE-2015-2301",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "DSA-3198",
"url": "http://www.debian.org/security/2015/dsa-3198"
},
{
"summary": "USN-2535-1",
"url": "http://www.ubuntu.com/usn/USN-2535-1"
},
{
"summary": "HPSBMU03409",
"url": "http://marc.info/?l=bugtraq\u0026m=144050155601375\u0026w=2"
},
{
"summary": "openSUSE-SU-2015:0644",
"url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00002.html"
},
{
"summary": "APPLE-SA-2015-09-30-3",
"url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html"
},
{
"summary": "1031949",
"url": "http://www.securitytracker.com/id/1031949"
},
{
"summary": "HPSBMU03380",
"url": "http://marc.info/?l=bugtraq\u0026m=143748090628601\u0026w=2"
},
{
"summary": "MDVSA-2015:079",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:079"
},
{
"summary": "SSRT102066",
"url": "http://marc.info/?l=bugtraq\u0026m=143403519711434\u0026w=2"
},
{
"summary": "SUSE-SU-2015:0868",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html"
},
{
"summary": "73037",
"url": "http://www.securityfocus.com/bid/73037"
},
{
"summary": "RHSA-2015:1135",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1135.html"
},
{
"summary": "RHSA-2015:1053",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1053.html"
},
{
"summary": "HPSBUX03337",
"url": "http://marc.info/?l=bugtraq\u0026m=143403519711434\u0026w=2"
},
{
"summary": "[oss-security] 20150315 Re: CVE Request: PHP 5.6.6 changelog",
"url": "http://openwall.com/lists/oss-security/2015/03/15/6"
},
{
"summary": "GLSA-201606-10",
"url": "https://security.gentoo.org/glsa/201606-10"
},
{
"summary": "RHSA-2015:1066",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1066.html"
},
{
"summary": "RHSA-2015:1218",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1218.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2301"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2015-2301"
},
{
"cve": "CVE-2023-0568",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0568"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/131.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2023-0568"
},
{
"cve": "CVE-2022-27458",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component Binary_string::free_buffer() at /sql/sql_string.h.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27458"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27458"
},
{
"cve": "CVE-2021-21706",
"cwe": {
"id": "CWE-24",
"name": "Path Traversal: \u0027../filedir\u0027"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21706"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/24.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-21706"
},
{
"cve": "CVE-2022-27452",
"cwe": {
"id": "CWE-617",
"name": "Reachable Assertion"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.cc.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27452"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/617.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27452"
},
{
"cve": "CVE-2020-7071",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "DSA-4856",
"url": "https://www.debian.org/security/2021/dsa-4856"
},
{
"summary": "GLSA-202105-23",
"url": "https://security.gentoo.org/glsa/202105-23"
},
{
"summary": "[debian-lts-announce] 20210715 [SECURITY] [DLA 2708-1] php7.0 security update",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00008.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7071"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-7071"
},
{
"cve": "CVE-2022-27387",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.7 and below was discovered to contain a global buffer overflow in the component decimal_bin_size, which is exploited via specially crafted SQL statements.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27387"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/120.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27387"
},
{
"cve": "CVE-2022-27376",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.6.5 and below was discovered to contain an use-after-free in the component Item_args::walk_arg, which is exploited via specially crafted SQL statements.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27376"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27376"
},
{
"cve": "CVE-2019-11043",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "USN-4166-1",
"url": "https://usn.ubuntu.com/4166-1/"
},
{
"summary": "DSA-4552",
"url": "https://www.debian.org/security/2019/dsa-4552"
},
{
"summary": "DSA-4553",
"url": "https://www.debian.org/security/2019/dsa-4553"
},
{
"summary": "USN-4166-2",
"url": "https://usn.ubuntu.com/4166-2/"
},
{
"summary": "FEDORA-2019-4adc49a476",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/"
},
{
"summary": "RHSA-2019:3286",
"url": "https://access.redhat.com/errata/RHSA-2019:3286"
},
{
"summary": "RHSA-2019:3287",
"url": "https://access.redhat.com/errata/RHSA-2019:3287"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"summary": "RHSA-2019:3300",
"url": "https://access.redhat.com/errata/RHSA-2019:3300"
},
{
"summary": "FEDORA-2019-187ae3128d",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/"
},
{
"summary": "FEDORA-2019-7bb07c3b02",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/"
},
{
"summary": "openSUSE-SU-2019:2441",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html"
},
{
"summary": "RHSA-2019:3724",
"url": "https://access.redhat.com/errata/RHSA-2019:3724"
},
{
"summary": "RHSA-2019:3735",
"url": "https://access.redhat.com/errata/RHSA-2019:3735"
},
{
"summary": "RHSA-2019:3736",
"url": "https://access.redhat.com/errata/RHSA-2019:3736"
},
{
"summary": "openSUSE-SU-2019:2457",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html"
},
{
"summary": "20200129 APPLE-SA-2020-1-28-2 macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra",
"url": "https://seclists.org/bugtraq/2020/Jan/44"
},
{
"summary": "20200131 APPLE-SA-2020-1-28-2 macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra",
"url": "http://seclists.org/fulldisclosure/2020/Jan/40"
},
{
"summary": "RHSA-2020:0322",
"url": "https://access.redhat.com/errata/RHSA-2020:0322"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11043"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/120.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11043"
},
{
"cve": "CVE-2021-2032",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Information Schema). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "GLSA-202105-27",
"url": "https://security.gentoo.org/glsa/202105-27"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2032"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-2032"
},
{
"cve": "CVE-2021-2007",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Client accessible data.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2021-db50ab62d3",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T7EAHJPWOOF4D6PEFLXW5IQWRRSZ3HRC/"
},
{
"summary": "FEDORA-2021-b1d1655cef",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CS5THZSGI7O2CZO44NWYE57AG2T7NK3K/"
},
{
"summary": "GLSA-202105-27",
"url": "https://security.gentoo.org/glsa/202105-27"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2007"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-2007"
},
{
"cve": "CVE-2019-11045",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \\0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20191229 [SECURITY] [DLA 2050-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html"
},
{
"summary": "FEDORA-2019-437d94e271",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/"
},
{
"summary": "FEDORA-2019-a54a622670",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/"
},
{
"summary": "USN-4239-1",
"url": "https://usn.ubuntu.com/4239-1/"
},
{
"summary": "openSUSE-SU-2020:0080",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html"
},
{
"summary": "20200218 [SECURITY] [DSA 4626-1] php7.3 security update",
"url": "https://seclists.org/bugtraq/2020/Feb/27"
},
{
"summary": "DSA-4626",
"url": "https://www.debian.org/security/2020/dsa-4626"
},
{
"summary": "DSA-4628",
"url": "https://www.debian.org/security/2020/dsa-4628"
},
{
"summary": "20200219 [SECURITY] [DSA 4628-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2020/Feb/31"
},
{
"summary": "20210116 Re: [SECURITY] [DSA 4628-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2021/Jan/3"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11045"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/170.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11045"
},
{
"cve": "CVE-2022-27445",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/sql_window.cc.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27445"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27445"
},
{
"cve": "CVE-2022-27457",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component my_mb_wc_latin1 at /strings/ctype-latin1.c.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27457"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27457"
},
{
"cve": "CVE-2022-27384",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27384"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/89.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27384"
},
{
"cve": "CVE-2022-23808",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23808"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/79.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-23808"
},
{
"cve": "CVE-2023-0567",
"cwe": {
"id": "CWE-916",
"name": "Use of Password Hash With Insufficient Computational Effort"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0567"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/916.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2023-0567"
},
{
"cve": "CVE-2019-9025",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue was discovered in PHP 7.3.x before 7.3.1. An invalid multibyte string supplied as an argument to the mb_split() function in ext/mbstring/php_mbregex.c can cause PHP to execute memcpy() with a negative argument, which could read and write past buffers allocated for the data.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9025"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/787.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-9025"
},
{
"cve": "CVE-2022-27379",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue in the component Arg_comparator::compare_real_fixed of MariaDB Server v10.6.2 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27379"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/89.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27379"
},
{
"cve": "CVE-2019-9637",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "DSA-4403",
"url": "https://www.debian.org/security/2019/dsa-4403"
},
{
"summary": "USN-3922-1",
"url": "https://usn.ubuntu.com/3922-1/"
},
{
"summary": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1741-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00043.html"
},
{
"summary": "USN-3922-2",
"url": "https://usn.ubuntu.com/3922-2/"
},
{
"summary": "USN-3922-3",
"url": "https://usn.ubuntu.com/3922-3/"
},
{
"summary": "openSUSE-SU-2019:1293",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html"
},
{
"summary": "openSUSE-SU-2019:1503",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html"
},
{
"summary": "openSUSE-SU-2019:1572",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"summary": "openSUSE-SU-2019:1573",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9637"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/266.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-9637"
},
{
"cve": "CVE-2021-27928",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20210323 [SECURITY] [DLA 2605-1] mariadb-10.1 security update",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00028.html"
},
{
"summary": "GLSA-202105-28",
"url": "https://security.gentoo.org/glsa/202105-28"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27928"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/94.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-27928"
},
{
"cve": "CVE-2021-21703",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "DSA-4992",
"url": "https://www.debian.org/security/2021/dsa-4992"
},
{
"summary": "DSA-4993",
"url": "https://www.debian.org/security/2021/dsa-4993"
},
{
"summary": "[oss-security] 20211026 CVE-2021-21703: PHP-FPM 5.3.7 \u003c= 8.0.12 Local Root",
"url": "http://www.openwall.com/lists/oss-security/2021/10/26/7"
},
{
"summary": "[debian-lts-announce] 20211027 [SECURITY] [DLA 2794-1] php7.0 security update",
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00021.html"
},
{
"summary": "FEDORA-2021-9f68f5f752",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JO5RA6YOBGGGKLIA6F6BQRZDDECF5L3R/"
},
{
"summary": "FEDORA-2021-4140b54de2",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PBM3KKB3RY2YPOKNMC4HIH7IH3T3WC74/"
},
{
"summary": "FEDORA-2021-02d218c3be",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PZVLICZUJMXOGWOUWSBAEGIVTF6Y6V3/"
},
{
"summary": "GLSA-202209-20",
"url": "https://security.gentoo.org/glsa/202209-20"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21703"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/787.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-21703"
},
{
"cve": "CVE-2020-2760",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "USN-4350-1",
"url": "https://usn.ubuntu.com/4350-1/"
},
{
"summary": "FEDORA-2020-20ac7c92a1",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TSVLI36TYRTPQGCS24VZQUXCUFOUW4VQ/"
},
{
"summary": "FEDORA-2020-136dc82437",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SDGBQYS3A36S4CAZPV5YROHYXYZR6LAH/"
},
{
"summary": "FEDORA-2020-261c9ddd7c",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/77REFDB7DE4WNKQIRGZTF53RFBQOXQLC/"
},
{
"summary": "FEDORA-2020-35f52d9370",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW2ED32VEUHXFN2J3YQE27JIBV4SC2PI/"
},
{
"summary": "openSUSE-SU-2020:0870",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00054.html"
},
{
"summary": "FEDORA-2020-ac2d47d89a",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4X2BMF3EILMTXGOZDTPYS3KT5VWLA2P/"
},
{
"summary": "GLSA-202012-08",
"url": "https://security.gentoo.org/glsa/202012-08"
},
{
"summary": "GLSA-202105-27",
"url": "https://security.gentoo.org/glsa/202105-27"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2760"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-2760"
},
{
"cve": "CVE-2021-2166",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2021-01189f6361",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AKV7TRUEQW6EV45RSZVVFLVQMNHVHBCJ/"
},
{
"summary": "FEDORA-2021-5b6c69a73a",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UJVUTKKFQAWR7NURCQHQQ5JHTVYGEOYQ/"
},
{
"summary": "FEDORA-2021-b8b7829a83",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JJQRPXNDH6YHQLUSCS5VA7DAW32PN7N7/"
},
{
"summary": "FEDORA-2021-68db93b130",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPA3CTGXPVWKHMCQDVURK4ETH7GE34KK/"
},
{
"summary": "FEDORA-2021-27187ac9dd",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GAU7KW36A6TQGKG3RUITYSVUFIHBY3OT/"
},
{
"summary": "FEDORA-2021-179f2fbb88",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEF5CRATUGQZUSQU63MHQIDZPOLHW2VE/"
},
{
"summary": "GLSA-202105-27",
"url": "https://security.gentoo.org/glsa/202105-27"
},
{
"summary": "GLSA-202105-28",
"url": "https://security.gentoo.org/glsa/202105-28"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2166"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-2166"
},
{
"cve": "CVE-2015-2787",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "1032485",
"url": "http://www.securitytracker.com/id/1032485"
},
{
"summary": "73431",
"url": "http://www.securityfocus.com/bid/73431"
},
{
"summary": "HPSBMU03409",
"url": "http://marc.info/?l=bugtraq\u0026m=144050155601375\u0026w=2"
},
{
"summary": "APPLE-SA-2015-09-30-3",
"url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html"
},
{
"summary": "HPSBMU03380",
"url": "http://marc.info/?l=bugtraq\u0026m=143748090628601\u0026w=2"
},
{
"summary": "SUSE-SU-2015:0868",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html"
},
{
"summary": "APPLE-SA-2015-08-13-2",
"url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html"
},
{
"summary": "USN-2572-1",
"url": "http://www.ubuntu.com/usn/USN-2572-1"
},
{
"summary": "RHSA-2015:1135",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1135.html"
},
{
"summary": "RHSA-2015:1053",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1053.html"
},
{
"summary": "openSUSE-SU-2015:0684",
"url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00015.html"
},
{
"summary": "GLSA-201606-10",
"url": "https://security.gentoo.org/glsa/201606-10"
},
{
"summary": "RHSA-2015:1066",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1066.html"
},
{
"summary": "RHSA-2015:1218",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1218.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2787"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2015-2787"
},
{
"cve": "CVE-2022-23807",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23807"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/287.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-23807"
},
{
"cve": "CVE-2020-2752",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2020-35f52d9370",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW2ED32VEUHXFN2J3YQE27JIBV4SC2PI/"
},
{
"summary": "openSUSE-SU-2020:0870",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00054.html"
},
{
"summary": "FEDORA-2020-ac2d47d89a",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4X2BMF3EILMTXGOZDTPYS3KT5VWLA2P/"
},
{
"summary": "GLSA-202012-08",
"url": "https://security.gentoo.org/glsa/202012-08"
},
{
"summary": "GLSA-202105-27",
"url": "https://security.gentoo.org/glsa/202105-27"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2752"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-2752"
},
{
"cve": "CVE-2021-46666",
"cwe": {
"id": "CWE-617",
"name": "Reachable Assertion"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB before 10.6.2 allows an application crash because of mishandling of a pushdown from a HAVING clause to a WHERE clause.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46666"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/617.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-46666"
},
{
"cve": "CVE-2020-2814",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.6.47 and prior, 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2020-20ac7c92a1",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TSVLI36TYRTPQGCS24VZQUXCUFOUW4VQ/"
},
{
"summary": "FEDORA-2020-136dc82437",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SDGBQYS3A36S4CAZPV5YROHYXYZR6LAH/"
},
{
"summary": "FEDORA-2020-261c9ddd7c",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/77REFDB7DE4WNKQIRGZTF53RFBQOXQLC/"
},
{
"summary": "FEDORA-2020-35f52d9370",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW2ED32VEUHXFN2J3YQE27JIBV4SC2PI/"
},
{
"summary": "openSUSE-SU-2020:0870",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00054.html"
},
{
"summary": "FEDORA-2020-ac2d47d89a",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4X2BMF3EILMTXGOZDTPYS3KT5VWLA2P/"
},
{
"summary": "GLSA-202012-08",
"url": "https://security.gentoo.org/glsa/202012-08"
},
{
"summary": "GLSA-202105-27",
"url": "https://security.gentoo.org/glsa/202105-27"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2814"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-2814"
},
{
"cve": "CVE-2020-7065",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "USN-4330-1",
"url": "https://usn.ubuntu.com/4330-1/"
},
{
"summary": "USN-4330-2",
"url": "https://usn.ubuntu.com/4330-2/"
},
{
"summary": "DSA-4719",
"url": "https://www.debian.org/security/2020/dsa-4719"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7065"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/121.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-7065"
},
{
"cve": "CVE-2021-21705",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "GLSA-202209-20",
"url": "https://security.gentoo.org/glsa/202209-20"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21705"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-21705"
},
{
"cve": "CVE-2020-7062",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter null pointer dereference, which would likely lead to a crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "openSUSE-SU-2020:0341",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html"
},
{
"summary": "GLSA-202003-57",
"url": "https://security.gentoo.org/glsa/202003-57"
},
{
"summary": "[debian-lts-announce] 20200326 [SECURITY] [DLA 2160-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00034.html"
},
{
"summary": "USN-4330-1",
"url": "https://usn.ubuntu.com/4330-1/"
},
{
"summary": "DSA-4717",
"url": "https://www.debian.org/security/2020/dsa-4717"
},
{
"summary": "DSA-4719",
"url": "https://www.debian.org/security/2020/dsa-4719"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7062"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/476.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-7062"
},
{
"cve": "CVE-2019-11039",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "openSUSE-SU-2019:1778",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00029.html"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"summary": "20190920 [SECURITY] [DSA 4527-1] php7.3 security update",
"url": "https://seclists.org/bugtraq/2019/Sep/35"
},
{
"summary": "DSA-4527",
"url": "https://www.debian.org/security/2019/dsa-4527"
},
{
"summary": "DSA-4529",
"url": "https://www.debian.org/security/2019/dsa-4529"
},
{
"summary": "20190923 [SECURITY] [DSA 4529-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2019/Sep/38"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11039"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11039"
},
{
"cve": "CVE-2019-11035",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "USN-3953-1",
"url": "https://usn.ubuntu.com/3953-1/"
},
{
"summary": "USN-3953-2",
"url": "https://usn.ubuntu.com/3953-2/"
},
{
"summary": "[debian-lts-announce] 20190525 [SECURITY] [DLA 1803-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00035.html"
},
{
"summary": "openSUSE-SU-2019:1501",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00010.html"
},
{
"summary": "openSUSE-SU-2019:1503",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html"
},
{
"summary": "openSUSE-SU-2019:1572",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"summary": "openSUSE-SU-2019:1573",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"summary": "DSA-4529",
"url": "https://www.debian.org/security/2019/dsa-4529"
},
{
"summary": "20190923 [SECURITY] [DSA 4529-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2019/Sep/38"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11035"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11035"
},
{
"cve": "CVE-2022-27447",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.9 and below was discovered to contain a use-after-free via the component Binary_string::free_buffer() at /sql/sql_string.h.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27447"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27447"
},
{
"cve": "CVE-2019-11046",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren\u0027t ASCII numbers. This can read to disclosure of the content of some memory locations.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20191229 [SECURITY] [DLA 2050-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html"
},
{
"summary": "FEDORA-2019-437d94e271",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/"
},
{
"summary": "FEDORA-2019-a54a622670",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/"
},
{
"summary": "USN-4239-1",
"url": "https://usn.ubuntu.com/4239-1/"
},
{
"summary": "openSUSE-SU-2020:0080",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html"
},
{
"summary": "20200218 [SECURITY] [DSA 4626-1] php7.3 security update",
"url": "https://seclists.org/bugtraq/2020/Feb/27"
},
{
"summary": "DSA-4626",
"url": "https://www.debian.org/security/2020/dsa-4626"
},
{
"summary": "DSA-4628",
"url": "https://www.debian.org/security/2020/dsa-4628"
},
{
"summary": "20200219 [SECURITY] [DSA 4628-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2020/Feb/31"
},
{
"summary": "20210116 Re: [SECURITY] [DSA 4628-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2021/Jan/3"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11046"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11046"
},
{
"cve": "CVE-2022-27446",
"cwe": {
"id": "CWE-617",
"name": "Reachable Assertion"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.h.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27446"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/617.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27446"
},
{
"cve": "CVE-2022-27386",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component sql/sql_class.cc.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27386"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/89.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27386"
},
{
"cve": "CVE-2019-9639",
"cwe": {
"id": "CWE-909",
"name": "Missing Initialization of Resource"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "DSA-4403",
"url": "https://www.debian.org/security/2019/dsa-4403"
},
{
"summary": "USN-3922-1",
"url": "https://usn.ubuntu.com/3922-1/"
},
{
"summary": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1741-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00043.html"
},
{
"summary": "USN-3922-2",
"url": "https://usn.ubuntu.com/3922-2/"
},
{
"summary": "USN-3922-3",
"url": "https://usn.ubuntu.com/3922-3/"
},
{
"summary": "openSUSE-SU-2019:1293",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html"
},
{
"summary": "openSUSE-SU-2019:1503",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html"
},
{
"summary": "openSUSE-SU-2019:1572",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"summary": "openSUSE-SU-2019:1573",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9639"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/909.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-9639"
},
{
"cve": "CVE-2019-11042",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20190812 [SECURITY] [DLA 1878-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00010.html"
},
{
"summary": "USN-4097-2",
"url": "https://usn.ubuntu.com/4097-2/"
},
{
"summary": "USN-4097-1",
"url": "https://usn.ubuntu.com/4097-1/"
},
{
"summary": "20190920 [SECURITY] [DSA 4527-1] php7.3 security update",
"url": "https://seclists.org/bugtraq/2019/Sep/35"
},
{
"summary": "DSA-4527",
"url": "https://www.debian.org/security/2019/dsa-4527"
},
{
"summary": "DSA-4529",
"url": "https://www.debian.org/security/2019/dsa-4529"
},
{
"summary": "20190923 [SECURITY] [DSA 4529-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2019/Sep/38"
},
{
"summary": "openSUSE-SU-2019:2271",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00019.html"
},
{
"summary": "20191008 APPLE-SA-2019-10-07-1 macOS Catalina 10.15",
"url": "https://seclists.org/bugtraq/2019/Oct/9"
},
{
"summary": "20191008 APPLE-SA-2019-10-07-1 macOS Catalina 10.15",
"url": "http://seclists.org/fulldisclosure/2019/Oct/15"
},
{
"summary": "20191031 APPLE-SA-2019-10-29-10 Additional information for APPLE-SA-2019-10-07-1 macOS Catalina 10.15",
"url": "http://seclists.org/fulldisclosure/2019/Oct/55"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11042"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11042"
},
{
"cve": "CVE-2022-27385",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue in the component Used_tables_and_const_cache::used_tables_and_const_cache_join of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27385"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/89.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27385"
},
{
"cve": "CVE-2020-7059",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "20200218 [SECURITY] [DSA 4626-1] php7.3 security update",
"url": "https://seclists.org/bugtraq/2020/Feb/27"
},
{
"summary": "DSA-4626",
"url": "https://www.debian.org/security/2020/dsa-4626"
},
{
"summary": "USN-4279-1",
"url": "https://usn.ubuntu.com/4279-1/"
},
{
"summary": "DSA-4628",
"url": "https://www.debian.org/security/2020/dsa-4628"
},
{
"summary": "20200219 [SECURITY] [DSA 4628-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2020/Feb/31"
},
{
"summary": "[debian-lts-announce] 20200228 [SECURITY] [DLA 2124-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00030.html"
},
{
"summary": "openSUSE-SU-2020:0341",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html"
},
{
"summary": "GLSA-202003-57",
"url": "https://security.gentoo.org/glsa/202003-57"
},
{
"summary": "20210116 Re: [SECURITY] [DSA 4628-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2021/Jan/3"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7059"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-7059"
},
{
"cve": "CVE-2020-7070",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2020-4573f0e03a",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RRU57N3OSYZPOMFWPRDNVH7EMYOTSZ66/"
},
{
"summary": "[debian-lts-announce] 20201006 [SECURITY] [DLA 2397-1] php7.0 security update",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00008.html"
},
{
"summary": "FEDORA-2020-4fe6b116e5",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7EVDN7D3IB4EAI4D3ZOM2OJKQ5SD7K4E/"
},
{
"summary": "FEDORA-2020-94763cb98b",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2J3ZZDHCSX65T5QWV4AHBN7MOJXBEKG/"
},
{
"summary": "openSUSE-SU-2020:1703",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00045.html"
},
{
"summary": "USN-4583-1",
"url": "https://usn.ubuntu.com/4583-1/"
},
{
"summary": "openSUSE-SU-2020:1767",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00067.html"
},
{
"summary": "GLSA-202012-16",
"url": "https://security.gentoo.org/glsa/202012-16"
},
{
"summary": "DSA-4856",
"url": "https://www.debian.org/security/2021/dsa-4856"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7070"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-7070"
},
{
"cve": "CVE-2022-32091",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"summary": "FEDORA-2022-cf88f807f9",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZHISY4YVO4S5QJYYIXCIAXBM7INOL4VY/"
},
{
"summary": "FEDORA-2022-e0e9a43546",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WCOEGSVMIEXDZHBOSV6WVF7FAVRBR2JE/"
},
{
"summary": "FEDORA-2022-333df1c4aa",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTVAONAZXJFGHAJ4RP2OF3EAMQCOTDSQ/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32091"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-32091"
},
{
"cve": "CVE-2015-2348",
"cwe": {
"id": "CWE-626",
"name": "Null Byte Interaction Error (Poison Null Byte)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \\x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "HPSBMU03409",
"url": "http://marc.info/?l=bugtraq\u0026m=144050155601375\u0026w=2"
},
{
"summary": "APPLE-SA-2015-09-30-3",
"url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html"
},
{
"summary": "HPSBMU03380",
"url": "http://marc.info/?l=bugtraq\u0026m=143748090628601\u0026w=2"
},
{
"summary": "SUSE-SU-2015:0868",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html"
},
{
"summary": "1032484",
"url": "http://www.securitytracker.com/id/1032484"
},
{
"summary": "73434",
"url": "http://www.securityfocus.com/bid/73434"
},
{
"summary": "USN-2572-1",
"url": "http://www.ubuntu.com/usn/USN-2572-1"
},
{
"summary": "RHSA-2015:1135",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1135.html"
},
{
"summary": "RHSA-2015:1053",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1053.html"
},
{
"summary": "openSUSE-SU-2015:0684",
"url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00015.html"
},
{
"summary": "GLSA-201606-10",
"url": "https://security.gentoo.org/glsa/201606-10"
},
{
"summary": "RHSA-2015:1066",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1066.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2348"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/626.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2015-2348"
},
{
"cve": "CVE-2019-9020",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "USN-3902-2",
"url": "https://usn.ubuntu.com/3902-2/"
},
{
"summary": "DSA-4398",
"url": "https://www.debian.org/security/2019/dsa-4398"
},
{
"summary": "USN-3902-1",
"url": "https://usn.ubuntu.com/3902-1/"
},
{
"summary": "107156",
"url": "http://www.securityfocus.com/bid/107156"
},
{
"summary": "openSUSE-SU-2019:1256",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html"
},
{
"summary": "openSUSE-SU-2019:1293",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html"
},
{
"summary": "openSUSE-SU-2019:1572",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"summary": "openSUSE-SU-2019:1573",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9020"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-9020"
},
{
"cve": "CVE-2021-35604",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.35 and prior and 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2021-70dd0b9f5d",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5MLAXYFLUDC636S46X34USCLDZAOFBM2/"
},
{
"summary": "FEDORA-2021-46dc82116b",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XF3ZFPL3JJ26YRUGXLXQZYJBLZV3WC2C/"
},
{
"summary": "FEDORA-2021-f74148c6d4",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PRCU3RTIPVKPC3GMC76YW7DJEXUEY6FG/"
},
{
"summary": "FEDORA-2021-acef1dc8cf",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2UTW5KMPPDKIMGB4ULE2HS22HYLVKYIH/"
},
{
"summary": "FEDORA-2021-72d5918529",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VGR5ZTB5QEDRRC6G5U6TFNCIVBBKGS5J/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35604"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-35604"
},
{
"cve": "CVE-2022-27444",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_subselect.cc.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27444"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/89.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27444"
},
{
"cve": "CVE-2018-14883",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "104871",
"url": "http://www.securityfocus.com/bid/104871"
},
{
"summary": "USN-3766-1",
"url": "https://usn.ubuntu.com/3766-1/"
},
{
"summary": "DSA-4353",
"url": "https://www.debian.org/security/2018/dsa-4353"
},
{
"summary": "[debian-lts-announce] 20180901 [SECURITY] [DLA 1490-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00000.html"
},
{
"summary": "USN-3766-2",
"url": "https://usn.ubuntu.com/3766-2/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14883"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2018-14883"
},
{
"cve": "CVE-2014-9705",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "DSA-3195",
"url": "http://www.debian.org/security/2015/dsa-3195"
},
{
"summary": "USN-2535-1",
"url": "http://www.ubuntu.com/usn/USN-2535-1"
},
{
"summary": "HPSBMU03409",
"url": "http://marc.info/?l=bugtraq\u0026m=144050155601375\u0026w=2"
},
{
"summary": "openSUSE-SU-2015:0644",
"url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00002.html"
},
{
"summary": "APPLE-SA-2015-09-30-3",
"url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html"
},
{
"summary": "HPSBMU03380",
"url": "http://marc.info/?l=bugtraq\u0026m=143748090628601\u0026w=2"
},
{
"summary": "MDVSA-2015:079",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:079"
},
{
"summary": "SUSE-SU-2015:0868",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html"
},
{
"summary": "RHSA-2015:1135",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1135.html"
},
{
"summary": "RHSA-2015:1053",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1053.html"
},
{
"summary": "[oss-security] 20150315 Re: CVE Request: PHP 5.6.6 changelog",
"url": "http://openwall.com/lists/oss-security/2015/03/15/6"
},
{
"summary": "73031",
"url": "http://www.securityfocus.com/bid/73031"
},
{
"summary": "1031948",
"url": "http://www.securitytracker.com/id/1031948"
},
{
"summary": "GLSA-201606-10",
"url": "https://security.gentoo.org/glsa/201606-10"
},
{
"summary": "RHSA-2015:1066",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1066.html"
},
{
"summary": "RHSA-2015:1218",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1218.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-9705"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2014-9705"
},
{
"cve": "CVE-2020-7064",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20200426 [SECURITY] [DLA 2188-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00021.html"
},
{
"summary": "USN-4330-1",
"url": "https://usn.ubuntu.com/4330-1/"
},
{
"summary": "USN-4330-2",
"url": "https://usn.ubuntu.com/4330-2/"
},
{
"summary": "openSUSE-SU-2020:0642",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00025.html"
},
{
"summary": "DSA-4717",
"url": "https://www.debian.org/security/2020/dsa-4717"
},
{
"summary": "DSA-4719",
"url": "https://www.debian.org/security/2020/dsa-4719"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7064"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-7064"
},
{
"cve": "CVE-2022-27382",
"cwe": {
"id": "CWE-617",
"name": "Reachable Assertion"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component Item_field::used_tables/update_depend_map_for_order.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27382"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/617.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27382"
},
{
"cve": "CVE-2020-7063",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "openSUSE-SU-2020:0341",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html"
},
{
"summary": "GLSA-202003-57",
"url": "https://security.gentoo.org/glsa/202003-57"
},
{
"summary": "[debian-lts-announce] 20200326 [SECURITY] [DLA 2160-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00034.html"
},
{
"summary": "USN-4330-1",
"url": "https://usn.ubuntu.com/4330-1/"
},
{
"summary": "DSA-4717",
"url": "https://www.debian.org/security/2020/dsa-4717"
},
{
"summary": "DSA-4719",
"url": "https://www.debian.org/security/2020/dsa-4719"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7063"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/281.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-7063"
},
{
"cve": "CVE-2021-2372",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2021-dc4299a8d0",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/"
},
{
"summary": "FEDORA-2021-df40c41094",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/"
},
{
"summary": "FEDORA-2021-acef1dc8cf",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2UTW5KMPPDKIMGB4ULE2HS22HYLVKYIH/"
},
{
"summary": "FEDORA-2021-72d5918529",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VGR5ZTB5QEDRRC6G5U6TFNCIVBBKGS5J/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2372"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-2372"
},
{
"cve": "CVE-2019-9021",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "USN-3902-2",
"url": "https://usn.ubuntu.com/3902-2/"
},
{
"summary": "DSA-4398",
"url": "https://www.debian.org/security/2019/dsa-4398"
},
{
"summary": "USN-3902-1",
"url": "https://usn.ubuntu.com/3902-1/"
},
{
"summary": "107156",
"url": "http://www.securityfocus.com/bid/107156"
},
{
"summary": "106747",
"url": "http://www.securityfocus.com/bid/106747"
},
{
"summary": "openSUSE-SU-2019:1256",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html"
},
{
"summary": "openSUSE-SU-2019:1293",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html"
},
{
"summary": "openSUSE-SU-2019:1572",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"summary": "openSUSE-SU-2019:1573",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9021"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-9021"
},
{
"cve": "CVE-2018-14851",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "104871",
"url": "http://www.securityfocus.com/bid/104871"
},
{
"summary": "USN-3766-1",
"url": "https://usn.ubuntu.com/3766-1/"
},
{
"summary": "DSA-4353",
"url": "https://www.debian.org/security/2018/dsa-4353"
},
{
"summary": "[debian-lts-announce] 20180901 [SECURITY] [DLA 1490-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00000.html"
},
{
"summary": "USN-3766-2",
"url": "https://usn.ubuntu.com/3766-2/"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14851"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2018-14851"
},
{
"cve": "CVE-2022-27448",
"cwe": {
"id": "CWE-617",
"name": "Reachable Assertion"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "There is an Assertion failure in MariaDB Server v10.9 and below via \u0027node-\u003epcur-\u003erel_pos == BTR_PCUR_ON\u0027 at /row/row0mysql.cc.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27448"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/617.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27448"
},
{
"cve": "CVE-2021-46663",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB through 10.5.13 allows a ha_maria::extra application crash via certain SELECT statements.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2022-263f7cc483",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJ4KDAGF3H4D4BDTHRAM6ZEAJJWWMRUO/"
},
{
"summary": "FEDORA-2022-03350936ee",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKJRBYJAQCOPHSED43A3HUPNKQLDTFGD/"
},
{
"summary": "FEDORA-2022-5cfe372ab7",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZFZVMJL5UDTOZMARLXQIMG3BTG6UNYW/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46663"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-46663"
},
{
"cve": "CVE-2021-2180",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2021-01189f6361",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AKV7TRUEQW6EV45RSZVVFLVQMNHVHBCJ/"
},
{
"summary": "FEDORA-2021-5b6c69a73a",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UJVUTKKFQAWR7NURCQHQQ5JHTVYGEOYQ/"
},
{
"summary": "FEDORA-2021-b8b7829a83",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JJQRPXNDH6YHQLUSCS5VA7DAW32PN7N7/"
},
{
"summary": "GLSA-202105-27",
"url": "https://security.gentoo.org/glsa/202105-27"
},
{
"summary": "GLSA-202105-28",
"url": "https://security.gentoo.org/glsa/202105-28"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2180"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-2180"
},
{
"cve": "CVE-2014-9709",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "MDVSA-2015:153",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:153"
},
{
"summary": "1033703",
"url": "http://www.securitytracker.com/id/1033703"
},
{
"summary": "openSUSE-SU-2015:0644",
"url": "http://lists.opensuse.org/opensuse-updates/2015-04/msg00002.html"
},
{
"summary": "APPLE-SA-2015-09-30-3",
"url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html"
},
{
"summary": "SSRT102066",
"url": "http://marc.info/?l=bugtraq\u0026m=143403519711434\u0026w=2"
},
{
"summary": "DSA-3215",
"url": "http://www.debian.org/security/2015/dsa-3215"
},
{
"summary": "SUSE-SU-2015:0868",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html"
},
{
"summary": "GLSA-201607-04",
"url": "https://security.gentoo.org/glsa/201607-04"
},
{
"summary": "USN-2987-1",
"url": "http://www.ubuntu.com/usn/USN-2987-1"
},
{
"summary": "73306",
"url": "http://www.securityfocus.com/bid/73306"
},
{
"summary": "RHSA-2015:1135",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1135.html"
},
{
"summary": "RHSA-2015:1053",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1053.html"
},
{
"summary": "HPSBUX03337",
"url": "http://marc.info/?l=bugtraq\u0026m=143403519711434\u0026w=2"
},
{
"summary": "GLSA-201606-10",
"url": "https://security.gentoo.org/glsa/201606-10"
},
{
"summary": "RHSA-2015:1066",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1066.html"
},
{
"summary": "RHSA-2015:1218",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1218.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-9709"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2014-9709"
},
{
"cve": "CVE-2023-25690",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule\n or ProxyPassMatch in which a non-specific pattern matches\n some portion of the user-supplied request-target (URL) data and is then\n re-inserted into the proxied request-target using variable \nsubstitution. For example, something like: RewriteEngine on\nRewriteRule \"^/here/(.*)\" \"http://example.com:8080/elsewhere?$1\"; [P]\nProxyPassReverse /here/ http://example.com:8080/Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25690"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/444.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2023-25690"
},
{
"cve": "CVE-2022-32082",
"cwe": {
"id": "CWE-617",
"name": "Reachable Assertion"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB v10.5 to v10.7 was discovered to contain an assertion failure at table-\u003eget_ref_count() == 0 in dict0dict.cc.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2022-cf88f807f9",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZHISY4YVO4S5QJYYIXCIAXBM7INOL4VY/"
},
{
"summary": "FEDORA-2022-e0e9a43546",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WCOEGSVMIEXDZHBOSV6WVF7FAVRBR2JE/"
},
{
"summary": "FEDORA-2022-333df1c4aa",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTVAONAZXJFGHAJ4RP2OF3EAMQCOTDSQ/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32082"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/617.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-32082"
},
{
"cve": "CVE-2022-31629",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim\u0027s browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2022-0b77fbd9e7",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/"
},
{
"summary": "FEDORA-2022-afdea1c747",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/"
},
{
"summary": "FEDORA-2022-f204e1d0ed",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/"
},
{
"summary": "DSA-5277",
"url": "https://www.debian.org/security/2022/dsa-5277"
},
{
"summary": "GLSA-202211-03",
"url": "https://security.gentoo.org/glsa/202211-03"
},
{
"summary": "[debian-lts-announce] 20221215 [SECURITY] [DLA 3243-1] php7.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31629"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-31629"
},
{
"cve": "CVE-2019-9022",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parserr in ext/standard/dns.c for DNS_CAA and DNS_ANY queries.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "DSA-4398",
"url": "https://www.debian.org/security/2019/dsa-4398"
},
{
"summary": "USN-3902-1",
"url": "https://usn.ubuntu.com/3902-1/"
},
{
"summary": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1741-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00043.html"
},
{
"summary": "USN-3922-2",
"url": "https://usn.ubuntu.com/3922-2/"
},
{
"summary": "USN-3922-3",
"url": "https://usn.ubuntu.com/3922-3/"
},
{
"summary": "openSUSE-SU-2019:1572",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"summary": "openSUSE-SU-2019:1573",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9022"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-9022"
},
{
"cve": "CVE-2016-3078",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Multiple integer overflows in php_zip.c in the zip extension in PHP before 7.0.6 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted call to (1) getFromIndex or (2) getFromName in the ZipArchive class.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[oss-security] 20160428 CVE-2016-3078: php: integer overflow in ZipArchive::getFrom*",
"url": "http://www.openwall.com/lists/oss-security/2016/04/28/1"
},
{
"summary": "39742",
"url": "https://www.exploit-db.com/exploits/39742/"
},
{
"summary": "1035701",
"url": "http://www.securitytracker.com/id/1035701"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-3078"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/190.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2016-3078"
},
{
"cve": "CVE-2023-0662",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0662"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/400.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2023-0662"
},
{
"cve": "CVE-2021-2022",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.6.50 and prior, 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2021-db50ab62d3",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T7EAHJPWOOF4D6PEFLXW5IQWRRSZ3HRC/"
},
{
"summary": "FEDORA-2021-b1d1655cef",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CS5THZSGI7O2CZO44NWYE57AG2T7NK3K/"
},
{
"summary": "GLSA-202105-27",
"url": "https://security.gentoo.org/glsa/202105-27"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2022"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-2022"
},
{
"cve": "CVE-2022-32089",
"cwe": {
"id": "CWE-229",
"name": "Improper Handling of Values"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault via the component st_select_lex_unit::exclude_level.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2022-cf88f807f9",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZHISY4YVO4S5QJYYIXCIAXBM7INOL4VY/"
},
{
"summary": "FEDORA-2022-e0e9a43546",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WCOEGSVMIEXDZHBOSV6WVF7FAVRBR2JE/"
},
{
"summary": "FEDORA-2022-333df1c4aa",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTVAONAZXJFGHAJ4RP2OF3EAMQCOTDSQ/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32089"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/229.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-32089"
},
{
"cve": "CVE-2019-11048",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2020-8838d072d5",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBA3TFZSP3TB5N4G24SO6BI64RJZXE3D/"
},
{
"summary": "FEDORA-2020-9fa7f4e25c",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDUQ7XFONY3BWTAQQUD3QUGZT6NFZUF/"
},
{
"summary": "USN-4375-1",
"url": "https://usn.ubuntu.com/4375-1/"
},
{
"summary": "openSUSE-SU-2020:0847",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00045.html"
},
{
"summary": "[debian-lts-announce] 20200629 [SECURITY] [DLA 2261-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00033.html"
},
{
"summary": "DSA-4717",
"url": "https://www.debian.org/security/2020/dsa-4717"
},
{
"summary": "DSA-4719",
"url": "https://www.debian.org/security/2020/dsa-4719"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11048"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/400.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11048"
},
{
"cve": "CVE-2021-46669",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB through 10.5.9 allows attackers to trigger a convert_const_to_int use-after-free when the BIGINT data type is used.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2022-25dcba7104",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRJCSPQHYPKTWXXZVDMY6JAHZJQ4TZ5X/"
},
{
"summary": "FEDORA-2022-e6dc7ed871",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KHEOTQ63YWC3PGHGDFGS7AZIEXCGOPWH/"
},
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46669"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-46669"
},
{
"cve": "CVE-2019-11047",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20191229 [SECURITY] [DLA 2050-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html"
},
{
"summary": "FEDORA-2019-437d94e271",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/"
},
{
"summary": "FEDORA-2019-a54a622670",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/"
},
{
"summary": "USN-4239-1",
"url": "https://usn.ubuntu.com/4239-1/"
},
{
"summary": "openSUSE-SU-2020:0080",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html"
},
{
"summary": "20200218 [SECURITY] [DSA 4626-1] php7.3 security update",
"url": "https://seclists.org/bugtraq/2020/Feb/27"
},
{
"summary": "DSA-4626",
"url": "https://www.debian.org/security/2020/dsa-4626"
},
{
"summary": "DSA-4628",
"url": "https://www.debian.org/security/2020/dsa-4628"
},
{
"summary": "20200219 [SECURITY] [DSA 4628-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2020/Feb/31"
},
{
"summary": "20210116 Re: [SECURITY] [DSA 4628-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2021/Jan/3"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11047"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11047"
},
{
"cve": "CVE-2022-27383",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.6 and below was discovered to contain an use-after-free in the component my_strcasecmp_8bit, which is exploited via specially crafted SQL statements.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27383"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27383"
},
{
"cve": "CVE-2021-46667",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an application crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2022-263f7cc483",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJ4KDAGF3H4D4BDTHRAM6ZEAJJWWMRUO/"
},
{
"summary": "FEDORA-2022-03350936ee",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKJRBYJAQCOPHSED43A3HUPNKQLDTFGD/"
},
{
"summary": "FEDORA-2022-5cfe372ab7",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZFZVMJL5UDTOZMARLXQIMG3BTG6UNYW/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46667"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/190.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-46667"
},
{
"cve": "CVE-2022-32087",
"cwe": {
"id": "CWE-229",
"name": "Improper Handling of Values"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_args::walk_args.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32087"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/229.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-32087"
},
{
"cve": "CVE-2022-36760",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36760"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/444.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-36760"
},
{
"cve": "CVE-2020-7060",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "20200218 [SECURITY] [DSA 4626-1] php7.3 security update",
"url": "https://seclists.org/bugtraq/2020/Feb/27"
},
{
"summary": "DSA-4626",
"url": "https://www.debian.org/security/2020/dsa-4626"
},
{
"summary": "USN-4279-1",
"url": "https://usn.ubuntu.com/4279-1/"
},
{
"summary": "DSA-4628",
"url": "https://www.debian.org/security/2020/dsa-4628"
},
{
"summary": "20200219 [SECURITY] [DSA 4628-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2020/Feb/31"
},
{
"summary": "[debian-lts-announce] 20200228 [SECURITY] [DLA 2124-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00030.html"
},
{
"summary": "openSUSE-SU-2020:0341",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html"
},
{
"summary": "GLSA-202003-57",
"url": "https://security.gentoo.org/glsa/202003-57"
},
{
"summary": "20210116 Re: [SECURITY] [DSA 4628-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2021/Jan/3"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7060"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-7060"
},
{
"cve": "CVE-2018-17082",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a \"Transfer-Encoding: chunked\" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "DSA-4353",
"url": "https://www.debian.org/security/2018/dsa-4353"
},
{
"summary": "[debian-lts-announce] 20180920 [SECURITY] [DLA 1509-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00020.html"
},
{
"summary": "GLSA-201812-01",
"url": "https://security.gentoo.org/glsa/201812-01"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17082"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/79.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2018-17082"
},
{
"cve": "CVE-2019-9640",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "DSA-4403",
"url": "https://www.debian.org/security/2019/dsa-4403"
},
{
"summary": "USN-3922-1",
"url": "https://usn.ubuntu.com/3922-1/"
},
{
"summary": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1741-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00043.html"
},
{
"summary": "USN-3922-2",
"url": "https://usn.ubuntu.com/3922-2/"
},
{
"summary": "USN-3922-3",
"url": "https://usn.ubuntu.com/3922-3/"
},
{
"summary": "openSUSE-SU-2019:1293",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html"
},
{
"summary": "openSUSE-SU-2019:1503",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html"
},
{
"summary": "openSUSE-SU-2019:1572",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"summary": "openSUSE-SU-2019:1573",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9640"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-9640"
},
{
"cve": "CVE-2021-46661",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB through 10.5.9 allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE).",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2022-263f7cc483",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJ4KDAGF3H4D4BDTHRAM6ZEAJJWWMRUO/"
},
{
"summary": "FEDORA-2022-03350936ee",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKJRBYJAQCOPHSED43A3HUPNKQLDTFGD/"
},
{
"summary": "FEDORA-2022-5cfe372ab7",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZFZVMJL5UDTOZMARLXQIMG3BTG6UNYW/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46661"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-46661"
},
{
"cve": "CVE-2019-11034",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "USN-3953-1",
"url": "https://usn.ubuntu.com/3953-1/"
},
{
"summary": "USN-3953-2",
"url": "https://usn.ubuntu.com/3953-2/"
},
{
"summary": "[debian-lts-announce] 20190525 [SECURITY] [DLA 1803-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00035.html"
},
{
"summary": "openSUSE-SU-2019:1501",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00010.html"
},
{
"summary": "openSUSE-SU-2019:1503",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html"
},
{
"summary": "openSUSE-SU-2019:1572",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"summary": "openSUSE-SU-2019:1573",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"summary": "DSA-4529",
"url": "https://www.debian.org/security/2019/dsa-4529"
},
{
"summary": "20190923 [SECURITY] [DSA 4529-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2019/Sep/38"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11034"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11034"
},
{
"cve": "CVE-2022-27456",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component VDec::VDec at /sql/sql_type.cc.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27456"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27456"
},
{
"cve": "CVE-2020-7061",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "GLSA-202003-57",
"url": "https://security.gentoo.org/glsa/202003-57"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7061"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-7061"
},
{
"cve": "CVE-2022-27455",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component my_wildcmp_8bit_impl at /strings/ctype-simple.c.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27455"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27455"
},
{
"cve": "CVE-2021-2144",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2144"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-2144"
},
{
"cve": "CVE-2021-2154",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.7.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2021-68db93b130",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPA3CTGXPVWKHMCQDVURK4ETH7GE34KK/"
},
{
"summary": "FEDORA-2021-27187ac9dd",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GAU7KW36A6TQGKG3RUITYSVUFIHBY3OT/"
},
{
"summary": "FEDORA-2021-179f2fbb88",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEF5CRATUGQZUSQU63MHQIDZPOLHW2VE/"
},
{
"summary": "GLSA-202105-27",
"url": "https://security.gentoo.org/glsa/202105-27"
},
{
"summary": "GLSA-202105-28",
"url": "https://security.gentoo.org/glsa/202105-28"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2154"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-2154"
},
{
"cve": "CVE-2022-21595",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21595"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-21595"
},
{
"cve": "CVE-2019-11040",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "openSUSE-SU-2019:1778",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00029.html"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"summary": "20190920 [SECURITY] [DSA 4527-1] php7.3 security update",
"url": "https://seclists.org/bugtraq/2019/Sep/35"
},
{
"summary": "DSA-4527",
"url": "https://www.debian.org/security/2019/dsa-4527"
},
{
"summary": "DSA-4529",
"url": "https://www.debian.org/security/2019/dsa-4529"
},
{
"summary": "20190923 [SECURITY] [DSA 4529-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2019/Sep/38"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11040"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11040"
},
{
"cve": "CVE-2021-2389",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2021-acef1dc8cf",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2UTW5KMPPDKIMGB4ULE2HS22HYLVKYIH/"
},
{
"summary": "FEDORA-2021-72d5918529",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VGR5ZTB5QEDRRC6G5U6TFNCIVBBKGS5J/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2389"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-2389"
},
{
"cve": "CVE-2023-27522",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27522"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/444.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2023-27522"
},
{
"cve": "CVE-2020-2812",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "USN-4350-1",
"url": "https://usn.ubuntu.com/4350-1/"
},
{
"summary": "FEDORA-2020-20ac7c92a1",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TSVLI36TYRTPQGCS24VZQUXCUFOUW4VQ/"
},
{
"summary": "FEDORA-2020-136dc82437",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SDGBQYS3A36S4CAZPV5YROHYXYZR6LAH/"
},
{
"summary": "FEDORA-2020-261c9ddd7c",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/77REFDB7DE4WNKQIRGZTF53RFBQOXQLC/"
},
{
"summary": "FEDORA-2020-35f52d9370",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW2ED32VEUHXFN2J3YQE27JIBV4SC2PI/"
},
{
"summary": "openSUSE-SU-2020:0870",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00054.html"
},
{
"summary": "FEDORA-2020-ac2d47d89a",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4X2BMF3EILMTXGOZDTPYS3KT5VWLA2P/"
},
{
"summary": "GLSA-202012-08",
"url": "https://security.gentoo.org/glsa/202012-08"
},
{
"summary": "GLSA-202105-27",
"url": "https://security.gentoo.org/glsa/202105-27"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2812"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-2812"
},
{
"cve": "CVE-2021-46665",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB through 10.5.9 allows a sql_parse.cc application crash because of incorrect used_tables expectations.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2022-263f7cc483",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJ4KDAGF3H4D4BDTHRAM6ZEAJJWWMRUO/"
},
{
"summary": "FEDORA-2022-03350936ee",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKJRBYJAQCOPHSED43A3HUPNKQLDTFGD/"
},
{
"summary": "FEDORA-2022-5cfe372ab7",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZFZVMJL5UDTOZMARLXQIMG3BTG6UNYW/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46665"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-46665"
},
{
"cve": "CVE-2022-32086",
"cwe": {
"id": "CWE-229",
"name": "Improper Handling of Values"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB v10.4 to v10.8 was discovered to contain a segmentation fault via the component Item_field::fix_outer_field.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32086"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/229.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-32086"
},
{
"cve": "CVE-2022-32085",
"cwe": {
"id": "CWE-229",
"name": "Improper Handling of Values"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32085"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/229.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-32085"
},
{
"cve": "CVE-2021-21704",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "GLSA-202209-20",
"url": "https://security.gentoo.org/glsa/202209-20"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21704"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-21704"
},
{
"cve": "CVE-2020-7066",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero (\\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20200426 [SECURITY] [DLA 2188-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00021.html"
},
{
"summary": "USN-4330-2",
"url": "https://usn.ubuntu.com/4330-2/"
},
{
"summary": "openSUSE-SU-2020:0642",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00025.html"
},
{
"summary": "DSA-4717",
"url": "https://www.debian.org/security/2020/dsa-4717"
},
{
"summary": "DSA-4719",
"url": "https://www.debian.org/security/2020/dsa-4719"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7066"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/170.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-7066"
},
{
"cve": "CVE-2022-31628",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress \"quines\" gzip files, resulting in an infinite loop.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2022-0b77fbd9e7",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/"
},
{
"summary": "FEDORA-2022-afdea1c747",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/"
},
{
"summary": "FEDORA-2022-f204e1d0ed",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/"
},
{
"summary": "DSA-5277",
"url": "https://www.debian.org/security/2022/dsa-5277"
},
{
"summary": "GLSA-202211-03",
"url": "https://security.gentoo.org/glsa/202211-03"
},
{
"summary": "[debian-lts-announce] 20221215 [SECURITY] [DLA 3243-1] php7.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31628"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/674.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-31628"
},
{
"cve": "CVE-2021-46662",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB through 10.5.9 allows a set_var.cc application crash via certain uses of an UPDATE statement in conjunction with a nested subquery.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46662"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-46662"
},
{
"cve": "CVE-2016-5385",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application\u0027s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv(\u0027HTTP_PROXY\u0027) call or (2) a CGI configuration of PHP, aka an \"httpoxy\" issue.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2016-8eb11666aa",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/"
},
{
"summary": "VU#797896",
"url": "http://www.kb.cert.org/vuls/id/797896"
},
{
"summary": "GLSA-201611-22",
"url": "https://security.gentoo.org/glsa/201611-22"
},
{
"summary": "openSUSE-SU-2016:1922",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html"
},
{
"summary": "RHSA-2016:1613",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1613.html"
},
{
"summary": "RHSA-2016:1611",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1611.html"
},
{
"summary": "RHSA-2016:1610",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1610.html"
},
{
"summary": "DSA-3631",
"url": "http://www.debian.org/security/2016/dsa-3631"
},
{
"summary": "91821",
"url": "http://www.securityfocus.com/bid/91821"
},
{
"summary": "FEDORA-2016-4e7db3d437",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/"
},
{
"summary": "RHSA-2016:1609",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1609.html"
},
{
"summary": "1036335",
"url": "http://www.securitytracker.com/id/1036335"
},
{
"summary": "RHSA-2016:1612",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1612.html"
},
{
"summary": "FEDORA-2016-9c8cf5912c",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-5385"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/601.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2016-5385"
},
{
"cve": "CVE-2022-37436",
"cwe": {
"id": "CWE-113",
"name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37436"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/113.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-37436"
},
{
"cve": "CVE-2013-6501",
"cwe": {
"id": "CWE-74",
"name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "SUSE-SU-2015:0436",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00003.html"
},
{
"summary": "72530",
"url": "http://www.securityfocus.com/bid/72530"
},
{
"summary": "GLSA-201606-10",
"url": "https://security.gentoo.org/glsa/201606-10"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6501"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/74.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2013-6501"
},
{
"cve": "CVE-2021-21702",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "DSA-4856",
"url": "https://www.debian.org/security/2021/dsa-4856"
},
{
"summary": "GLSA-202105-23",
"url": "https://security.gentoo.org/glsa/202105-23"
},
{
"summary": "[debian-lts-announce] 20210715 [SECURITY] [DLA 2708-1] php7.0 security update",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00008.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21702"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/476.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-21702"
},
{
"cve": "CVE-2019-9024",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "USN-3902-2",
"url": "https://usn.ubuntu.com/3902-2/"
},
{
"summary": "DSA-4398",
"url": "https://www.debian.org/security/2019/dsa-4398"
},
{
"summary": "USN-3902-1",
"url": "https://usn.ubuntu.com/3902-1/"
},
{
"summary": "107156",
"url": "http://www.securityfocus.com/bid/107156"
},
{
"summary": "openSUSE-SU-2019:1256",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html"
},
{
"summary": "openSUSE-SU-2019:1293",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html"
},
{
"summary": "openSUSE-SU-2019:1572",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"summary": "openSUSE-SU-2019:1573",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9024"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-9024"
},
{
"cve": "CVE-2019-9023",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "USN-3902-2",
"url": "https://usn.ubuntu.com/3902-2/"
},
{
"summary": "DSA-4398",
"url": "https://www.debian.org/security/2019/dsa-4398"
},
{
"summary": "USN-3902-1",
"url": "https://usn.ubuntu.com/3902-1/"
},
{
"summary": "107156",
"url": "http://www.securityfocus.com/bid/107156"
},
{
"summary": "openSUSE-SU-2019:1256",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html"
},
{
"summary": "openSUSE-SU-2019:1293",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html"
},
{
"summary": "openSUSE-SU-2019:1572",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"summary": "openSUSE-SU-2019:1573",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
},
{
"summary": "RHSA-2019:2519",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9023"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-9023"
},
{
"cve": "CVE-2022-27449",
"cwe": {
"id": "CWE-617",
"name": "Reachable Assertion"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_func.cc:148.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27449"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/617.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27449"
},
{
"cve": "CVE-2021-46664",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB through 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2022-263f7cc483",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJ4KDAGF3H4D4BDTHRAM6ZEAJJWWMRUO/"
},
{
"summary": "FEDORA-2022-03350936ee",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKJRBYJAQCOPHSED43A3HUPNKQLDTFGD/"
},
{
"summary": "FEDORA-2022-5cfe372ab7",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZFZVMJL5UDTOZMARLXQIMG3BTG6UNYW/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46664"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/476.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-46664"
},
{
"cve": "CVE-2019-11050",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20191229 [SECURITY] [DLA 2050-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html"
},
{
"summary": "FEDORA-2019-437d94e271",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/"
},
{
"summary": "FEDORA-2019-a54a622670",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/"
},
{
"summary": "USN-4239-1",
"url": "https://usn.ubuntu.com/4239-1/"
},
{
"summary": "openSUSE-SU-2020:0080",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html"
},
{
"summary": "20200218 [SECURITY] [DSA 4626-1] php7.3 security update",
"url": "https://seclists.org/bugtraq/2020/Feb/27"
},
{
"summary": "DSA-4626",
"url": "https://www.debian.org/security/2020/dsa-4626"
},
{
"summary": "DSA-4628",
"url": "https://www.debian.org/security/2020/dsa-4628"
},
{
"summary": "20200219 [SECURITY] [DSA 4628-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2020/Feb/31"
},
{
"summary": "20210116 Re: [SECURITY] [DSA 4628-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2021/Jan/3"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11050"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11050"
},
{
"cve": "CVE-2021-21708",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "GLSA-202209-20",
"url": "https://security.gentoo.org/glsa/202209-20"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21708"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-21708"
},
{
"cve": "CVE-2022-31625",
"cwe": {
"id": "CWE-590",
"name": "Free of Memory not on the Heap"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2022-0a96e5b9b1",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZTZQKRGEYJT5UB4FGG3MOE72SQUHSL4/"
},
{
"summary": "FEDORA-2022-f3fc52428e",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3T4MMEEZYYAEHPQMZDFN44PHORJWJFZQ/"
},
{
"summary": "DSA-5179",
"url": "https://www.debian.org/security/2022/dsa-5179"
},
{
"summary": "GLSA-202209-20",
"url": "https://security.gentoo.org/glsa/202209-20"
},
{
"summary": "[debian-lts-announce] 20221215 [SECURITY] [DLA 3243-1] php7.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31625"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/590.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-31625"
},
{
"cve": "CVE-2022-32081",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB v10.4 to v10.7 was discovered to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2022-cf88f807f9",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZHISY4YVO4S5QJYYIXCIAXBM7INOL4VY/"
},
{
"summary": "FEDORA-2022-e0e9a43546",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WCOEGSVMIEXDZHBOSV6WVF7FAVRBR2JE/"
},
{
"summary": "FEDORA-2022-333df1c4aa",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTVAONAZXJFGHAJ4RP2OF3EAMQCOTDSQ/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32081"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-32081"
},
{
"cve": "CVE-2022-27378",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27378"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/89.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27378"
},
{
"cve": "CVE-2006-20001",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2006-20001"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/787.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2006-20001"
},
{
"cve": "CVE-2018-19935",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "DSA-4353",
"url": "https://www.debian.org/security/2018/dsa-4353"
},
{
"summary": "106143",
"url": "http://www.securityfocus.com/bid/106143"
},
{
"summary": "[debian-lts-announce] 20181217 [SECURITY] [DLA 1608-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00006.html"
},
{
"summary": "openSUSE-SU-2019:1572",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"summary": "openSUSE-SU-2019:1573",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19935"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/476.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2018-19935"
},
{
"cve": "CVE-2022-4900",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "RHBZ#2179880",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2179880"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4900"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-4900"
},
{
"cve": "CVE-2018-12882",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "exif_read_from_impl in ext/exif/exif.c in PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file) because it closes a stream that it is not responsible for closing. The vulnerable code is reachable through the PHP exif_read_data function.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "104551",
"url": "http://www.securityfocus.com/bid/104551"
},
{
"summary": "USN-3702-2",
"url": "https://usn.ubuntu.com/3702-2/"
},
{
"summary": "USN-3702-1",
"url": "https://usn.ubuntu.com/3702-1/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12882"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/416.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2018-12882"
},
{
"cve": "CVE-2019-9641",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "DSA-4403",
"url": "https://www.debian.org/security/2019/dsa-4403"
},
{
"summary": "USN-3922-1",
"url": "https://usn.ubuntu.com/3922-1/"
},
{
"summary": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1741-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00043.html"
},
{
"summary": "USN-3922-2",
"url": "https://usn.ubuntu.com/3922-2/"
},
{
"summary": "openSUSE-SU-2019:1256",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html"
},
{
"summary": "USN-3922-3",
"url": "https://usn.ubuntu.com/3922-3/"
},
{
"summary": "openSUSE-SU-2019:1293",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html"
},
{
"summary": "openSUSE-SU-2019:1572",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"summary": "openSUSE-SU-2019:1573",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9641"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/908.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-9641"
},
{
"cve": "CVE-2022-27380",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue in the component my_decimal::operator= of MariaDB Server v10.6.3 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27380"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/89.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27380"
},
{
"cve": "CVE-2022-27381",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "An issue in the component Field::set_default of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27381"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/89.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27381"
},
{
"cve": "CVE-2021-21707",
"cwe": {
"id": "CWE-159",
"name": "Improper Handling of Invalid Use of Special Elements"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "DSA-5082",
"url": "https://www.debian.org/security/2022/dsa-5082"
},
{
"summary": "[debian-lts-announce] 20221215 [SECURITY] [DLA 3243-1] php7.3 security update",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21707"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/159.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-21707"
},
{
"cve": "CVE-2022-27451",
"cwe": {
"id": "CWE-1173",
"name": "Improper Use of Validation Framework"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/field_conv.cc.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27451"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/1173.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-27451"
},
{
"cve": "CVE-2020-2780",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "USN-4350-1",
"url": "https://usn.ubuntu.com/4350-1/"
},
{
"summary": "FEDORA-2020-20ac7c92a1",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TSVLI36TYRTPQGCS24VZQUXCUFOUW4VQ/"
},
{
"summary": "FEDORA-2020-136dc82437",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SDGBQYS3A36S4CAZPV5YROHYXYZR6LAH/"
},
{
"summary": "FEDORA-2020-261c9ddd7c",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/77REFDB7DE4WNKQIRGZTF53RFBQOXQLC/"
},
{
"summary": "FEDORA-2020-ac2d47d89a",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4X2BMF3EILMTXGOZDTPYS3KT5VWLA2P/"
},
{
"summary": "GLSA-202105-27",
"url": "https://security.gentoo.org/glsa/202105-27"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2780"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/400.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2020-2780"
},
{
"cve": "CVE-2019-11041",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "[debian-lts-announce] 20190812 [SECURITY] [DLA 1878-1] php5 security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00010.html"
},
{
"summary": "USN-4097-2",
"url": "https://usn.ubuntu.com/4097-2/"
},
{
"summary": "USN-4097-1",
"url": "https://usn.ubuntu.com/4097-1/"
},
{
"summary": "20190920 [SECURITY] [DSA 4527-1] php7.3 security update",
"url": "https://seclists.org/bugtraq/2019/Sep/35"
},
{
"summary": "DSA-4527",
"url": "https://www.debian.org/security/2019/dsa-4527"
},
{
"summary": "DSA-4529",
"url": "https://www.debian.org/security/2019/dsa-4529"
},
{
"summary": "20190923 [SECURITY] [DSA 4529-1] php7.0 security update",
"url": "https://seclists.org/bugtraq/2019/Sep/38"
},
{
"summary": "openSUSE-SU-2019:2271",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00019.html"
},
{
"summary": "20191008 APPLE-SA-2019-10-07-1 macOS Catalina 10.15",
"url": "https://seclists.org/bugtraq/2019/Oct/9"
},
{
"summary": "20191008 APPLE-SA-2019-10-07-1 macOS Catalina 10.15",
"url": "http://seclists.org/fulldisclosure/2019/Oct/15"
},
{
"summary": "20191031 APPLE-SA-2019-10-29-10 Additional information for APPLE-SA-2019-10-07-1 macOS Catalina 10.15",
"url": "http://seclists.org/fulldisclosure/2019/Oct/55"
},
{
"summary": "RHSA-2019:3299",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11041"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2019-11041"
},
{
"cve": "CVE-2021-2174",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "FEDORA-2021-01189f6361",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AKV7TRUEQW6EV45RSZVVFLVQMNHVHBCJ/"
},
{
"summary": "FEDORA-2021-5b6c69a73a",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UJVUTKKFQAWR7NURCQHQQ5JHTVYGEOYQ/"
},
{
"summary": "FEDORA-2021-b8b7829a83",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JJQRPXNDH6YHQLUSCS5VA7DAW32PN7N7/"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2174"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-26T10:00:00.000000Z",
"details": "Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at services.didactic@festo.com to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.",
"product_ids": [
"CSAFPID-0001"
],
"restart_required": {
"category": "vulnerable_component"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-2174"
}
]
}
WID-SEC-W-2022-0247
Vulnerability from csaf_certbund - Published: 2022-01-23 23:00 - Updated: 2023-11-26 23:00Summary
phpMyAdmin: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
phpMyAdmin ist eine in PHP geschriebene Web-Oberfläche zur Administration von MySQL Datenbanken.
Angriff
Ein entfernter anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in phpMyAdmin ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder einen Cross Site Scripting Angriff durchzuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
- Sonstiges
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "phpMyAdmin ist eine in PHP geschriebene Web-Oberfl\u00e4che zur Administration von MySQL Datenbanken.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in phpMyAdmin ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder einen Cross Site Scripting Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2022-0247 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-0247.json"
},
{
"category": "self",
"summary": "WID-SEC-2022-0247 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0247"
},
{
"category": "external",
"summary": "Gentoo Linux Security Advisory GLSA-202311-17 vom 2023-11-26",
"url": "https://security.gentoo.org/glsa/202311-17"
},
{
"category": "external",
"summary": "phpMyAdmin Security Announcement vom 2022-01-23",
"url": "https://www.phpmyadmin.net/security/PMASA-2022-1/"
},
{
"category": "external",
"summary": "phpMyAdmin Security Announcement vom 2022-01-23",
"url": "https://www.phpmyadmin.net/security/PMASA-2022-2/"
},
{
"category": "external",
"summary": "PoC CVE-2022-23808 vom 2022-06-09",
"url": "https://github.com/Trhackno/CVE-2022-23808"
}
],
"source_lang": "en-US",
"title": "phpMyAdmin: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-11-26T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:27:37.685+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2022-0247",
"initial_release_date": "2022-01-23T23:00:00.000+00:00",
"revision_history": [
{
"date": "2022-01-23T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2022-01-24T23:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: FEDORA-2022-914FA8641A, FEDORA-2022-3544C7D20E"
},
{
"date": "2022-06-09T22:00:00.000+00:00",
"number": "3",
"summary": "PoC f\u00fcr CVE-2022-23808 aufgenommen"
},
{
"date": "2023-11-26T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Gentoo aufgenommen"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Gentoo Linux",
"product": {
"name": "Gentoo Linux",
"product_id": "T012167",
"product_identification_helper": {
"cpe": "cpe:/o:gentoo:linux:-"
}
}
}
],
"category": "vendor",
"name": "Gentoo"
},
{
"branches": [
{
"category": "product_name",
"name": "Open Source phpMyAdmin \u003c 5.1.2",
"product": {
"name": "Open Source phpMyAdmin \u003c 5.1.2",
"product_id": "T021796",
"product_identification_helper": {
"cpe": "cpe:/a:phpmyadmin:phpmyadmin:5.1.2"
}
}
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-23807",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in phpMyAdmin. Ein berechtigter Nutzer kann durch eine Reihe von Aktionen die Zwei-Faktor-Authentifizierung f\u00fcr dieses Konto deaktivieren. Ein authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T012167"
]
},
"release_date": "2022-01-23T23:00:00.000+00:00",
"title": "CVE-2022-23807"
},
{
"cve": "CVE-2022-23808",
"notes": [
{
"category": "description",
"text": "In phpMyAdmin existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter anonymer Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T012167"
]
},
"release_date": "2022-01-23T23:00:00.000+00:00",
"title": "CVE-2022-23808"
}
]
}
CNVD-2022-08031
Vulnerability from cnvd - Published: 2022-02-01
VLAI Severity ?
Title
phpMyAdmin跨站脚本漏洞(CNVD-2022-08031)
Description
phpMyAdmin是Phpmyadmin团队的一套免费的、基于Web的MySQL数据库管理工具。该工具能够创建和删除数据库,创建、删除、修改数据库表,执行SQL脚本命令等。
phpMyAdmin存在跨站脚本漏洞,该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。
Severity
中
Patch Name
phpMyAdmin跨站脚本漏洞(CNVD-2022-08031)的补丁
Patch Description
phpMyAdmin是Phpmyadmin团队的一套免费的、基于Web的MySQL数据库管理工具。该工具能够创建和删除数据库,创建、删除、修改数据库表,执行SQL脚本命令等。
phpMyAdmin存在跨站脚本漏洞,该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://www.phpmyadmin.net/security/PMASA-2022-2/
Reference
https://nvd.nist.gov/vuln/detail/CVE-2022-23808
Impacted products
| Name | phpMyAdmin phpMyAdmin >=5.1.0,<5.1.2 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2022-23808"
}
},
"description": "phpMyAdmin\u662fPhpmyadmin\u56e2\u961f\u7684\u4e00\u5957\u514d\u8d39\u7684\u3001\u57fa\u4e8eWeb\u7684MySQL\u6570\u636e\u5e93\u7ba1\u7406\u5de5\u5177\u3002\u8be5\u5de5\u5177\u80fd\u591f\u521b\u5efa\u548c\u5220\u9664\u6570\u636e\u5e93\uff0c\u521b\u5efa\u3001\u5220\u9664\u3001\u4fee\u6539\u6570\u636e\u5e93\u8868\uff0c\u6267\u884cSQL\u811a\u672c\u547d\u4ee4\u7b49\u3002\n\nphpMyAdmin\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.phpmyadmin.net/security/PMASA-2022-2/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2022-08031",
"openTime": "2022-02-01",
"patchDescription": "phpMyAdmin\u662fPhpmyadmin\u56e2\u961f\u7684\u4e00\u5957\u514d\u8d39\u7684\u3001\u57fa\u4e8eWeb\u7684MySQL\u6570\u636e\u5e93\u7ba1\u7406\u5de5\u5177\u3002\u8be5\u5de5\u5177\u80fd\u591f\u521b\u5efa\u548c\u5220\u9664\u6570\u636e\u5e93\uff0c\u521b\u5efa\u3001\u5220\u9664\u3001\u4fee\u6539\u6570\u636e\u5e93\u8868\uff0c\u6267\u884cSQL\u811a\u672c\u547d\u4ee4\u7b49\u3002\r\n\r\nphpMyAdmin\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "phpMyAdmin\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2022-08031\uff09\u7684\u8865\u4e01",
"products": {
"product": "phpMyAdmin phpMyAdmin \u003e=5.1.0\uff0c\u003c5.1.2"
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-23808",
"serverity": "\u4e2d",
"submitTime": "2022-01-25",
"title": "phpMyAdmin\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2022-08031\uff09"
}
CERTFR-2022-AVI-069
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans phpMyAdmin. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| phpMyAdmin | phpMyAdmin | phpMyAdmin versions 4.9.x antérieures à 4.9.8 | ||
| phpMyAdmin | phpMyAdmin | phpMyAdmin versions 5.1.x antérieures à 5.1.2 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "phpMyAdmin versions 4.9.x ant\u00e9rieures \u00e0 4.9.8",
"product": {
"name": "phpMyAdmin",
"vendor": {
"name": "phpMyAdmin",
"scada": false
}
}
},
{
"description": "phpMyAdmin versions 5.1.x ant\u00e9rieures \u00e0 5.1.2",
"product": {
"name": "phpMyAdmin",
"vendor": {
"name": "phpMyAdmin",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-23807",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23807"
},
{
"name": "CVE-2022-23808",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23808"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-069",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-01-24T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans phpMyAdmin. Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9 et une injection de code indirecte \u00e0 distance (XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans phpMyAdmin",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 phpMyAdmin PMASA-2022-2 du 10 janvier 2022",
"url": "https://www.phpmyadmin.net/security/PMASA-2022-2"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 phpMyAdmin PMASA-2022-1 du 10 janvier 2022",
"url": "https://www.phpmyadmin.net/security/PMASA-2022-1"
}
]
}
CERTFR-2022-AVI-069
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans phpMyAdmin. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| phpMyAdmin | phpMyAdmin | phpMyAdmin versions 4.9.x antérieures à 4.9.8 | ||
| phpMyAdmin | phpMyAdmin | phpMyAdmin versions 5.1.x antérieures à 5.1.2 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "phpMyAdmin versions 4.9.x ant\u00e9rieures \u00e0 4.9.8",
"product": {
"name": "phpMyAdmin",
"vendor": {
"name": "phpMyAdmin",
"scada": false
}
}
},
{
"description": "phpMyAdmin versions 5.1.x ant\u00e9rieures \u00e0 5.1.2",
"product": {
"name": "phpMyAdmin",
"vendor": {
"name": "phpMyAdmin",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-23807",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23807"
},
{
"name": "CVE-2022-23808",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23808"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-069",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-01-24T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans phpMyAdmin. Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9 et une injection de code indirecte \u00e0 distance (XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans phpMyAdmin",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 phpMyAdmin PMASA-2022-2 du 10 janvier 2022",
"url": "https://www.phpmyadmin.net/security/PMASA-2022-2"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 phpMyAdmin PMASA-2022-1 du 10 janvier 2022",
"url": "https://www.phpmyadmin.net/security/PMASA-2022-1"
}
]
}
OPENSUSE-SU-2024:11765-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
phpMyAdmin-5.1.2-1.1 on GA media
Notes
Title of the patch
phpMyAdmin-5.1.2-1.1 on GA media
Description of the patch
These are all security issues fixed in the phpMyAdmin-5.1.2-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-11765
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "phpMyAdmin-5.1.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the phpMyAdmin-5.1.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11765",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11765-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23807 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23807/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23808 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23808/"
}
],
"title": "phpMyAdmin-5.1.2-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11765-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "phpMyAdmin-5.1.2-1.1.aarch64",
"product": {
"name": "phpMyAdmin-5.1.2-1.1.aarch64",
"product_id": "phpMyAdmin-5.1.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "phpMyAdmin-apache-5.1.2-1.1.aarch64",
"product": {
"name": "phpMyAdmin-apache-5.1.2-1.1.aarch64",
"product_id": "phpMyAdmin-apache-5.1.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "phpMyAdmin-lang-5.1.2-1.1.aarch64",
"product": {
"name": "phpMyAdmin-lang-5.1.2-1.1.aarch64",
"product_id": "phpMyAdmin-lang-5.1.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "phpMyAdmin-5.1.2-1.1.ppc64le",
"product": {
"name": "phpMyAdmin-5.1.2-1.1.ppc64le",
"product_id": "phpMyAdmin-5.1.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "phpMyAdmin-apache-5.1.2-1.1.ppc64le",
"product": {
"name": "phpMyAdmin-apache-5.1.2-1.1.ppc64le",
"product_id": "phpMyAdmin-apache-5.1.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "phpMyAdmin-lang-5.1.2-1.1.ppc64le",
"product": {
"name": "phpMyAdmin-lang-5.1.2-1.1.ppc64le",
"product_id": "phpMyAdmin-lang-5.1.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "phpMyAdmin-5.1.2-1.1.s390x",
"product": {
"name": "phpMyAdmin-5.1.2-1.1.s390x",
"product_id": "phpMyAdmin-5.1.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "phpMyAdmin-apache-5.1.2-1.1.s390x",
"product": {
"name": "phpMyAdmin-apache-5.1.2-1.1.s390x",
"product_id": "phpMyAdmin-apache-5.1.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "phpMyAdmin-lang-5.1.2-1.1.s390x",
"product": {
"name": "phpMyAdmin-lang-5.1.2-1.1.s390x",
"product_id": "phpMyAdmin-lang-5.1.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "phpMyAdmin-5.1.2-1.1.x86_64",
"product": {
"name": "phpMyAdmin-5.1.2-1.1.x86_64",
"product_id": "phpMyAdmin-5.1.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "phpMyAdmin-apache-5.1.2-1.1.x86_64",
"product": {
"name": "phpMyAdmin-apache-5.1.2-1.1.x86_64",
"product_id": "phpMyAdmin-apache-5.1.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "phpMyAdmin-lang-5.1.2-1.1.x86_64",
"product": {
"name": "phpMyAdmin-lang-5.1.2-1.1.x86_64",
"product_id": "phpMyAdmin-lang-5.1.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-5.1.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.aarch64"
},
"product_reference": "phpMyAdmin-5.1.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-5.1.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.ppc64le"
},
"product_reference": "phpMyAdmin-5.1.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-5.1.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.s390x"
},
"product_reference": "phpMyAdmin-5.1.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-5.1.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.x86_64"
},
"product_reference": "phpMyAdmin-5.1.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-apache-5.1.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.aarch64"
},
"product_reference": "phpMyAdmin-apache-5.1.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-apache-5.1.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.ppc64le"
},
"product_reference": "phpMyAdmin-apache-5.1.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-apache-5.1.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.s390x"
},
"product_reference": "phpMyAdmin-apache-5.1.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-apache-5.1.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.x86_64"
},
"product_reference": "phpMyAdmin-apache-5.1.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-lang-5.1.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.aarch64"
},
"product_reference": "phpMyAdmin-lang-5.1.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-lang-5.1.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.ppc64le"
},
"product_reference": "phpMyAdmin-lang-5.1.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-lang-5.1.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.s390x"
},
"product_reference": "phpMyAdmin-lang-5.1.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-lang-5.1.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.x86_64"
},
"product_reference": "phpMyAdmin-lang-5.1.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-23807",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23807"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.x86_64",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.x86_64",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23807",
"url": "https://www.suse.com/security/cve/CVE-2022-23807"
},
{
"category": "external",
"summary": "SUSE Bug 1195017 for CVE-2022-23807",
"url": "https://bugzilla.suse.com/1195017"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.x86_64",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.x86_64",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.x86_64",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.x86_64",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23807"
},
{
"cve": "CVE-2022-23808",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23808"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.x86_64",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.x86_64",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23808",
"url": "https://www.suse.com/security/cve/CVE-2022-23808"
},
{
"category": "external",
"summary": "SUSE Bug 1195018 for CVE-2022-23808",
"url": "https://bugzilla.suse.com/1195018"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.x86_64",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.x86_64",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-5.1.2-1.1.x86_64",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-apache-5.1.2-1.1.x86_64",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.aarch64",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.s390x",
"openSUSE Tumbleweed:phpMyAdmin-lang-5.1.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23808"
}
]
}
OPENSUSE-SU-2023:0047-1
Vulnerability from csaf_opensuse - Published: 2023-02-15 10:21 - Updated: 2023-02-15 10:21Summary
Security update for phpMyAdmin
Notes
Title of the patch
Security update for phpMyAdmin
Description of the patch
This update for phpMyAdmin fixes the following issues:
phpMyAdmin was updated to 5.2.1
This is a security and bufix release.
* Security:
- Fix (PMASA-2023-01, CWE-661, boo#1208186, CVE-2023-25727)
Fix an XSS attack through the drag-and-drop upload feature.
* Bugfixes:
- issue #17522 Fix case where the routes cache file is invalid
- issue #17506 Fix error when configuring 2FA without XMLWriter or Imagick
- issue Fix blank page when some error occurs
- issue #17519 Fix Export pages not working in certain conditions
- issue #17496 Fix error in table operation page when partitions are broken
- issue #17386 Fix system memory and system swap values on Windows
- issue #17517 Fix Database Server panel not getting hidden by ShowServerInfo configuration directive
- issue #17271 Fix database names not showing on Processes tab
- issue #17424 Fix export limit size calculation
- issue #17366 Fix refresh rate popup on Monitor page
- issue #17577 Fix monitor charts size on RTL languages
- issue #17121 Fix password_hash function incorrectly adding single quotes to password before hashing
- issue #17586 Fix statistics not showing for empty databases
- issue #17592 Clicking on the New index link on the sidebar does not throw an error anymore
- issue #17584 It's now possible to browse a database that includes two % in its name
- issue Fix PHP 8.2 deprecated string interpolation syntax
- issue Some languages are now correctly detected from the HTTP header
- issue #17617 Sorting is correctly remembered when $cfg['RememberSorting'] is true
- issue #17593 Table filtering now works when action buttons are on the right side of the row
- issue #17388 Find and Replace using regex now makes a valid query if no matching result set found
- issue #17551 Enum/Set editor will not fail to open when creating a new column
- issue #17659 Fix error when a database group is named tables, views, functions, procedures or events
- issue #17673 Allow empty values to be inserted into columns
- issue #17620 Fix error handling at phpMyAdmin startup for the JS SQL console
- issue Fixed debug queries console broken UI for query time and group count
- issue Fixed escaping of SQL query and errors for the debug console
- issue Fix console toolbar UI when the bookmark feature is disabled and sql debug is enabled
- issue #17543 Fix JS error on saving a new designer page
- issue #17546 Fix JS error after using save as and open page operation on the designer
- issue Fix PHP warning on GIS visualization when there is only one GIS column
- issue #17728 Some select HTML tags will now have the correct UI style
- issue #17734 PHP deprecations will only be shown when in a development environment
- issue #17369 Fix server error when blowfish_secret is not exactly 32 bytes long
- issue #17736 Add utf8mb3 as an alias of utf8 on the charset description page
- issue #16418 Fix FAQ 1.44 about manually removing vendor folders
- issue #12359 Setup page now sends the Content-Security-Policy headers
- issue #17747 The Column Visibility Toggle will not be hidden by other elements
- issue #17756 Edit/Copy/Delete row now works when using GROUP BY
- issue #17248 Support the UUID data type for MariaDB >= 10.7
- issue #17656 Fix replace/change/set table prefix is not working
- issue Fix monitor page filter queries only filtering the first row
- issue Fix 'Link not found!' on foreign columns for tables having no char column to show
- issue #17390 Fix 'Create view' modal doesn't show on results and empty results
- issue #17772 Fix wrong styles for add button from central columns
- issue #17389 Fix HTML disappears when exporting settings to browser's storage
- issue #17166 Fix 'Warning: #1287 'X' is deprecated [...] Please use ST_X instead.' on search page
- issue Use jquery-migrate.min.js (14KB) instead of jquery-migrate.min.js (31KB)
- issue #17842 Use jquery.validate.min.js (24 KB) instead of jquery.validate.js (50 KB)
- issue #17281 Fix links to databases for information_schema.SCHEMATA
- issue #17553 Fix Metro theme unreadable links above navigation tree
- issue #17553 Metro theme UI fixes and improvements
- issue #17553 Fix Metro theme login form with
- issue #16042 Exported gzip file of database has first ~73 kB uncompressed and rest is gzip compressed in Firefox
- issue #17705 Fix inline SQL query edit FK checkbox preventing submit buttons from working
- issue #17777 Fix Uncaught TypeError: Cannot read properties of null (reading 'inline') on datepickers when re-opened
- issue Fix Original theme buttons style and login form width
- issue #17892 Fix closing index edit modal and reopening causes it to fire twice
- issue #17606 Fix preview SQL modal not working inside 'Add Index' modal
- issue Fix PHP error on adding new column on create table form
- issue #17482 Default to 'Full texts' when running explain statements
- issue Fixed Chrome scrolling performance issue on a textarea of an 'export as text' page
- issue #17703 Fix datepicker appears on all fields, not just date
- issue Fix space in the tree line when a DB is expanded
- issue #17340 Fix 'New Table' page -> 'VIRTUAL' attribute is lost when adding a new column
- issue #17446 Fix missing option for STORED virtual column on MySQL and PERSISTENT is not supported on MySQL
- issue #17446 Lower the check for virtual columns to MySQL>=5.7.6 nothing is supported on 5.7.5
- issue Fix column names option for CSV Export
- issue #17177 Fix preview SQL when reordering columns doesn't work on move columns
- issue #15887 Fixed DROP TABLE errors ignored on multi table select for DROP
- issue #17944 Fix unable to create a view from tree view button
- issue #17927 Fix key navigation between select inputs (drop an old Firefox workaround)
- issue #17967 Fix missing icon for collapse all button
- issue #18006 Fixed UUID columns can't be moved
- issue Add `spellcheck='false'` to all password fields and some text fields to avoid spell-jacking data leaks
- issue Remove non working 'Analyze Explain at MariaDB.org' button (MariaDB stopped this service)
- issue #17229 Add support for Web Authentication API because Chrome removed support for the U2F API
- issue #18019 Fix 'Call to a member function fetchAssoc() on bool' with SQL mode ONLY_FULL_GROUP_BY on monitor search logs
- issue Add back UUID and UUID_SHORT to functions on MySQL and all MariaDB versions
- issue #17398 Fix clicking on JSON columns triggers update query
- issue Fix silent JSON parse error on upload progress
- issue #17833 Fix 'Add Parameter' button not working for Add Routine Screen
- issue #17365 Fixed 'Uncaught Error: regexp too big' on server status variables page
Update to 5.2.0
* Bugfix
- issue #16521 Upgrade Bootstrap to version 5
- issue #16521 Drop support for Internet Explorer and others
- issue Upgrade to shapefile 3
- issue #16555 Bump minimum PHP version to 7.2
- issue Remove the phpseclib dependency
- issue Upgrade Symfony components to version 5.2
- issue Upgrade to Motranslator 4
- issue #16005 Improve the performance of the Export logic
- issue #16829 Add NOT LIKE %...% operator to Table search
- issue #16845 Fixed some links not passing through url.php
- issue #16382 Remove apc upload progress method (all upload progress code was removed from the PHP extension)
- issue #16974 Replace zxcvbn by zxcvbn-ts
- issue #15691 Disable the last column checkbox in the column list dropdown instead of not allowing un-check
- issue #16138 Ignore the length of integer types and show a warning on MySQL >= 8.0.18
- issue Add support for the Mroonga engine
- issue Double click column name to directly copy to clipboard
- issue #16425 Add DELETE FROM table on table operations page
- issue #16482 Add a select all link for table-specific privileges
- issue #14276 Add support for account locking
- issue #17143 Use composer/ca-bundle to manage the CA cert file
- issue #17143 Require the openssl PHP extension
- issue #17171 Remove the printview.css file from themes
- issue #17203 Redesign the export and the import pages
- issue #16197 Replace the master/slave terminology
- issue #17257 Replace libraries/vendor_config.php constants with an array
- issue Add the Bootstrap theme
- issue #17499 Remove stickyfilljs JavaScript dependency
Update to 5.1.3
This is a security and bufix release.
* Security
- Fix for boo#1197036 (CVE-2022-0813)
- Fix for path disclosure under certain server configurations
(if display_errors is on, for instance)
* Bugfix
- issue #17308 Fix broken pagination links in the navigation sidebar
- issue #17331 Fix MariaDB has no support for system variable 'disabled_storage_engines'
- issue #17315 Fix unsupported operand types in Results.php when running 'SHOW PROCESSLIST' SQL query
- issue #17288 Fixed importing browser settings question box after login when having no pmadb
- issue #17288 Fix 'First day of calendar' user override has no effect
- issue #17239 Fixed repeating headers are not working
- issue #17298 Fixed import of email-adresses or links from ODS results in empty contents
- issue #17344 Fixed a type error on ODS import with non string values
- issue #17239 Fixed header row show/hide columns buttons on each line after hover are shown on each row
Update to 5.1.2
This is a security and bufix release.
* Security
- Fix boo#1195017 (CVE-2022-23807, PMASA-2022-1, CWE-661)
Two factor authentication bypass
- Fix boo#1195018 (CVE-2022-23808, PMASA-2022-2, CWE-661)
Multiple XSS and HTML injection attacks in setup script
* Bugfixes
- Revert a changed to $cfg['CharTextareaRows'] allow values
less than 7
- Fix encoding of enum and set values on edit value
- Fixed possible 'Undefined index: clause_is_unique' error
- Fixed some situations where a user is logged out when working
with more than one server
- Fixed a problem with assigning privileges to a user using the
multiselect list when the database name has an underscore
- Enable cookie parameter 'SameSite' when the PHP version
is 7.3 or newer
- Correctly handle the removal of 'innodb_file_format' in
MariaDB and MySQL
Patchnames
openSUSE-2023-47
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for phpMyAdmin",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for phpMyAdmin fixes the following issues:\n\nphpMyAdmin was updated to 5.2.1\n\nThis is a security and bufix release.\n\n* Security:\n\n - Fix (PMASA-2023-01, CWE-661, boo#1208186, CVE-2023-25727) \n Fix an XSS attack through the drag-and-drop upload feature.\n\n* Bugfixes:\n\n - issue #17522 Fix case where the routes cache file is invalid\n - issue #17506 Fix error when configuring 2FA without XMLWriter or Imagick\n - issue Fix blank page when some error occurs\n - issue #17519 Fix Export pages not working in certain conditions\n - issue #17496 Fix error in table operation page when partitions are broken\n - issue #17386 Fix system memory and system swap values on Windows\n - issue #17517 Fix Database Server panel not getting hidden by ShowServerInfo configuration directive\n - issue #17271 Fix database names not showing on Processes tab\n - issue #17424 Fix export limit size calculation\n - issue #17366 Fix refresh rate popup on Monitor page\n - issue #17577 Fix monitor charts size on RTL languages\n - issue #17121 Fix password_hash function incorrectly adding single quotes to password before hashing\n - issue #17586 Fix statistics not showing for empty databases\n - issue #17592 Clicking on the New index link on the sidebar does not throw an error anymore\n - issue #17584 It\u0027s now possible to browse a database that includes two % in its name\n - issue Fix PHP 8.2 deprecated string interpolation syntax\n - issue Some languages are now correctly detected from the HTTP header\n - issue #17617 Sorting is correctly remembered when $cfg[\u0027RememberSorting\u0027] is true\n - issue #17593 Table filtering now works when action buttons are on the right side of the row\n - issue #17388 Find and Replace using regex now makes a valid query if no matching result set found\n - issue #17551 Enum/Set editor will not fail to open when creating a new column\n - issue #17659 Fix error when a database group is named tables, views, functions, procedures or events\n - issue #17673 Allow empty values to be inserted into columns\n - issue #17620 Fix error handling at phpMyAdmin startup for the JS SQL console\n - issue Fixed debug queries console broken UI for query time and group count\n - issue Fixed escaping of SQL query and errors for the debug console\n - issue Fix console toolbar UI when the bookmark feature is disabled and sql debug is enabled\n - issue #17543 Fix JS error on saving a new designer page\n - issue #17546 Fix JS error after using save as and open page operation on the designer\n - issue Fix PHP warning on GIS visualization when there is only one GIS column\n - issue #17728 Some select HTML tags will now have the correct UI style\n - issue #17734 PHP deprecations will only be shown when in a development environment\n - issue #17369 Fix server error when blowfish_secret is not exactly 32 bytes long\n - issue #17736 Add utf8mb3 as an alias of utf8 on the charset description page\n - issue #16418 Fix FAQ 1.44 about manually removing vendor folders\n - issue #12359 Setup page now sends the Content-Security-Policy headers\n - issue #17747 The Column Visibility Toggle will not be hidden by other elements\n - issue #17756 Edit/Copy/Delete row now works when using GROUP BY\n - issue #17248 Support the UUID data type for MariaDB \u003e= 10.7\n - issue #17656 Fix replace/change/set table prefix is not working\n - issue Fix monitor page filter queries only filtering the first row\n - issue Fix \u0027Link not found!\u0027 on foreign columns for tables having no char column to show\n - issue #17390 Fix \u0027Create view\u0027 modal doesn\u0027t show on results and empty results\n - issue #17772 Fix wrong styles for add button from central columns\n - issue #17389 Fix HTML disappears when exporting settings to browser\u0027s storage\n - issue #17166 Fix \u0027Warning: #1287 \u0027X\u0027 is deprecated [...] Please use ST_X instead.\u0027 on search page\n - issue Use jquery-migrate.min.js (14KB) instead of jquery-migrate.min.js (31KB)\n - issue #17842 Use jquery.validate.min.js (24 KB) instead of jquery.validate.js (50 KB)\n - issue #17281 Fix links to databases for information_schema.SCHEMATA\n - issue #17553 Fix Metro theme unreadable links above navigation tree\n - issue #17553 Metro theme UI fixes and improvements\n - issue #17553 Fix Metro theme login form with\n - issue #16042 Exported gzip file of database has first ~73 kB uncompressed and rest is gzip compressed in Firefox\n - issue #17705 Fix inline SQL query edit FK checkbox preventing submit buttons from working\n - issue #17777 Fix Uncaught TypeError: Cannot read properties of null (reading \u0027inline\u0027) on datepickers when re-opened\n - issue Fix Original theme buttons style and login form width\n - issue #17892 Fix closing index edit modal and reopening causes it to fire twice\n - issue #17606 Fix preview SQL modal not working inside \u0027Add Index\u0027 modal\n - issue Fix PHP error on adding new column on create table form\n - issue #17482 Default to \u0027Full texts\u0027 when running explain statements\n - issue Fixed Chrome scrolling performance issue on a textarea of an \u0027export as text\u0027 page\n - issue #17703 Fix datepicker appears on all fields, not just date\n - issue Fix space in the tree line when a DB is expanded\n - issue #17340 Fix \u0027New Table\u0027 page -\u003e \u0027VIRTUAL\u0027 attribute is lost when adding a new column\n - issue #17446 Fix missing option for STORED virtual column on MySQL and PERSISTENT is not supported on MySQL\n - issue #17446 Lower the check for virtual columns to MySQL\u003e=5.7.6 nothing is supported on 5.7.5\n - issue Fix column names option for CSV Export\n - issue #17177 Fix preview SQL when reordering columns doesn\u0027t work on move columns\n - issue #15887 Fixed DROP TABLE errors ignored on multi table select for DROP\n - issue #17944 Fix unable to create a view from tree view button\n - issue #17927 Fix key navigation between select inputs (drop an old Firefox workaround)\n - issue #17967 Fix missing icon for collapse all button\n - issue #18006 Fixed UUID columns can\u0027t be moved\n - issue Add `spellcheck=\u0027false\u0027` to all password fields and some text fields to avoid spell-jacking data leaks\n - issue Remove non working \u0027Analyze Explain at MariaDB.org\u0027 button (MariaDB stopped this service)\n - issue #17229 Add support for Web Authentication API because Chrome removed support for the U2F API\n - issue #18019 Fix \u0027Call to a member function fetchAssoc() on bool\u0027 with SQL mode ONLY_FULL_GROUP_BY on monitor search logs\n - issue Add back UUID and UUID_SHORT to functions on MySQL and all MariaDB versions\n - issue #17398 Fix clicking on JSON columns triggers update query\n - issue Fix silent JSON parse error on upload progress\n - issue #17833 Fix \u0027Add Parameter\u0027 button not working for Add Routine Screen\n - issue #17365 Fixed \u0027Uncaught Error: regexp too big\u0027 on server status variables page\n\nUpdate to 5.2.0\n\n* Bugfix\n\n - issue #16521 Upgrade Bootstrap to version 5\n - issue #16521 Drop support for Internet Explorer and others\n - issue Upgrade to shapefile 3\n - issue #16555 Bump minimum PHP version to 7.2\n - issue Remove the phpseclib dependency\n - issue Upgrade Symfony components to version 5.2\n - issue Upgrade to Motranslator 4\n - issue #16005 Improve the performance of the Export logic\n - issue #16829 Add NOT LIKE %...% operator to Table search\n - issue #16845 Fixed some links not passing through url.php\n - issue #16382 Remove apc upload progress method (all upload progress code was removed from the PHP extension)\n - issue #16974 Replace zxcvbn by zxcvbn-ts\n - issue #15691 Disable the last column checkbox in the column list dropdown instead of not allowing un-check\n - issue #16138 Ignore the length of integer types and show a warning on MySQL \u003e= 8.0.18\n - issue Add support for the Mroonga engine\n - issue Double click column name to directly copy to clipboard\n - issue #16425 Add DELETE FROM table on table operations page\n - issue #16482 Add a select all link for table-specific privileges\n - issue #14276 Add support for account locking\n - issue #17143 Use composer/ca-bundle to manage the CA cert file\n - issue #17143 Require the openssl PHP extension\n - issue #17171 Remove the printview.css file from themes\n - issue #17203 Redesign the export and the import pages\n - issue #16197 Replace the master/slave terminology\n - issue #17257 Replace libraries/vendor_config.php constants with an array\n - issue Add the Bootstrap theme\n - issue #17499 Remove stickyfilljs JavaScript dependency\n\nUpdate to 5.1.3\n\nThis is a security and bufix release.\n\n* Security\n\n - Fix for boo#1197036 (CVE-2022-0813)\n - Fix for path disclosure under certain server configurations\n (if display_errors is on, for instance)\n\n* Bugfix\n\n - issue #17308 Fix broken pagination links in the navigation sidebar\n - issue #17331 Fix MariaDB has no support for system variable \u0027disabled_storage_engines\u0027\n - issue #17315 Fix unsupported operand types in Results.php when running \u0027SHOW PROCESSLIST\u0027 SQL query\n - issue #17288 Fixed importing browser settings question box after login when having no pmadb\n - issue #17288 Fix \u0027First day of calendar\u0027 user override has no effect\n - issue #17239 Fixed repeating headers are not working\n - issue #17298 Fixed import of email-adresses or links from ODS results in empty contents\n - issue #17344 Fixed a type error on ODS import with non string values\n - issue #17239 Fixed header row show/hide columns buttons on each line after hover are shown on each row\n\nUpdate to 5.1.2\n\nThis is a security and bufix release.\n\n* Security\n\n - Fix boo#1195017 (CVE-2022-23807, PMASA-2022-1, CWE-661) \n Two factor authentication bypass\n - Fix boo#1195018 (CVE-2022-23808, PMASA-2022-2, CWE-661)\n Multiple XSS and HTML injection attacks in setup script\n\n* Bugfixes\n\n - Revert a changed to $cfg[\u0027CharTextareaRows\u0027] allow values\n less than 7\n - Fix encoding of enum and set values on edit value\n - Fixed possible \u0027Undefined index: clause_is_unique\u0027 error\n - Fixed some situations where a user is logged out when working\n with more than one server\n - Fixed a problem with assigning privileges to a user using the\n multiselect list when the database name has an underscore\n - Enable cookie parameter \u0027SameSite\u0027 when the PHP version\n is 7.3 or newer\n - Correctly handle the removal of \u0027innodb_file_format\u0027 in\n MariaDB and MySQL\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2023-47",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0047-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2023:0047-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VQ5VVS2CGDQ32RHYLQQZFFFADPEZO6KM/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2023:0047-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VQ5VVS2CGDQ32RHYLQQZFFFADPEZO6KM/"
},
{
"category": "self",
"summary": "SUSE Bug 1195017",
"url": "https://bugzilla.suse.com/1195017"
},
{
"category": "self",
"summary": "SUSE Bug 1195018",
"url": "https://bugzilla.suse.com/1195018"
},
{
"category": "self",
"summary": "SUSE Bug 1197036",
"url": "https://bugzilla.suse.com/1197036"
},
{
"category": "self",
"summary": "SUSE Bug 1208186",
"url": "https://bugzilla.suse.com/1208186"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-0813 page",
"url": "https://www.suse.com/security/cve/CVE-2022-0813/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23807 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23807/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23808 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23808/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2023-25727/"
}
],
"title": "Security update for phpMyAdmin",
"tracking": {
"current_release_date": "2023-02-15T10:21:02Z",
"generator": {
"date": "2023-02-15T10:21:02Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2023:0047-1",
"initial_release_date": "2023-02-15T10:21:02Z",
"revision_history": [
{
"date": "2023-02-15T10:21:02Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"product": {
"name": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"product_id": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"product": {
"name": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"product_id": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"product": {
"name": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"product_id": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP4",
"product": {
"name": "SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.4",
"product": {
"name": "openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch"
},
"product_reference": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch"
},
"product_reference": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
},
"product_reference": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch"
},
"product_reference": "phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch"
},
"product_reference": "phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
},
"product_reference": "phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-0813",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-0813"
}
],
"notes": [
{
"category": "general",
"text": "PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-0813",
"url": "https://www.suse.com/security/cve/CVE-2022-0813"
},
{
"category": "external",
"summary": "SUSE Bug 1197036 for CVE-2022-0813",
"url": "https://bugzilla.suse.com/1197036"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-02-15T10:21:02Z",
"details": "moderate"
}
],
"title": "CVE-2022-0813"
},
{
"cve": "CVE-2022-23807",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23807"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23807",
"url": "https://www.suse.com/security/cve/CVE-2022-23807"
},
{
"category": "external",
"summary": "SUSE Bug 1195017 for CVE-2022-23807",
"url": "https://bugzilla.suse.com/1195017"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-02-15T10:21:02Z",
"details": "moderate"
}
],
"title": "CVE-2022-23807"
},
{
"cve": "CVE-2022-23808",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23808"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23808",
"url": "https://www.suse.com/security/cve/CVE-2022-23808"
},
{
"category": "external",
"summary": "SUSE Bug 1195018 for CVE-2022-23808",
"url": "https://bugzilla.suse.com/1195018"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-02-15T10:21:02Z",
"details": "moderate"
}
],
"title": "CVE-2022-23808"
},
{
"cve": "CVE-2023-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-25727"
}
],
"notes": [
{
"category": "general",
"text": "In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-25727",
"url": "https://www.suse.com/security/cve/CVE-2023-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1208186 for CVE-2023-25727",
"url": "https://bugzilla.suse.com/1208186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-apache-5.2.1-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:phpMyAdmin-lang-5.2.1-bp154.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-02-15T10:21:02Z",
"details": "moderate"
}
],
"title": "CVE-2023-25727"
}
]
}
GHSA-VCWC-6MR9-8M7C
Vulnerability from github – Published: 2022-01-28 22:36 – Updated: 2024-04-22 19:39
VLAI?
Summary
Cross-site Scripting in phpmyadmin
Details
An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.
Severity ?
6.1 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpmyadmin/phpmyadmin"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "5.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23808"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-28T22:29:33Z",
"nvd_published_at": "2022-01-22T02:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.",
"id": "GHSA-vcwc-6mr9-8m7c",
"modified": "2024-04-22T19:39:11Z",
"published": "2022-01-28T22:36:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23808"
},
{
"type": "WEB",
"url": "https://github.com/phpmyadmin/phpmyadmin/commit/44eb12f15a562718bbe54c9a16af91ceea335d59"
},
{
"type": "WEB",
"url": "https://github.com/phpmyadmin/phpmyadmin/commit/5118acce1dfcdb09cbc0f73927bf51c46feeaf38"
},
{
"type": "PACKAGE",
"url": "https://github.com/phpmyadmin/phpmyadmin"
},
{
"type": "WEB",
"url": "https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202311-17"
},
{
"type": "WEB",
"url": "https://www.phpmyadmin.net/security/PMASA-2022-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cross-site Scripting in phpmyadmin"
}
GSD-2022-23808
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-23808",
"description": "An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.",
"id": "GSD-2022-23808",
"references": [
"https://www.suse.com/security/cve/CVE-2022-23808.html",
"https://advisories.mageia.org/CVE-2022-23808.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-23808"
],
"details": "An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.",
"id": "GSD-2022-23808",
"modified": "2023-12-13T01:19:35.064903Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-23808",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.phpmyadmin.net/security/PMASA-2022-2/",
"refsource": "MISC",
"url": "https://www.phpmyadmin.net/security/PMASA-2022-2/"
},
{
"name": "https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97",
"refsource": "MISC",
"url": "https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97"
},
{
"name": "GLSA-202311-17",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202311-17"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=5.1.0,\u003c5.1.2",
"affected_versions": "All versions starting from 5.1.0 before 5.1.2",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2023-04-29",
"description": "An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.",
"fixed_versions": [
"5.1.2"
],
"identifier": "CVE-2022-23808",
"identifiers": [
"CVE-2022-23808"
],
"not_impacted": "All versions before 5.1.0, all versions starting from 5.1.2",
"package_slug": "packagist/phpmyadmin/phpmyadmin",
"pubdate": "2022-01-22",
"solution": "Upgrade to version 5.1.2 or above.",
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-23808",
"https://www.phpmyadmin.net/security/PMASA-2022-2/"
],
"uuid": "4e64fbc9-2377-4abc-abdb-7335015b190d"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.1.2",
"versionStartIncluding": "5.1.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-23808"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.phpmyadmin.net/security/PMASA-2022-2/",
"refsource": "MISC",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.phpmyadmin.net/security/PMASA-2022-2/"
},
{
"name": "https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97",
"refsource": "MISC",
"tags": [],
"url": "https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97"
},
{
"name": "GLSA-202311-17",
"refsource": "",
"tags": [],
"url": "https://security.gentoo.org/glsa/202311-17"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7
}
},
"lastModifiedDate": "2023-11-26T12:15Z",
"publishedDate": "2022-01-22T02:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…