CVE-ID: CVE-2022-35613
Konker v2.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability.
Popular posts from this blog
CVE-ID: CVE-2022-35137
DGIOT Lightweight industrial IoT v4.5.4 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities. The platform does not output-encode JavaScript payloads such as <script>alert(document.cookie)</script>. These are instances of stored XSS that can be abused to steal admin user cookies. References: https://owasp.org/www-community/attacks/xss/
CVE-ID: CVE-2022-35135, CVE-2022-35136
CVE-2022-35136: Boodskap IoT Platform v4.4.9-02 allows attackers to make unauthenticated API requests.
CVE-2022-35135: Boodskap IoT Platform v4.4.9-02 allows attackers to escalate privileges via a crafted request sent to /api/user/upsert/<uuid>.
The platform successfully processes API requests even without valid cookies. For example, the following request to update a user profile is processed even though the request carries no cookie or API key (the Cookie header is blank in the request). Since API requests to the platform are not authenticated, a user can assign themselves an admin role by sending a request to the http://192.168.72.157/api/user/upsert/<userid> endpoint.
HTTP Request:
POST /api/user/upsert/8c34fa03-706a-4dc7-b484-cd8e0c329c81 HTTP/1.1
Host: 192.168.72.157
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Re
CVE-ID: CVE-2022-31861
Cross-site scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value sent to the audit logs. Patch details: https://github.com/thingsboard/thingsboard/pull/7385 Audit logs help establish accountability for usage among the various users of an application. However, if this functionality is not implemented securely, attackers can abuse the implementation flaws to launch attacks against application users. In this blog, we take a look at an XSS vulnerability in the audit logs feature of ThingsBoard, an open-source IoT platform, and how it leads to account takeover of admin accounts. This vulnerability can be exploited by an existing lower-privileged user of the platform. According to ThingsBoard's documentation ( https://thingsboard.io/docs/pe/user-guide/rbac/ ), on the community edition, "a tenant administrator manages devices, dashboards, customers, and other entities that belong to a particular tenant". Each tenant has several customers and as