CVE-2021-32504: The SICK Product Security Incident Response Team (SICK PSIRT)

Unauthenticated users can access sensitive web URLs through GET requests that should be restricted to maintenance users only. A malicious attacker could use this sensitive information to launch further attacks on the system.


Reporting a vulnerability

The SICK PSIRT aims to process every vulnerability with confidentiality and professionalism together with the respective reporters. Neither a non-disclosure agreement (NDA) nor another type of contract is necessary or a requirement for collaboration.

Coordinated vulnerability reports from all members of the security community are greatly appreciated. These include security researchers, universities, CERTs, business partners, authorities, industry associations and suppliers.

Many SICK AG products fulfill important protective functions and are used in critical infrastructures. SICK AG therefore asks for cooperation when dealing with the coordinated disclosure of vulnerabilities and also requests that vulnerability information not be disclosed prematurely.

SICK AG requests that as much information as possible is provided in a report in order to speed up processing. This information should contain the following:

  • Contact information and availability
  • Affected product including model and version number
  • Classification of the vulnerability (buffer overflow, XSS, …)
  • Detailed description of the vulnerability (with verification if possible)
  • Effect of the vulnerability (if known)
  • Current level of awareness of the vulnerability (are there plans to disclose it?)
  • (Company) affiliation of the reporter (if reporter is prepared to provide such information)
  • CVSS score (if known)

If more information is necessary for the inspection of a vulnerability, the SICK PSIRT will contact the reporter.

If the reporter wishes, they will be publicly acknowledged after the disclosure of a new vulnerability.
