
Latest News

GHSA-p9v8-q5m4-pf46: CVE-2024-5138: snapd snapctl auth bypass

### Impact A snap with prior permissions to create a mount entry on the host, such as firefox, normally uses the permission from one of the per-snap hook programs. Unprivileged users cannot normally trigger that behaviour by using `snap run --shell firefox` followed by `snapctl mount`, since snapd validates the requesting user identity (root or non-root). The issue allows unprivileged users to bypass that check by crafting a malicious command line vector which confuses snapd into thinking the help message is requested. An unprivileged user on a default installation of Ubuntu, where firefox is provided as a snap, may cause a denial-of-service attack by repeatedly mounting the hunspell database over and over and eventually exhausting system memory. Other attacks, reliant on the same underlying mechanism (mount), are possible. In all cases the snap must be installed and granted permission to perform this action (by connecting an appropriate snap interface), which requires administrative pr...

GHSA-2f4w-6mc7-4w78: LibreNMS Display Name 2 Stored Cross-site Scripting vulnerability

# StoredXSS-LibreNMS-Display Name 2 **Description:** XSS on the parameters (replace $DEVICE_ID with your specific $DEVICE_ID value): `/device/$DEVICE_ID/edit` -> param: display of LibreNMS version 24.11.0 ([https://github.com/librenms/librenms](https://github.com/librenms/librenms)) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. **Proof of Concept:** 1. Add a new device through the LibreNMS interface. 2. Edit the newly created device by going to the "Device Settings" section. 3. In the "Display Name" field, enter the following payload: `"><img src onerror="alert(document.cookie)">`. 4. Save the changes. 5. The XSS payload is triggered when navigating to the path /device/$DEVICE_ID/logs and hovering over a type contai...

Avery had credit card skimmer stuck on its site for months

Avery has confirmed its website was compromised by a credit card skimmer that potentially affected over 60,000 customers.

Strategic Approaches to Threat Detection, Investigation & Response

By staying vigilant, agile, and prepared, organizations can turn TDIR from a defensive strategy into a proactive enabler of security and operational excellence.

Risk, Reputational Scores Enjoy Mixed Success as Security Tools

Part predictive analysis, part intuition, risk and reputation services are imperfect instruments at best — and better than nothing for most organizations and insurers.

Ready to Simplify Trust Management? Join Free Webinar to See DigiCert ONE in Action

The digital world is exploding. IoT devices are multiplying like rabbits, certificates are piling up faster than you can count, and compliance requirements are tightening by the day. Keeping up with it all can feel like trying to juggle chainsaws while riding a unicycle. Traditional trust management? Forget it. It's simply not built for today's fast-paced, hybrid environments. You need a

Hitachi Energy FOX61x, FOXCST, and FOXMAN-UN Products

1. EXECUTIVE SUMMARY
CVSS v3 4.9
ATTENTION: Low attack complexity
Vendor: Hitachi Energy
Equipment: FOX61x, FOXCST, FOXMAN-UN
Vulnerability: Improper Validation of Certificate with Host Mismatch

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow attackers to intercept or falsify data exchanges between the client and the server.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports that the following products are affected:
FOX61x: Versions prior to R16B
FOXCST: Versions prior to 16.2.1
FOXMAN-UN: R15A and prior
FOXMAN-UN: R15B PC4 and prior
FOXMAN-UN: R16A
FOXMAN-UN: R16B PC2 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER VALIDATION OF CERTIFICATE WITH HOST MISMATCH CWE-297
Hitachi Energy is aware of a vulnerability that affects the FOXCST client application, which if exploited would allow attackers to intercept or falsify data exchanges between the client and the server. CVE-2024-2462 has been assigned to this vulnerability. A CVSS v...

Siemens Siveillance Video Camera

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY
CVSS v4 5.2
ATTENTION: Exploitable locally
Vendor: Siemens
Equipment: Siveillance Video Camera Drivers
Vulnerability: Insertion of Sensitive Information into Log File

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a local attacker to read camera credentials stored in the Recording Server under specific conditions.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
Siveillance Video Device Pack: Versions prior to V13.5
3.2 VULNERABILITY OVERVIEW
3.2.1 INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532
Disclosure of sensitive information in HikVision camera driver...

Siemens SIPROTEC 5 Products

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY
CVSS v4 7.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIPROTEC 5
Vulnerability: Files or Directories Accessible to External Parties

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an authenticated remote attacker to read arbitrary files or the entire filesystem of the device.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
Siemens SIPROTEC 5 6MD84 (CP300): Versions prior to 9.80
Siemens SIPROTEC 5 7SA87 (CP300): Versions 7.80 up to but not including 9.80
Siemens SIPROTEC 5 7SD82 (CP100): Versions 7.80 and after
Siemens SIPROTEC...

Fuji Electric Alpha5 SMART

1. EXECUTIVE SUMMARY
CVSS v4 8.5
ATTENTION: Low attack complexity
Vendor: Fuji Electric
Equipment: Alpha5 SMART
Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Fuji Electric Alpha5 SMART, a servo drive system, are affected:
Alpha5 SMART: Versions 4.5 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121
The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code. CVE-2024-34579 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2024-34579. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI...