#auth

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: ABB Equipment: ACS880 Drives with IEC 61131-3 license Vulnerabilities: Improper Input Validation, Out-of-bounds Write, Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the device or cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS ABB reports that the following low-voltage DC drive and power controller products contain a vulnerable version of CODESYS Runtime: ABB ACS880 Drives ACS880 Primary Control Program AINLX: Versions prior to v3.47 ABB ACS880 Drives ACS880 Primary Control Program YINLX: Versions prior to v1.30 ABB ACS880 Drives ACS880 IGBT Supply Control Program AISLX: Versions prior to v3.43 ABB ACS880 Drives ACS880 IGBT Supply Control Program ALHLX: Versions prior to v3.43 ABB ACS880 Drives ACS880 IGBT Supply...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: ABB Equipment: DCT880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3), DCT880 memory unit incl. Power Optimizer, DCS880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3), DCS880 memory unit incl. DEMag, DCS880 memory unit incl. DCC Vulnerabilities: Improper Input Validation, Out-of-bounds Write, Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow attackers to trigger a denial-of-service condition or execute arbitrary code over the fieldbus interfaces. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS ABB reports that the following low-voltage DC drive and power controller products contain a vulnerable version of the CODESYS Runtime: DCT880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3): All versions DCT880 memory unit incl. Pow...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: RTU500 series Vulnerabilities: Null Pointer Dereference, Insufficient Resource Pool, Missing Synchronization 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Hitachi Energy products are affected: RTU500 series CMU: Versions 12.0.1 - 12.0.14 (CVE-2024-10037) RTU500 series CMU: Versions 12.2.1 - 12.2.12 (CVE-2024-10037) RTU500 series CMU: Versions 12.4.1 - 12.4.11 (CVE-2024-10037) RTU500 series CMU: Versions 12.6.1 - 12.6.10 (CVE-2024-10037) RTU500 series CMU: Versions 12.7.1 - 12.7.7 (CVE-2024-10037) RTU500 series CMU: Versions 13.2.1 - 13.2.7 (CVE-2024-10037) RTU500 series CMU: Versions 13.4.1 - 13.4.4 (CVE-2024-10037, CVE-2024-11499, CVE-2024-12169) RTU500 series CMU: Versions 13.5.1 - 13.5.3 (CVE-2024-10037, CVE-2024-...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: TRMTracker Vulnerabilities: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'), Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute limited remote commands, poison web-cache, or disclose and modify sensitive information. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following products are affected: TRMTracker: Versions 6.2.04 and prior TRMTracker: Versions 6.3.0 and 6.3.01 3.2 VULNERABILITY OVERVIEW 3.2.1 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') CWE-90 The TRMTracker web application is vulnerable to LDAP injection attack potentially allowing an att...

**According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is required (UI:R). What is the target context of the remote code execution?** This attack requires an authenticated client to click a link in order for an unauthenticated attacker to initiate remote code execution.

In one of the largest coordinated law enforcement operations, authorities have dismantled Kidflix, a streaming platform that offered child sexual abuse material (CSAM). "A total of 1.8 million users worldwide logged on to the platform between April 2022 and March 2025," Europol said in a statement. "On March 11, 2025, the server, which contained around 72,000 videos at the time, was seized by

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Obfuscate allows Stored XSS. This issue affects Obfuscate: from 0.0.0 before 2.0.1.

## Summary In the process of remediating [CVE-2025-29927](https://github.com/advisories/GHSA-f82v-jwr5-mffw), we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers. Learn more [here](https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O). ## Credit Thank you to Jinseo Kim [kjsman](https://hackerone.com/kjsman?type=user) and [ryotak](https://hackerone.com/ryotak?type=user) for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component.

Dark web child abuse hub ‘Kidflix’ dismantled in global operation. 1.8M users, 91,000+ CSAM videos exposed. 79 arrests, 39 children rescued.