#auth

A critical security vulnerability has been disclosed in AMI's MegaRAC Baseboard Management Controller (BMC) software that could allow an attacker to bypass authentication and carry out post-exploitation actions. The vulnerability, tracked as CVE-2024-54085, carries a CVSS v4 score of 10.0, indicating maximum severity. "A local or remote attacker can exploit the vulnerability by accessing the

Palo Alto, USA, 18th March 2025, CyberNewsWire

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.2 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: WebHMI – Deployed with EcoStruxure Power Automation System Vulnerability: Initialization of a Resource with an Insecure Default 2. RISK EVALUATION Successful exploitation of this vulnerability could allow unauthorized access to the underlying software application running WebHMI. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports the following products are affected because they use WebHMI v4.1.0.0 and prior: EcoStruxure Power Automation System: Versions 2.6.30.19 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 Initialization of a Resource with an Insecure Default CWE-1188 An initialization of a resource with an insecure default vulnerability exists that could cause an attacker to execute unauthorized commands when a system's default password credentials have not been changed on first use. The default username is not displayed correctly in t...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: ASCO 5310 / 5350 Vulnerabilities: Download of Code Without Integrity Check, Allocation of Resources Without Limits or Throttling, Cleartext Transmission of Sensitive Information, Unrestricted Upload of File with Dangerous Type 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to perform a denial of service, loss of availability, or loss of device integrity. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports the following products are affected: Schneider Electric ASCO 5310 Single-Channel Remote Annunciator: All versions Schneider Electric ASCO 5350 Eight Channel Remote Annunciator: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK CWE-494 Schneider Electric ASCO 5310 / 5350 remote annunciator is vulnerable to a download of code without integrity check vulner...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 4.0 ATTENTION: Low attack complexity Vendor: Schneider Electric Equipment: EcoStruxure Panel Server Vulnerability: Insertion of Sensitive Information into Log File 2. RISK EVALUATION Successful exploitation of this vulnerability could allow disclosure of sensitive information, including the disclosure of credentials. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports the following versions of EcoStruxure Panel Server are affected: EcoStruxure Panel Server: Versions v2.0 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 Insertion of Sensitive Information into Log File CWE-532 There is an insertion of sensitive information into log files vulnerability that could cause the disclosure of FTP server credentials when the FTP server is deployed, and the device is placed in debug mode by an administrative user and the debug files are exported from the device. CVE-2025-2002 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.0 ...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.0 ATTENTION: Low Attack Complexity Vendor: Schneider Electric Equipment: EcoStruxure Power Automation System User Interface (EPAS-UI) Vulnerability: Improper Authentication 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to bypass device authentication, potentially gain access to sensitive information, or execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: EcoStruxure Power Automation System User Interface (EPAS-UI): Version v2.1 up to and including v2.9 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER AUTHENTICATION CWE-287 The Schneider Electric EcoStruxure Power Automation System User Interface (EPAS-UI) is vulnerable to authentication bypass. This occurs when an unauthorized user, without permission rights, has physical access to the EPAS-UI computer and is able to reboot the workstation and interrupt the normal boot process....

Do you need to permanently and securely delete photos from an iPhone to prevent unauthorized access? Simply deleting…

Confidential computing strengthens application security by providing isolation, encryption and attestation so data remains protected while in use. By integrating these security features with a scalable, high-performance artificial intelligence (AI) and machine learning (ML) ecosystem, organizations can adopt a defense-in-depth approach. This is especially critical for regulated industries handling sensitive data, such as Personally Identifiable Information (PII), Protected Health Information (PHI), and financial information, enabling them to leverage AI with confidence.In this article, we expl

Uptime Kuma >== 1.23.0 has a ReDoS vulnerability, specifically when an administrator creates a notification through the web service. If a string is provided it triggers catastrophic backtracking in the regular expression, leading to a ReDoS attack.

### Impact Some cache backends allow configuring their credentials by setting secrets directly as attribute values in `cache-to/cache-from` configuration. If this was done by the user, these secure values could be captured together with OpenTelemetry trace as part of the arguments and flags for the traced CLI command. Passing tokens to Github cache backend via environment variables or using registry authentication is not affected. If you passed a token value like this and use a custom OpenTelemetry collector for computing traces you should make sure that your traces are kept secure. OpenTelemetry traces are also saved in BuildKit daemon's history records. ### Patches Issue has been fixed in Buildx v0.21.3 or newer. ### Workarounds Avoid passing cache backend credentials with CLI arguments. Make sure access to traces and BuildKit history records is kept secure.