#auth

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Michael Simpson Add Shortcodes Actions And Filters plugin <= 2.0.9 versions.

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Vark Minimum Purchase for WooCommerce plugin <= 2.0.0.1 versions.

Cross-Site Request Forgery (CSRF) vulnerability in Mihai Iova WordPress Knowledge base & Documentation Plugin – WP Knowledgebase plugin <= 1.3.4 versions.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Borbis Media FreshMail For WordPress plugin <= 2.3.2 versions.

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.9 ATTENTION: Exploitable remotely/public exploits are available Vendor: Dingtian Equipment: DT-R002 Vulnerability: Authentication Bypass by Capture-Replay 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to bypass authentication. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Dingtian DT-R002, a relay board, are affected: DT-R002: version 3.1.276A 3.2 Vulnerability Overview 3.2.1 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294 relay_cgi.cgi on Dingtian DT-R002 2CH relay devices with firmware 3.1.276A allows an attacker to replay HTTP post requests without the need for authentication or a valid signed/authorized request. CVE-2022-29593 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing COUNTRIES/AREAS DEPLOYED: ...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Sielco Equipment: Analog FM Transmitters and Radio Link Vulnerabilities: Improper Access Control, Cross-Site Request Forgery, Privilege Defined with Unsafe Actions 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges, access restricted pages, or hijack sessions. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Sielco devices are affected: Analog FM transmitter: 2.12 (EXC5000GX) Analog FM transmitter: 2.12 (EXC120GX) Analog FM transmitter: 2.11 (EXC300GX) Analog FM transmitter: 2.10 (EXC1600GX) Analog FM transmitter: 2.10 (EXC2000GX) Analog FM transmitter: 2.08 (EXC1600GX) Analog FM transmitter: 2.08 (EXC1000GX) Analog FM transmitter: 2.07 (EXC3000GX) Analog FM transmitter: 2.06 (EXC5000GX) Analog FM transmitter: 1.7.7 (EXC30GT) Analog FM transmitter: 1.7.4 (EXC300GT) Analog FM transmi...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Sielco Equipment: PolyEco1000 Vulnerabilities: Session Fixation, Improper Restriction of Excessive Authentication Attempts, Improper Access Control 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges, access restricted pages, or hijack sessions. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Sielco PolyEco1000, a FM transmitter, are affected: PolyEco1000: CPU:2.0.6 FPGA:10.19 PolyEco1000: CPU:1.9.4 FPGA:10.19 PolyEco1000: CPU:1.9.3 FPGA:10.19 PolyEco500: CPU:1.7.0 FPGA:10.16 PolyEco300: CPU:2.0.2 FPGA:10.19 PolyEco300: CPU:2.0.0 FPGA:10.19 3.2 Vulnerability Overview 3.2.1 SESSION FIXATION CWE-384 Sielco PolyEco1000 is vulnerable to a session hijack vulnerability due to the cookie being vulnerable to a brute force attack, lack of SSL, and the session being visible in req...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.1 ATTENTION: Exploitable remotely Vendor: Rockwell Automation Equipment: FactoryTalk Services Platform Vulnerability: Improper Authentication 2. RISK EVALUATION Successful exploitation of this vulnerability could use a token to log into the system. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Rockwell Automation reports that the following products are affected: FactoryTalk Services Platform: v2.74 3.2 Vulnerability Overview 3.2.1 Improper Authentication CWE-287 Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk Services Platform web service and then use the token to log in into FactoryTalk Services Platform. This vulnerability can only be exploited if the authorized user did not previously log in into the FactoryTalk Services Platform web service. CVE-2023-46290 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculat...

While cyberattacks on websites receive much attention, there are often unaddressed risks that can lead to businesses facing lawsuits and privacy violations even in the absence of hacking incidents. A new case study highlights one of these more common cases.  Download the full case study here. It's a scenario that could have affected any type of company, from healthcare to finance, e-commerce to

Users of Mirth Connect, an open-source data integration platform from NextGen HealthCare, are being urged to update to the latest version following the discovery of an unauthenticated remote code execution vulnerability. Tracked as CVE-2023-43208, the vulnerability has been addressed in version 4.4.1 released on October 6, 2023. "This is an easily exploitable, unauthenticated remote code