#auth

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.4 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Modicon Controllers Vulnerability: Cross-site Scripting 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a victim's browser to run arbitrary JavaScript when visiting a page containing injected payload. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: Schneider Electric Modicon Controllers M258 / LMC058: All versions Schneider Electric Modicon Controllers M262: Versions prior to 5.2.8.26 Schneider Electric Modicon Controllers M251: Versions prior to 5.2.11.24 Schneider Electric Modicon Controllers M241: Versions prior to 5.2.11.24 3.2 Vulnerability Overview 3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79 A Cross-site Scripting  vulnerability exists  where an attacker could cause a victim's brows...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: User Management Component (UMC) Vulnerability: Heap-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthenticated remote attacker arbitrary code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports the following products are affected: Opcenter Execution Foundation: All versions Opcenter Intelligence: All versions Opcenter Quality: All versions Opcenter RDL: All versions SIMATIC PCS neo V4.0: All versions SIMATIC PCS neo V4.1: All versions SIMATIC PCS neo V5.0: All versions prior to V5.0 Upd...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Tibbo Equipment: AggreGate Network Manager Vulnerability: Unrestricted Upload of File with Dangerous Type 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to achieve code execution on the affected device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Tibbo products are affected: Aggregate Network Manager: Versions 6.34.02 and prior 3.2 Vulnerability Overview 3.2.1 Unrestricted Upload of File with Dangerous Type CWE-434 There is an unrestricted file upload vulnerability where it is possible for an authenticated user (low privileged) to upload an jsp shell and execute code with the privileges of user running the web server. CVE-2024-12700 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated f...

Fortinet has issued an advisory for a now-patched critical security flaw impacting Wireless LAN Manager (FortiWLM) that could lead to disclosure of sensitive information. The vulnerability, tracked as CVE-2023-34990, carries a CVSS score of 9.6 out of a maximum of 10.0. "A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files," the

The Dutch Data Protection Authority (DPA) on Wednesday fined video on-demand streaming service Netflix €4.75 million ($4.93 million) for not giving consumers enough information about how it used their data between 2018 and 2020. An investigation launched by the DPA in 2019 found that the tech giant did not inform customers clearly enough in its privacy statement about what it does with the data

The number of DDoS-related incidents targeting APIs have jumped by 30x compared with traditional Web assets, suggesting that attackers see the growing API landscape as the more attractive target.

Stay alert to crypto scams with our guide to 2024’s top threats, including phishing, malware, Ponzi schemes, and…

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

The agency asks the cybersecurity community to adopt "romance baiting" in place of dehumanizing language.

The National Defense Authorization Act passed today, but lawmakers stripped language that would keep the Trump administration from wielding unprecedented authority to surveil Americans.