#perl

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. These actions could include modifying the system configuration and deleting accounts.

A vulnerability in Cisco access point (AP) software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of certain parameters within 802.11 frames. An attacker could exploit this vulnerability by sending a wireless 802.11 association request frame with crafted parameters to an affected device. A successful exploit could allow the attacker to cause an unexpected reload of an affected device, resulting in a DoS condition.

Enterprise storage devices have 14 security weaknesses on average, putting them at risk of compromise by cyberattackers and especially ransomware attacks.

WordPress plugins Watu Quiz versions 3.3.9 and below, GN Publisher versions 1.5.5 and below, and Japanized For WooCommerce versions 2.5.4 and below suffer from cross site scripting vulnerabilities.

In the triumvirate of identity types, protecting the identity, privacy, and data of carbon-based forms — humans — is key. Safeguards must be in place as AI becomes more interactive.

1. EXECUTIVE SUMMARY CVSS v3 8.8 ATTENTION: Exploitable remotely/low attack complexity  Vendor: Schneider Electric  Equipment: IGSS (Interactive Graphical SCADA System)   Vulnerabilities: Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity, Deserialization of Untrusted Data, Improper Limitation of a Pathname to a Restricted Directory, and Improper Input Validation 2. RISK EVALUATION Successful exploitation of these vulnerabilities could result in a denial-of-service condition, as well as the loss, addition, or modification of dashboards or report files in the IGSS Report folder. Successful exploitation of these vulnerabilities could also allow remote code execution, potentially resulting in loss of control of the supervisory control and data acquisition (SCADA) System with IGSS running in production mode. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports these vulnerabilities affect the following Data Server, Dashboard and Cu...

1. EXECUTIVE SUMMARY CVSS v3 6.3 ATTENTION: Exploitable remotely/low attack complexity  Vendor: ABB  Equipment: Pulsar Plus Controller   Vulnerabilities: Use of Insufficiently Random Values, Cross-Site Request Forgery (CSRF)  2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to take control of the product or execute arbitrary code.   3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of ABB Pulsar Plus Controller, are affected:  ABB Infinity DC Power Plant – H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) – comcode 150047415  ABB Pulsar Plus System Controller – NE843_S – comcode 150042936  3.2 VULNERABILITY OVERVIEW 3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352  There are several fields in the web pages where a user can enter arbitrary text, such as a description of an alarm or a rectifier. These represent a cross site scripting vulnerability where JavaScript code can be entered as the description with the potential of causing...

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available  Vendor: ProPump and Controls, Inc.  Equipment: Osprey Pump Controller  Vulnerabilities: Insufficient Entropy, Use of GET Request Method with Sensitive Query Strings, Use of Hard-coded Password, OS Command Injection, Cross-site Scripting, Authentication Bypass using an Alternate Path or Channel, Cross-Site Request Forgery, Command Injection  2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access, retrieve sensitive information, modify data, cause a denial-of-service, and/or gain administrative control.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following version of Osprey Pump Controller, pumping systems, and automated controls is affected:  Osprey Pump Controller version 1.01  3.2 VULNERABILITY OVERVIEW 3.2.1 INSUFFICIENT ENTROPY CWE-331  Osprey Pump Controller version 1.01 is vulnerable to a predicta...

An update for openssl is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0286: A type confusion vulnerability was found in OpenSSL when OpenSSL X.400 addresses processing inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to r...

An update for openssl is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0286: A type confusion vulnerability was found in OpenSSL when OpenSSL X.400 addresses processing inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to r...