#rce

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 1. EXECUTIVE SUMMARY CVSS v3 8.1 ATTENTION: Exploitable remotely  Vendor: Siemens  Equipment: Various third-party components used in SCALANCE W-700 devices  Vulnerabilities: Generation of Error Message Containing Sensitive Information, Out-of-bounds Write, NULL Pointer Dereference, Out-of-bounds Read, Improper Input Validation, Release of Invalid Pointer or Reference, Use After Free, Prototype Pollution  2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition or disclose sensitive data.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following software from Siemens is affected:  SCALANCE WAM763-1 (6GK57...

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity   Vendor: Rockwell Automation   Equipment: ThinManager ThinServer  Vulnerabilities: Path Traversal, Heap-Based Buffer Overflow  2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to potentially perform remote code execution on the target system/device or crash the software.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Rockwell Automation ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software, are affected:  ThinManager ThinServer: Versions 6.x – 10.x  ThinManager ThinServer: Versions 11.0.0 – 11.0.5  ThinManager ThinServer: Versions 11.1.0 – 11.1.5  ThinManager ThinServer: Versions 11.2.0 – 11.2.6  ThinManager ThinServer: Versions 12.0.0 – 12.0.4  ThinManager ThinServer: Versions 12.1.0 – 12.1.5  ThinManager ThinServer: Versions 13.0.0 – 13.0.1  3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER LIMIT...

Users of affected devices that want to mitigate risk from the security issues in the Exynos chipsets can turn off Wi-Fi and Voice-over-LTE settings, researchers from Google's Project Zero say.

By Deeba Ahmed HinataBot can launch Distributed Denial of Service (DDoS) attacks reaching 3.3 TBPS. This is a post from HackRead.com Read the original post: Threat Actors Using Go-based HinataBot to launch DDoS Attacks

The Custom Content Shortcode WordPress plugin through 4.0.2 does not validate one of its shortcode attribute, which could allow users with a contributor role and above to include arbitrary files via a traversal attack. This could also allow them to read non PHP files and retrieve their content. RCE could also be achieved if the attacker manage to upload a malicious image containing PHP code, and then include it via the affected attribute, on a default WP install, authors could easily achieve that given that they have the upload_file capability.

Tenda W20E v15.11.0.6(US_W20EV4.0br_v15.11.0.6(1068_1546_841 is vulnerable to Buffer Overflow via function formSetSysTime,

Tenda W20E v15.11.0.6 (US_W20EV4.0br_v15.11.0.6(1068_1546_841)_CN_TDC) is vulnerable to Buffer Overflow via function formIPMacBindModify.

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.

## Description snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. ## Proof of Concept Install Snappy via composer require `knplabs/knp-snappy`. After that, under snappy directory, create an `index.php` file with this vulnerable code. ```php <?php // index.php // include autoloader require __DIR__ . '/vendor/autoload.php'; // reference the snappy namespace use Knp\Snappy\Pdf; // vulnerable object class VulnerableClass { public $fileName; public $callback; ...

Open Web Analytics (OWA) versions prior to 1.7.4 allow an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes.