Multiple camera devices by UDP Technology, GeutebrÃ¼ck and other vendors allow unauthenticated remote access to sensitive files due to default user authentication settings. This can lead to manipulation of the device and denial of service.

CVE-2021-33543: UDP Technology IP Camera vulnerabilities

The WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin through 2.2.5 does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP to be uploaded by an administrator. Furthermore, as there is no CSRF in place, attackers could also make a logged admin upload a malicious PHP file, which would lead to RCE

CVE-2021-24620

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.

Security Updates Available for Adobe Commerce | APSB21-64

Magento has released updates for Adobe Commerce and Magento Open Source editions. These updates resolve vulnerabilities rated critical and important. Successful exploitation could lead to arbitrary code execution.       

**Product**

**Version**

**Platform**

Adobe Commerce  

2.4.2 and earlier versions    

All  

2.4.2-p1 and earlier versions    

All

2.3.7 and earlier versions   

All  

Magento Open Source 

2.4.2-p1 and earlier versions  

All

2.3.7 and earlier versions     

All

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product

Updated Version

Platform

Priority Rating

Release Notes

Adobe Commerce  

2.4.3    

All  

2  

2.4.x release notes

2.3.x release notes

2.4.2-p2  

All  

2  

2.3.7-p1  

All  

2  

Magento Open Source   

2.4.3    

All  

2  

2.4.2-p2  

All

2

2.3.7-p1   

All  

2  

Vulnerability Category

Vulnerability Impact

Severity

Pre-authentication?

Admin privileges required?

**CVSS base score**  

**CVSS vector**  

Magento Bug ID

CVE numbers

Business Logic Errors (CWE-840)  

Security feature bypass

 Important

yes

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

 PRODSECBUG-2934

CVE-2021-36012

Cross-site Scripting (Stored XSS) (CWE-79)

Arbitrary code execution

Important

no

no

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

PRODSECBUG-2963

PRODSECBUG-2964

CVE-2021-36026

CVE-2021-36027

Improper Access Control (CWE-284)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2977

CVE-2021-36036

Improper Authorization (CWE-285)

Security feature bypass

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2968

CVE-2021-36029

Improper Authorization (CWE-285)

Security feature bypass

Important

no

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

PRODSECBUG-2980

CVE-2021-36037

Improper Input Validation (CWE-20)

Application denial-of-service

Critical

No

no

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

PRODSECBUG-3004

CVE-2021-36044

Improper Input Validation (CWE-20)

Privilege escalation

Critical

yes

no

8.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

PRODSECBUG-2971

CVE-2021-36032

Improper Input Validation (CWE-20)

Security feature bypass

Critical

no

no

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

 PRODSECBUG-2969

CVE-2021-36030

Improper Input Validation (CWE-20)

Security feature bypass

Important

no

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

PRODSECBUG-2982

CVE-2021-36038

Improper Input Validation (CWE-20)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

 PRODSECBUG-2959

 PRODSECBUG-2960

 PRODSECBUG-2962

PRODSECBUG-2975

PRODSECBUG-2976

PRODSECBUG-2987

PRODSECBUG-2988

PRODSECBUG-2992

CVE-2021-36021

CVE-2021-36024

CVE-2021-36025

CVE-2021-36034

CVE-2021-36035

CVE-2021-36040

CVE-2021-36041

CVE-2021-36042

Path Traversal

(CWE-22)

Arbitrary code execution

Critical

yes

yes

7.2

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

PRODSECBUG-2970

CVE-2021-36031

OS Command Injection (CWE-78)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2958

PRODSECBUG-2960

CVE-2021-36022

CVE-2021-36023

Incorrect Authorization (CWE-863)

Arbitrary file system read

Important

yes

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

PRODSECBUG-2984

CVE-2021-36039

Server-Side Request Forgery (SSRF)

(CWE-918)

Arbitrary code execution

Critical

yes

yes

8

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2996

CVE-2021-36043

XML Injection

(aka Blind XPath Injection) (CWE-91)

Arbitrary code execution

Critical

no

no

8.2

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

PRODSECBUG-2937

CVE-2021-36020

XML Injection

(aka Blind XPath Injection) (CWE-91)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

 PRODSECBUG-2965

PRODSECBUG-2972

CVE-2021-36028

CVE-2021-36033

Pre-authentication:  The vulnerability is exploitable without credentials.   

Admin privileges required:  The vulnerability is only exploitable by an attacker with administrative privileges.  

Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:   

*   Blaklis (CVE-2021-36023, CVE-2021-36026, CVE-2021-36027, CVE-2021-36036, CVE-2021-36029, CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36031)
*   Igorsdv (CVE-2021-36012)
*   Zb3 (CVE-2021-36037, CVE-2021-36032, CVE-2021-36038, CVE-2021-36040, CVE-2021-36041, CVE-2021-36042, CVE-2021-36039, CVE-2021-36043, CVE-2021-36033, CVE-2021-36028)
*   Dftrace (CVE-2021-36044)
*   Floorz (CVE-2021-36030)
*   Eboda (CVE-2021-36022)
*   Trivani Pant on behalf of Broadway Photo Supply Limited (CVE-2021-36020)  
    

August 13, 2021: Updated Magento/Magento commerce with Adobe Commerce. 

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2021-36022: Adobe Security Bulletin

An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value.

**OSSA-2021-005: Arbitrary dnsmasq reconfiguration via extra\_dhcp\_opts¶**

Date:

August 31, 2021

CVE:

CVE-2021-40085

**Affects¶**

*   Neutron: <16.4.1, >=17.0.0 <17.2.1, >=18.0.0 <18.1.1
    

**Description¶**

Pavel Toporkov reported a vulnerability in Neutron. By supplying a specially crafted extra\_dhcp\_opts value, an authenticated user may add arbitrary configuration to the dnsmasq process in order to crash the service, change parameters for other tenants sharing the same interface, or otherwise alter that daemon’s behavior. This vulnerability may also be used to trigger a configuration parsing buffer overflow in versions of dnsmasq prior to 2.81, which could lead to remote code execution. All Neutron deployments are affected.

**Patches¶**

*   https://review.opendev.org/806709 (Queens)
    
*   https://review.opendev.org/806862 (Rocky)
    
*   https://review.opendev.org/806708 (Stein)
    
*   https://review.opendev.org/806707 (Train)
    
*   https://review.opendev.org/806750 (Ussuri)
    
*   https://review.opendev.org/806749 (Victoria)
    
*   https://review.opendev.org/806748 (Wallaby)
    
*   https://review.opendev.org/806746 (Xena)
    

**Credits¶**

*   Pavel Toporkov (CVE-2021-40085)
    

**References¶**

*   https://launchpad.net/bugs/1939733
    
*   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40085
    

**Notes¶**

*   The stable/train, stable/stein, stable/rocky, and stable/queens branches are under extended maintenance and will receive no new point releases, but patches for them are provided as a courtesy.

CVE-2021-40085: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts — OpenStack Security Advisories 0.0.1.dev251 documentation

IBM OpenPages with Watson 8.1 and 8.2 could allow an authenticated user to upload a file that could execute arbitrary code on the system. IBM X-Force ID: 207633.

  

**Summary**

An issue was found within the IBM OpenPages with Watson that could allow an authenticated user to upload a file that could execute arbitrary code.

**Vulnerability Details**

**CVEID:**   CVE-2021-29907  
**DESCRIPTION:**   IBM OpenPages with Watson could allow an authenticated user to upload a file that could execute arbitrary code on the system.  
CVSS Base score: 8.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207633 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

IBM OpenPages with Watson versions v8.1 through v8.2

**Remediation/Fixes**

A fix has been created for each affected version of the named product. Download and install the fix as soon as possible. Fixes and installation instructions are provided at the URLs listed below:  

**Workarounds and Mitigations**

None

**References**

Off

None

**Acknowledgement**

The vulnerability was reported to IBM by Adam Murray

**Change History**

24 Aug 2021: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSFUEU","label":"IBM OpenPages with Watson"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}\],"Version":"8.2,8.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2021-29907: Security Bulletin: IBM OpenPages with Watson has addressed a remote code execution vulnerability (CVE-2021-29907)

Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Azure AD Plugin
*   Code Coverage API Plugin
*   Nested View Plugin
*   Nomad Plugin
*   SAML Plugin

**Descriptions****RCE vulnerability in Code Coverage API Plugin**

**SECURITY-2376 / CVE-2021-21677**  
**Severity (CVSS):** High  
**Affected plugin: code-coverage-api**  
**Description:**

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes.

Code Coverage API Plugin 1.4.1 configures its Java object deserialization to only deserialize safe types.

**SAML Plugin allows bypassing CSRF protection for any URL**

**SECURITY-2469 / CVE-2021-21678**  
**Severity (CVSS):** High  
**Affected plugin: saml**  
**Description:**

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. SAML Plugin implements this extension point for the URL that users are redirected to after login.

In SAML Plugin 2.0.7 and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

This vulnerability was originally introduced in SAML Plugin 1.1.3.

SAML Plugin 2.0.8 restricts which URLs it disables cross-site request forgery (CSRF) protection for to the one URL that needs it.

**Azure AD Plugin allows bypassing CSRF protection for any URL**

**SECURITY-2470 / CVE-2021-21679**  
**Severity (CVSS):** High  
**Affected plugin: azure-ad**  
**Description:**

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Azure AD Plugin implements this extension point for URLs used by a JavaScript component.

In Azure AD Plugin 179.vf6841393099e and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

This vulnerability was originally introduced in Azure AD Plugin 164.v5b48baa961d2.

Azure AD Plugin 180.v8b1e80e6f242 no longer allows bypassing CSRF protection for URLs used by the JavaScript component. Instead, that component was reconfigured to pass the expected CSRF token.

**XXE vulnerability in Nested View Plugin**

**SECURITY-2411 / CVE-2021-21680**  
**Severity (CVSS):** High  
**Affected plugin: nested-view**  
**Description:**

Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.

This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Nested View Plugin 1.21 disables external entity resolution for its XML transformer.

**Password stored in plain text by Nomad Plugin**

**SECURITY-2396 / CVE-2021-21681**  
**Severity (CVSS):** Low  
**Affected plugin: nomad**  
**Description:**

Nomad Plugin 0.7.4 and earlier stores the passwords to authenticate against the Docker registry unencrypted in the global config.xml file on the Jenkins controller as part of its worker templates configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

Nomad Plugin 0.7.5 stores the Docker passwords encrypted. This change is effective after Jenkins restarts.

**Severity**

*   SECURITY-2376: High
*   SECURITY-2396: Low
*   SECURITY-2411: High
*   SECURITY-2469: High
*   SECURITY-2470: High

**Affected Versions**

*   **Azure AD Plugin** up to and including 179.vf6841393099e
*   **Code Coverage API Plugin** up to and including 1.4.0
*   **Nested View Plugin** up to and including 1.20
*   **Nomad Plugin** up to and including 0.7.4
*   **SAML Plugin** up to and including 2.0.7

**Fix**

*   **Azure AD Plugin** should be updated to version 180.v8b1e80e6f242
*   **Code Coverage API Plugin** should be updated to version 1.4.1
*   **Nested View Plugin** should be updated to version 1.21
*   **Nomad Plugin** should be updated to version 0.7.5
*   **SAML Plugin** should be updated to version 2.0.8

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Brian Hysell, Synopsys Software Integrity Group** for SECURITY-2411
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2469, SECURITY-2470

CVE-2021-21678: Jenkins Security Advisory 2021-08-31

Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

CVE-2021-21679: Jenkins Security Advisory 2021-08-31

In PEPPERL+FUCHS WirelessHART-Gateway 3.0.7 to 3.0.9 the SSH and telnet services are active with hard-coded credentials.

2021-08-16 14:00 (CEST) VDE-2021-027  

**Pepperl+Fuchs: WirelessHART-Gateway - Vulnerability may allow remote attackers to cause a Denial Of Service**  
Share: Email | Twitter  

**

Published

**

2021-08-16 14:00 (CEST)

**

Last update

**

2021-08-16 14:00 (CEST)

**Vendor(s)**

Pepperl+Fuchs SE  

**Product(s)**

Article No°

Product Name

Affected Version(s)

217229

WHA-GW-F2D2-0-AS- Z2-ETH

\= 3.0.7

217229

WHA-GW-F2D2-0-AS- Z2-ETH

\= 3.0.8

217229

WHA-GW-F2D2-0-AS- Z2-ETH

\= 3.0.9

252863

WHA-GW-F2D2-0-AS- Z2-ETH.EIP

\= 3.0.7

252863

WHA-GW-F2D2-0-AS- Z2-ETH.EIP

\= 3.0.8

252863

WHA-GW-F2D2-0-AS- Z2-ETH.EIP

\= 3.0.9

**

Summary

**

Critical vulnerabilities have been discovered in the product and in the utilized components jQuery by jQuery Team and TLS Version 1.0/1.1.

The impact of the vulnerabilities on the affected device may result in

*   denial of service
*   remote code execution
*   code exposure

**

Vulnerabilities

**

**Weakness**

Use of Hard-coded Credentials (CWE-798)

**Summary**

_In PEPPERL+FUCHS WirelessHART-Gateway 3.0.7 to 3.0.9 the SSH and telnet services are active with hard-coded credentials._

**Weakness**

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

**Summary**

_In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.7 the filename parameter is vulnerable to unauthenticated path traversal attacks, enabling read access to arbitrary files on the server._

**Weakness**

Uncontrolled Resource Consumption (CWE-400)

**Summary**

_jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into ..._

**Weakness**

Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350)

**Summary**

_In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 serious issue exists, if the application is not externally accessible or uses IP-based access restrictions. Attackers can use DNS Rebinding to bypass any IP or ..._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable \_\_proto\_\_ property, ..._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the ..._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containingelements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation ..._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods ..._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove some extra chars which results in the enclosed script logic ..._

**Weakness**

Cleartext Storage of Sensitive Information in a Cookie (CWE-315)

**Summary**

_Any cookie-stealing vulnerabilities within the application or browser would enable an attacker to steal the user's credentials to the PEPPERL+FUCHS WirelessHART-Gateway 3.0.9._

**Summary**

_In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.9 a form contains a password field with autocomplete enabled. The stored credentials can be captured by an attacker who gains control over the user's computer. ..._

**Weakness**

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (CWE-444)

**Summary**

_In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 a vulnerability may allow remote attackers to rewrite links and URLs in cached pages to arbitrary strings._

**Weakness**

Cross-site Scripting (XSS) (CWE-79)

**Summary**

_In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 it is possible to inject arbitrary JavaScript into the application's response._

**Weakness**

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

**Summary**

_The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the ..._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag._

**Weakness**

Sensitive Cookie Without 'HttpOnly' Flag (CWE-1004)

**Summary**

_In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 and 3.0.9 the HttpOnly attribute is not set on a cookie. This allows the cookie's value to be read or set by client-side JavaScript._

**Summary**

_The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on ..._

**

Impact

**

Pepperl+Fuchs analyzed and identified affected devices.  
Remote attackers may exploit the vulnerability sending specially crafted packages that may result in a denial-of-service condition or code execution.

**Firmware Version**

**Affected by**

3.0.7

CVE-2020-11023, CVE-2020-11022, CVE-2020-7656, CVE-2019-11358, CVE-2016-10707, CVE-2015-9251, CVE-2014-6071, CVE-2012-6708, CVE-2011-4969, CVE-2007-2379, CVE-2021-33555, CVE-2021-34559, CVE-2021-34560, CVE-2021-34561, CVE-2021-34565

3.0.8

CVE-2020-11023, CVE-2020-11022, CVE-2020-7656, CVE-2019-11358, CVE-2016-10707, CVE-2015-9251, CVE-2014-6071, CVE-2012-6708, CVE-2011-4969, CVE-2007-2379, CVE-2021-34559, CVE-2021-34560, CVE-2021-34561, CVE-2021-34562, CVE-2021-34563, CVE-2021-34565

3.0.9

CVE-2021-34560, CVE-2021-34563, CVE-2021-34564, CVE-2013-0169, CVE-2021-34565

**

Solution

**

An external protective measure is required.

*   Minimize network exposure for affected products and ensure that they are not accessible via the Internet.
*   Isolate affected products from the corporate network.
*   If remote access is required, use secure methods such as virtual private networks (VPNs).

**

Reported by

**

Pepperl+Fuchs  
Coordinated by CERT@VDE

CVE-2021-34565: VDE-2021-027 | CERT@VDE

In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code.

**Report on vulnerability CVE-2021-36981 "Insecure Java deserialization of untrusted data".**

*   Subject: Unsafe Java deserialization of untrusted data, leading to Remote Code Execution (authenticated)
*   CVE ID#: CVE-2021-36981
*   Versions: All versions of verinice/verinice.PRO before 1.22.2
*   Summary: A vulnerability in the communication between the client and server components can be used by an authenticated user to execute arbitrary code on the server.

**1\. Description**

verinice uses Java serialization as a communication channel between client and server components. Frank Nusko of Secianus GmbH has found that the mechanism and framework being used is susceptible to exploits that can be used to cause execution of arbitrary code on the server component. The verinice.TEAM has confirmed the vulnerability.

Since this server component is also used in the standalone mode of verinice, it could theoretically be used for local attacks of the verinice client-only product by a malicious user. A malicious user on the same machine could execute arbitrary commands on the local host but with the permissions and context of the user running the verinice client. This second attack variant was not verified by us but as a cautionary measure we recommend all standalone-client users to install the available patch as well.

The vulnerability can be exploited to gain access to the underlying operating system, modify files, delete files and extract information, including all data in the verinice database.

**2\. Patch Availability**

An updated version of packages has been released to fix the issue. All users should install version 1.22.2 or later from the official repositories and/or the online shop:

*   https://shop.verinice.com
*   https://update.verinice.com

Users of the verinice.PRO server should install the available RPM packages using their established update procedure.

Users of the verinice standalone client version will be offered to install the updated version during startup. If the automated update mechanism has been disabled by the user, the update can be manually triggered by accessing the following menu item:

**_Help -> Check for Updates_**

**3\. CVSSv3 calculation**

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)

**4\. Workaround and mitigating factors**

A user with valid verinice application credentials (i.e. name and password) and network access to the HTTP(S) port (usually one of: 80/443/8080/8443) is required to execute the attack. The user does not need administrative privileges or any particular rights within verinice for the attack to work.

**5\. Timeline**

*   2021-07-14 – Frank Nusko of Secianus GmbH notified SerNet about the bug
*   2021-08-02 – SerNet has patch ready on source branch for testing
*   2021-08-12 – Secianus verified the patch
*   2021-08-30 – verinice 1.22.2 released, customers notified

_Reported by Frank Nusko, Secianus GmbH._

_Advisory written by the verinice.TEAM of SerNet GmbH._

_The verinice.TEAM provided the fix._

**Questions or problems with your update?**

Please feel free to contact us – we're here to help you!

Send Mail

CVE-2021-36981: Security Advisory

Command Injection in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary system commands via line 64 of the component 'simiki/blob/master/simiki/config.py'.

**1.XSS**

Examples:

    python3 -m simiki.cli new -t "Hello Simiki<svg/onload=alert(1)>" -c first-catetory
    
    python3 -m simiki.cli g
    python3 -m simiki.cli p
    
    

The affected file appears to be  
https://github.com/tankywoo/simiki/blob/master/simiki/generators.py Line 54

By default, jinja2 sets autoescape to False. Consider using autoescape=True or use the select\_autoescape function to mitigate XSS vulnerabilities.

**2.RCE**

https://github.com/tankywoo/simiki/blob/master/simiki/config.py line 64  
Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe\_load().

This can lead to remote code execution.

When simiki loads a malicious \_config.xml file.

Payload：

    !!python/object/new:os.system ["/Applications/Calculator.app/Contents/MacOS/Calculator"]
    

When using smiik again, smiik will load \_config.yml and cause remote code execution

Tag

#rce