#vulnerability

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.0 ATTENTION: Exploitable from adjacent network Vendor: Hitachi Energy Equipment: SDM600 Vulnerabilities: Origin Validation Error, Incorrect Authorization 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges and access sensitive information. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Hitachi Energy reports that the following products are affected: Hitachi Energy SDM600: Versions prior to 1.3.4 3.2 Vulnerability Overview 3.2.1 ORIGIN VALIDATION ERROR CWE-346 A vulnerability exists in the too permissive HTTP response header web server settings of the SDM600. An attacker can take advantage of this and possibly carry out privileged actions and access sensitive information. CVE-2024-2377 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H). 3.2.2 INCORRECT AUTHORIZATION CWE-863 A vuln...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.9 ATTENTION: Exploitable remotely Vendor: Hitachi Energy Equipment: RTU500 series CMU Vulnerability: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Hitachi Energy products are affected: RTU500 series CMU Firmware: Versions 12.0.1 through 12.0.14 RTU500 series CMU Firmware: Versions 12.2.1 through 12.2.11 RTU500 series CMU Firmware: Versions 12.4.1 through 12.4.11 RTU500 series CMU Firmware: Versions 12.6.1 through 12.6.9 RTU500 series CMU Firmware: Versions 12.7.1 through 12.7.6 RTU500 series CMU Firmware: Versions 13.2.1 through 13.2.6 RTU500 series CMU Firmware: Versions 13.4.1 through 13.4.3 RTU500 series CMU Firmware: Version 13.5.1 3.2 Vulnerability Overview 3.2.1 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.4 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Modicon Controllers Vulnerability: Cross-site Scripting 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a victim's browser to run arbitrary JavaScript when visiting a page containing injected payload. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: Schneider Electric Modicon Controllers M258 / LMC058: All versions Schneider Electric Modicon Controllers M262: Versions prior to 5.2.8.26 Schneider Electric Modicon Controllers M251: Versions prior to 5.2.11.24 Schneider Electric Modicon Controllers M241: Versions prior to 5.2.11.24 3.2 Vulnerability Overview 3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79 A Cross-site Scripting  vulnerability exists  where an attacker could cause a victim's brows...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Accutech Manager Vulnerability: Classic Buffer Overflow 2. RISK EVALUATION Successful exploitation could allow an attacker to cause a crash of the Accutech Manager when receiving a specially crafted request over port 2536/TCP. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: Schneider Electric Accutech Manager: Versions 2.08.01 and prior 3.2 Vulnerability Overview 3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW') CWE-120 A Classic Buffer Overflow vulnerability exists that could cause a crash of the Accutech Manager when receiving a specially crafted request over port 2536/TCP. CVE-2024-6918 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 3.3 BACKGROUND ...

This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about  malicious Windows drivers.

A free VPN app called Big Mama is selling access to people’s home internet networks. Kids are using it to cheat in a VR game while researchers warn of bigger security risks.

Fortinet has issued an advisory for a now-patched critical security flaw impacting Wireless LAN Manager (FortiWLM) that could lead to disclosure of sensitive information. The vulnerability, tracked as CVE-2023-34990, carries a CVSS score of 9.6 out of a maximum of 10.0. "A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files," the

The number of DDoS-related incidents targeting APIs have jumped by 30x compared with traditional Web assets, suggesting that attackers see the growing API landscape as the more attractive target.

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xrh7-2gfq-4rcq. This link is maintained to preserve external references. ## Original Description OpenCart 4.0.2.3 is vulnerable to Server-Side Template Injection (SSTI) via the Theme Editor Function.