#vulnerability

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Johnson Controls, Inc. Equipment: Web Service Vulnerability: Use of GET Request Method With Sensitive Query Strings 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to gain sensitive information. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Johnson Controls exacqVision Web Service are affected: exacqVision Web Service: Versions 24.03 and prior 3.2 Vulnerability Overview 3.2.1 USE OF GET REQUEST METHOD WITH SENSITIVE QUERY STRINGS CWE-598 Under certain circumstances exacqVision Web Service versions 24.03 and prior can expose authentication token details within communications. CVE-2024-32931 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Comme...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules Vulnerability: Unprotected Alternate Channel 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute CIP programming and configuration commands. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules are affected: ControlLogix: Version V28 GuardLogix: Version V31 1756-EN4TR: Version V2 1756-EN2T, Series A/B/C (unsigned version): Version v5.007 1756-EN2F, Series A/B (unsigned version): Version v5.007 1756-EN2TR, Series A/B (unsigned version): Version v5.007 1756-EN3TR, Series B (unsigned version): Version v5.007 1756-EN2T, Series A/B/C (signed version): Version v5.027 1756-EN2F, Series A/B (signed version): Version v5.027 1756-EN2TR, Series A/B (signed version): Version v5.027 1...

How to detect and prevent attackers from using these various techniques Obfuscation is an important technique for protecting software that also carries risks, especially when used by malware authors. In this article, we examine obfuscation, its effects, and responses to it. What Is Obfuscation? Obfuscation is the technique of intentionally making information difficult to read, especially in

The RayV Lite will make it hundreds of times cheaper for anyone to carry out physics-bending feats of hardware hacking.

An issue in beego v.2.2.0 and before allows a remote attacker to escalate privileges via the `sendMail` function located in the `beego/core/logs/smtp.go` file.

An issue in beego v.2.2.0 and before allows a remote attacker to escalate privileges via the `getCacheFileName` function in the `file.go` file.

### Impact ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". Due to a implementation change to prevent deadlocks calling the database, the flag would not be correctly respected in all cases and an attacker would gain information if an account exist within ZITADEL, since the error message shows "object not found" instead of the generic error message. ### Patches 2.x versions are fixed on >= [2.58.1](https://github.com/zitadel/zitadel/releases/tag/v2.58.1) 2.57.x versions are fixed on >= [2.57.1](https://github.com/zitadel/zitadel/releases/tag/v2.57.1) 2.56.x versions are fixed on >= [2.56.2](https://github.com/zitadel/zitadel/releases/tag/v2.56.2) 2.55.x versions are fixed on >= [2.55.5](https://github.com/zitadel/zitadel/releases/tag/v2.55.5) 2.54.x versions are fi...

### Impact ZITADEL uses HTML for emails and renders certain information such as usernames dynamically. That information can be entered by users or administrators. Due to a missing output sanitization, these emails could include malicious code. This may potentially lead to a threat where an attacker, without privileges, could send out altered notifications that are part of the registration processes. An attacker could create a malicious link, where the injected code would be rendered as part of the email. During investigation of this issue a related issue was found and mitigated, where on the user's detail page the username was not sanitized and would also render HTML, giving an attacker the same vulnerability. While it was possible to inject HTML including javascript, the execution of such scripts would be prevented by most email clients and the Content Security Policy in Console UI. ### Patches 2.x versions are fixed on >= [2.58.1](https://github.com/zitadel/zitadel/releases/tag/...

### Impact An open redirect vulnerability exist in MobSF authentication view. PoC 1. Go to http://127.0.0.1:8000/login/?next=//afine.com in a web browser. 2. Enter credentials and press "Sign In". 3. You will be redirected to [afine.com](http://afine.com/) Users who are not using authentication are not impacted. ### Patches Update to MobSF v4.0.5 ### Workarounds Disable Authentication ### References Fix: https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/fdaad81314f393d324c1ede79627e9d47986c8c8 ### Reporter Marcin Węgłowski