#web

Ubuntu Security Notice 6896-5 - It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the Atheros 802.11ac wireless driver did not properly validate certain data structures, leading to a NULL pointer dereference. An attacker could possibly use this to cause a denial of service.

LMS ZAI version 6.1 suffers from an ignored default credential vulnerability.

Quick Job version 2.4 suffers from an insecure direct object reference vulnerability.

PPDB ONLINE version 1.3 appears to suffer from an administrative page disclosure issue.

eDesign CMS version 2.0 suffers from an insecure direct object reference vulnerability.

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: AFS650, AFS660, AFS665, AFS670, AFS675, AFS677, AFR677 Vulnerabilities: Type Confusion, Use After Free, Double Free, Observable Discrepancy 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to create a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Hitachi Energy AFS/AFR are affected: AFS650: Version 9.1.08 and prior AFS660-C: Version 7.1.05 and prior AFS665-B: Version 7.1.05 and prior AFS670-V2: Version 7.1.05 and prior AFS670: Version 9.1.08 and prior AFS675: Version 9.1.08 and prior AFS677: Version 9.1.08 and prior AFR677: Version 9.1.08 and prior 3.2 Vulnerability Overview 3.2.1 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843 There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addr...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.4 ATTENTION: Low attack complexity Vendor: National Instruments Equipment: LabVIEW Vulnerabilities: Out-of-Bounds Read, Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow a local attacker to disclose information and execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following National Instruments LabVIEW products are affected: LabVIEW: Versions 24.1f0 and prior 3.2 Vulnerability Overview 3.2.1 OUT-OF-BOUNDS READ CWE-125 LabVIEW is vulnerable to an out-of-bounds read, which could allow a local attacker to execute arbitrary code on affected installations of LabVIEW. User interaction is required to exploit the vulnerabilities in that the user must open a malicious VI file. CVE-2024-4079 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.4 ATTENTION: Low attack complexity Vendor: National Instruments Equipment: IO Trace Vulnerability: Stack-Based Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a local attacker to execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following National Instruments I/O TRACE bundled products are affected: I/O TRACE: All versions 3.2 Vulnerability Overview 3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121 The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code. User interaction is required to exploit the vulnerability in that the user must open a malicious nitrace file. CVE-2024-5602 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2024-5602. A base score of 8.4 has been calc...

Threat actors have been observed using swap files in compromised websites to conceal a persistent credit card skimmer and harvest payment information. The sneaky technique, observed by Sucuri on a Magento e-commerce site's checkout page, allowed the malware to survive multiple cleanup attempts, the company said. The skimmer is designed to capture all the data into the credit card form on the

Google on Monday abandoned plans to phase out third-party tracking cookies in its Chrome web browser more than four years after it introduced the option as part of a larger set of a controversial proposal called the Privacy Sandbox. "Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web