#web

ABB Cylon Aspect version 3.08.00 suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the country, state, locality, organization, and hostname HTTP POST parameters called by the sslCertAjax.php script.

Ubuntu Security Notice 7014-3 - USN-7014-1 fixed a vulnerability in nginx. This update provides the corresponding update for Ubuntu 14.04 LTS. It was discovered that the nginx ngx_http_mp4 module incorrectly handled certain malformed mp4 files. In environments where the mp4 directive is in use, a remote attacker could possibly use this issue to cause nginx to crash, resulting in a denial of service.

Dolibarr version 20.0.1 suffers from a remote SQL injection vulnerability.

The family of functions to read "borrowed" values from Python weak references were fundamentally unsound, because the weak reference does itself not have ownership of the value. At any point the last strong reference could be cleared and the borrowed value would become dangling. In PyO3 0.22.4 these functions have all been deprecated and patched to leak a strong reference as a mitigation. PyO3 0.23 will remove these functions entirely.

Red Hat Security Advisory 2024-8131-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2024-8113-03 - Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.16.3 on Red Hat Enterprise Linux 9 from Red Hat Container Registry.

The US presidential election is stirring fears amongst a third of people who worry that their vote could be exposed to outsiders.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Data Center Expert Vulnerability: Improper Verification of Cryptographic Signature, Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to access private data. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following versions of Data Center Expert, a monitoring software, are affected: Data Center Expert: Versions 8.1.1.3 and prior 3.2 Vulnerability Overview 3.2.1 Improper Verification of Cryptographic Signature CWE-347 An improper verification of cryptographic signature vulnerability exists that could compromise the Data Center Expert software when an upgrade bundle is manipulated to include arbitrary bash scripts that are executed as root. CVE-2024-8531 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calcu...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.3 ATTENTION: Exploitable from an adjacent network Vendor: Siemens Equipment: Siveillance Video Camera Vulnerability: Classic Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute commands. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Siemens Siveillance Video Camera are affected: Siveillance Video Camera: All versions prior to V13.2 3.2 Vulnerability Overview 3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW') CWE-120 A possible buffer overflow in selected cameras' drivers from XProtect Device Pack can allow an attacker with ac...

Global Intelligence claims its Cybercheck technology can help cops find key evidence to nail a case. But a WIRED investigation reveals the smoking gun often appears far less solid.