#web

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.4 ATTENTION: Exploitable from adjacent network/Low attack complexity Vendor: IOSiX Equipment: IO-1020 Micro ELD Vulnerabilities: Use of Default Credentials, Download of Code Without Integrity Check 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an adjacent attacker to take control of vehicle systems by connecting to and modifying the affected device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following IOSiX products are affected: IO-1020 Micro ELD: Versions prior to 360 3.2 Vulnerability Overview 3.2.1 USE OF DEFAULT CREDENTIALS CWE-1392 IO-1020 Micro ELD uses a default WIFI password that could allow an adjacent attacker to connect to the device. CVE-2024-30210 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). A CVSS v4 score has also been calculated for CVE-2024-30210. A base score of 8.5 has been calc...

** DISPUTED ** A vulnerability was found in francoisjacquet RosarioSIS 11.5.1. It has been rated as problematic. This issue affects some unknown processing of the component Add Portal Note. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The associated identifier of this vulnerability is VDB-258911. NOTE: The vendor explains that the PDF is opened by the browser app in a sandbox, so no data from the website should be accessible.

To settle a years-long lawsuit, Google has agreed to delete “billions of data records” collected from users of “Incognito mode,” illuminating the pitfalls of relying on Chrome to protect your privacy.

Researchers have uncovered a campaign that turns Android phones into proxy nodes for malicious purposes.

### Summary Piccolo's admin panel provides the ability to upload media files and view them within the admin panel. If SVG is an allowed file type for upload; the default; an attacker can upload an SVG which when loaded under certain contexts allows for arbitrary access to the admin page. This access allows the following actions for example: - The ability for an attacker to gain access to all data stored within the admin page - The ability for an attacker to make any action within the admin page such as creating, modifying or deleting table records As the SVG is executed from the context of an authenticated admin session, any actions they may be able to make can be made by the attacker. *N.b. The relevant session cookies are inaccessible from JavaScript due to httponly being set so all exploits must be present within the SVG file* ### PoC _Complete instructions, including specific configuration details, to reproduce the vulnerability._ Currently, this requires the ability for a ...

Debian Linux Security Advisory 5651-1 - Two security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting or denial of service.

WordPress Gutenberg plugin version 18.0.0 suffers from a persistent cross site scripting vulnerability.

Gentoo Linux Security Advisory 202403-4 - A backdoor has been discovered in XZ utils that could lead to remote compromise of systems. Versions less than 5.6.0 are affected.

ARIS: Business Process Management version 10.0.21.0 suffers from a persistent cross site scripting vulnerability.

Millions lost internet service after three cables in the Red Sea were damaged. Houthi rebels deny targeting the cables, but their missile attack on a cargo ship, left adrift for months, is likely to blame.