#web

Reportico 7.1.21 is vulnerable to Cross Site Scripting (XSS).

A vulnerability has been identified in PT-G503 Series firmware versions prior to v5.2, where the Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the cookie to be transmitted in plaintext over an HTTP session. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.

GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PHP files can then be executed through a web server request. Version 10.0.10 fixes this issue. As a workaround, remove write access on `/ajax` and `/front` files to the web server.

A vulnerability was found in SourceCodester Company Website CMS 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /dashboard/createblog of the component Create Blog Page. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-244310 is the identifier assigned to this vulnerability.

A Stored Cross-Site Scripting vulnerability was discovered in ZenTao 18.3 where a user can create a project, and in the name field of the project, they can inject malicious JavaScript code.

Submitty before v22.06.00 is vulnerable to Cross Site Scripting (XSS). An attacker can create a malicious link in the forum that leads to XSS.

By Owais Sultan India Blockchain Week (IBW), the country’s flagship series of blockchain and Web3 events held in Bangalore from Dec.4-10, is… This is a post from HackRead.com Read the original post: India Blockchain Week (IBW) Unveils Diverse Speaker Line-up

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: SpaceLogic C-Bus Toolkit Vulnerabilities: Improper Privilege Management, Path Traversal 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, which could result in tampering of the SpaceLogic C-Bus home automation system. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Schneider Electric products are affected: SpaceLogic C-Bus Toolkit: Versions 1.16.3 and prior 3.2 Vulnerability Overview 3.2.1 Improper Privilege Management CWE-269 Schneider Electric's SpaceLogic C-Bus Toolkit product is vulnerable due to improper privilege management, which could cause remote code execution when the transfer command is used over the network. CVE-2023-5402 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Red Lion Equipment: FlexEdge Gateway, DA50A, DA70A running Crimson Vulnerability: Improper Neutralization of Null Byte or NUL Character 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to truncate passwords configured by the Crimson configuration tool which could create weaker than intended credentials. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Red Lion products are affected: Crimson: v3.2.0053.18 or prior 3.2 Vulnerability Overview 3.2.1 IMPROPER NEUTRALIZATION OF NULL BYTE OR NUL CHARACTER CWE-158 The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting security configuration to a device. If such a password contains the percent (%) character, invalid values will be included, potentially truncating the string if a NUL is encountered....

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.3 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Franklin Fueling System Equipment: TS-550 Vulnerability: Use of Password Hash with Insufficient Computational Effort 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to access the device and gain unauthenticated access. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Franklin Fueling System TS-550, are affected: TS-550: All versions prior to 1.9.23.8960 3.2 Vulnerability Overview 3.2.1 USE OF PASSWORD HASH WITH INSUFFICIENT COMPUTATIONAL EFFORT CWE-916 Franklin Fueling System TS-550 versions prior to 1.9.23.8960 are vulnerable to attackers decoding admin credentials, resulting in unauthenticated access to the device. CVE-2023-5846 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L). 3.3 BACK...