
Tag

#web

Subnet Solutions Inc. PowerSYSTEM Center

1. EXECUTIVE SUMMARY

- CVSS v3 7.5
- ATTENTION: Exploitable remotely/Low attack complexity
- Vendor: Subnet Solutions Inc.
- Equipment: PowerSYSTEM Center
- Vulnerabilities: Server-Side Request Forgery (SSRF), Inefficient Regular Expression Complexity, Cross-Site Request Forgery (CSRF)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an attacker bypassing a proxy, creating a denial-of-service condition, or viewing sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PowerSYSTEM Center are affected:

- PowerSYSTEM Center: PSC 2020 v5.21.x and prior

3.2 Vulnerability Overview

3.2.1 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

Vulnerable versions of PowerSYSTEM Center utilize Axios NPM package 0.21.0, which contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. CVE-2020-28168 has been assi...

us-cert
#csrf #vulnerability #web #ios #dos #nodejs #ssrf
Delta Electronics DIAEnergie

1. EXECUTIVE SUMMARY

- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Delta Electronics
- Equipment: DIAEnergie
- Vulnerabilities: SQL Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to retrieve records or cause a denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Delta Electronics DIAEnergie, an industrial energy management system, are affected:

- DIAEnergie: Versions v1.10.01.008 and prior.

3.2 Vulnerability Overview

3.2.1 SQL Injection CWE-89

Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script AM_RegReport.aspx. An unauthenticated attacker may be able to exploit this issue to obtain records contained in the targeted product. CVE-2024-43699 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculat...

Threat actor believed to be spreading new MedusaLocker variant since 2022

The malware, called "BabyLockerKZ," has primarily affected users in Europe and South America.

AI 'Nude Photo Generator' Delivers Infostealers Instead of Images

The FIN7 group is mounting a sophisticated malware campaign that spans numerous websites, to lure people with a deepfake tool promising to create nudes out of photos.

INTERPOL Arrests 8 in Major Phishing and Romance Fraud Crackdown in West Africa

INTERPOL has announced the arrest of eight individuals in Côte d'Ivoire and Nigeria as part of a crackdown on phishing scams and romance cyber fraud. Dubbed Operation Contender 2.0, the initiative is designed to tackle cyber-enabled crimes in West Africa, the agency said. One such threat involved a large-scale phishing scam targeting Swiss citizens that resulted in financial losses to the tune

Near-'perfctl' Fileless Malware Targets Millions of Linux Servers

Armed with a staggering arsenal of at least 20,000 different exploits for various Linux server misconfigurations, perfctl is everywhere, annoying, and tough to get rid of.

Red Hat Insights provides analytics for the IBM X-Force Cloud Threat Report

IBM recently released their 2024 X-Force Cloud Threat Landscape Report. According to IBM, this report “provides a global cross-industry perspective on how threat actors are compromising cloud environments, the malicious activities they’re conducting once inside compromised networks and the impact it’s having on organizations.” Within the threat landscape report and as a part of IBM’s collaboration with Red Hat Insights, IBM X-Force analyzed and assessed data from the Red Hat Insights compliance service to understand what the most common failures are across all the policy types that are

NSA Releases 6 Principles of OT Cybersecurity

Organizations can use this guide to make decisions about designing, implementing, and managing OT environments to ensure they are both safe and secure, as well as to enable business continuity for critical services.

GHSA-r7rh-jww5-5fjr: Pomerium service account access token may grant unintended access to databroker API

### Impact

We've identified a vulnerability in the Pomerium databroker service API that may grant unintended access under specific conditions. This affects only certain Pomerium Zero and Pomerium Enterprise deployments.

#### Who is affected?

A Pomerium deployment is susceptible to this issue if _all_ of the following conditions are met:

- You have issued a [service account](https://www.pomerium.com/docs/capabilities/service-accounts) access token using Pomerium Zero or Pomerium Enterprise.
- The access token has an explicit expiration date in the future.
- The core Pomerium databroker gRPC API is not otherwise secured by network access controls.

If your deployment does not meet _all_ of these conditions, you are not affected by this vulnerability.

#### Details

The Pomerium databroker service is responsible for managing all persistent Pomerium application state. Requests to the databroker service API are authorized by the presence of a JSON Web Token (JWT) signed by a key known by...

GHSA-mrw8-5368-phm3: Contao allows an admin account to upload SVG file containing malicious JavaScript

Contao 5.4.1 allows an authenticated admin account to upload an SVG file containing malicious JavaScript code into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or the execution of arbitrary code on the target via crafted JavaScript.