Phoenix Contact TC ROUTER and TC CLOUD CLIENT

1. EXECUTIVE SUMMARY
CVSS v3 9.6
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Phoenix Contact
Equipment: TC ROUTER and TC CLOUD CLIENT
Vulnerabilities: Cross-site Scripting, XML Entity Expansion

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could execute code in the context of the user's browser or cause a denial of service.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Phoenix Contact reports that the following products are affected:
TC ROUTER 3002T-4G: versions prior to 2.07.2
TC ROUTER 3002T-4G ATT: versions prior to 2.07.2
TC ROUTER 3002T-4G VZW: versions prior to 2.07.2
TC CLOUD CLIENT 1002-4G: versions prior to 2.07.2
TC CLOUD CLIENT 1002-4G ATT: versions prior to 2.07.2
TC CLOUD CLIENT 1002-4G VZW: versions prior to 2.07.2
CLOUD CLIENT 1101T-TX/TX: versions prior to 2.06.10

3.2 Vulnerability Overview
3.2.1 Cross-site Scripting CWE-79
In PHOENIX CONTACT TC ROUTER and TC CLOUD CLIENT prior to version 2.07.2 as ...

Source: us-cert

Socomec MOD3GP-SY-120K

1. EXECUTIVE SUMMARY
CVSS v3 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Socomec
Equipment: MOD3GP-SY-120K
Vulnerabilities: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Insecure Storage of Sensitive Information, Reliance on Cookies without Validation and Integrity Checking, Code Injection, Plaintext Storage of a Password

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute malicious JavaScript code, obtain sensitive information, or steal session cookies.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Socomec products are affected:
MODULYS GP (MOD3GP-SY-120K): Web firmware v01.12.10

3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
Persistent cross-site scripting (XSS) in the web application of MOD3GP-SY-120K allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into...

Dover Fueling Solutions MAGLINK LX Console

1. EXECUTIVE SUMMARY
CVSS v3 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Dover Fueling Solutions
Equipment: MAGLINK LX - Web Console Configuration
Vulnerabilities: Authentication Bypass using an Alternate Path or Channel, Improper Access Control, Path Traversal

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the system.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of MAGLINK LX Web Console Configuration are affected:
MAGLINK LX Web Console Configuration: version 2.5.1
MAGLINK LX Web Console Configuration: version 2.5.2
MAGLINK LX Web Console Configuration: version 2.5.3
MAGLINK LX Web Console Configuration: version 2.6.1
MAGLINK LX Web Console Configuration: version 2.11
MAGLINK LX Web Console Configuration: version 3.0
MAGLINK LX Web Console Configuration: version 3.2
MAGLINK LX Web Console Configuration: version 3.3

3.2 Vulnerability Overview
3.2.1 AUTHENTICATION BYPASS USING...

Facebook Trains Its AI on Your Data. Opting Out May Be Futile

Here's how to request that your personal information not be used to train Meta's AI model. "Request" is the operative word here.

RHSA-2023:5019: Red Hat Security Advisory: firefox security update

An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
* CVE-2023-4051: The Mozilla Foundation Security Advisory describes this flaw as: A website could have obscured the full screen notification by using the file open dialog. This could have led to user confusion and possible spoofing attacks.
* CVE-2023-4053: The Mozilla Foundation Security Advisory describes this flaw as: A website could have obscured the full scr...

GAM3S.GG Raises $2M to Grow Web3 Gaming Superapp

By Owais Sultan. GAM3S.GG Secures $2M Seed Funding Led by Mechanism Capital to Grow Web3 Gaming Superapp. This is a post from HackRead.com. Read the original post: GAM3S.GG Raises $2M to Grow Web3 Gaming Superapp

Alert: Apache SuperSet Vulnerabilities Expose Servers to Remote Code Execution Attacks

Patches have been released to address two new security vulnerabilities in Apache SuperSet that could be exploited by an attacker to gain remote code execution on affected systems. The update (version 2.1.1) plugs CVE-2023-39265 and CVE-2023-37941, which make it possible to conduct nefarious actions once a bad actor is able to gain control of Superset’s metadata database. Outside of these

Mirai Botnet Variant 'Pandora' Hijacks Android TVs for Cyberattacks

A Mirai botnet variant called Pandora has been observed infiltrating inexpensive Android-based TV sets and TV boxes and using them as part of a botnet to perform distributed denial-of-service (DDoS) attacks. Doctor Web said the compromises are likely to occur either during malicious firmware updates or when applications for viewing pirated video content are installed. "It is likely that this

Outlook Breach: Microsoft Reveals How a Crash Dump Led to a Major Security Breach

Microsoft on Wednesday revealed that a China-based threat actor known as Storm-0558 acquired the inactive consumer signing key used to forge tokens to access Outlook by compromising an engineer's corporate account. This enabled the adversary to access a debugging environment that contained a crash dump of the consumer signing system, taken in April 2021, and steal the key. "A consumer

CVE-2023-38031: ASUS RT-AC86U - Command injection vulnerability - 1

The ASUS RT-AC86U Adaptive QoS - Web History function has insufficient filtering of special characters. A remote attacker with regular user privileges can exploit this vulnerability to perform a command injection attack, execute arbitrary commands, disrupt the system, or terminate services.