#web

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Industrial Edge Devices Vulnerability: Weak Authentication 2. RISK EVALUATION Successful exploitation of the vulnerability could allow an unauthenticated attacker to bypass authentication and impersonate a legitimate user. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens Industrial Edge Own Device (IEOD): All versions prior to V1.21.1-1-a Siemens Industrial Edge Virtual Device: All versions prior to V1.21.1-1-a Siemens SCALANCE LPE9413 (6GK5998-3GS01-2AC2): All versions Siemens SIMATIC IPC127E In...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.9 ATTENTION: Low attack complexity Vendor: Subnet Solutions Inc. Equipment: PowerSYSTEM Center (PSC) 2020 Vulnerabilities: Out-of-Bounds Read, Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Subnet Solutions products are affected: PowerSYSTEM Center 2020: Versions 5.24.x and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS READ CWE-125 PowerSYSTEM Center's SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters. CVE-2025-31354 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). A CVSS v4 score has also been calculated for CVE-2025-3...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.4 ATTENTION: Exploitable locally Vendor: Siemens Equipment: License Server Vulnerabilities: Improper Privilege Management, Improper Certificate Validation 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow a low-privileged local user to escalate privileges or perform arbitrary code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: License Server (SLS): All versions before V4.3 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269 The affected application searches for executable files in the application folder without proper valida...

Cybersecurity researchers have disclosed details of an artificial intelligence (AI) powered platform called AkiraBot that's used to spam website chats, comment sections, and contact forms to promote dubious search engine optimization (SEO) services such as Akira and ServicewrapGO. "AkiraBot has targeted more than 400,000 websites and successfully spammed at least 80,000 websites since September

A hacker using the alias “Satanic” claims a WooCommerce data breach via a third party, selling data on…

### Impact _What kind of vulnerability is it? Who is impacted?_ **Description:** This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications. Service logs are intended to be handled securely. **Impact:** The vulnerability impacts service logs that meet the following criteria: - **Logging Level:** Logs are generated at the information level. - **Credential Descriptions:** containing: - Local file paths with passwords. - Base64 encoded values. - Client secret. Additionally, logs of services using Base64 encoded certificates or certificate paths with password credential descriptions are also affected if the certificates are invalid or expired, regardless of the log level. Note that these credentials are not usable due to their invalid or expired status. If your service log...

Stay secure on the move. Protect your devices, data, and privacy with smart habits, reliable gear, updated software…

Cybersecurity researchers have identified a new spam campaign driven by ‘AkiraBot,’ an AI-powered bot that targets small business…

Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties are logged when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has the debug level enabled. This issue affects Apache ActiveMQ Artemis: from 1.5.1 before 2.40.0. It can be mitigated by restricting log access to only trusted users. Users are recommended to upgrade to version 2.40.0, which fixes the issue.

Lovable, a generative artificial intelligence (AI) powered platform that allows for creating full-stack web applications using text-based prompts, has been found to be the most susceptible to jailbreak attacks, allowing novice and aspiring cybercrooks to set up lookalike credential harvesting pages. "As a purpose-built tool for creating and deploying web apps, its capabilities line up perfectly