Security
Headlines
HeadlinesLatestCVEs

Tag

#web

Siemens Industrial Edge Devices

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Industrial Edge Devices Vulnerability: Weak Authentication 2. RISK EVALUATION Successful exploitation of the vulnerability could allow an unauthenticated attacker to bypass authentication and impersonate a legitimate user. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens Industrial Edge Own Device (IEOD): All versions prior to V1.21.1-1-a Siemens Industrial Edge Virtual Device: All versions prior to V1.21.1-1-a Siemens SCALANCE LPE9413 (6GK5998-3GS01-2AC2): All versions Siemens SIMATIC IPC127E In...

us-cert
#vulnerability#web#git#perl#auth
Subnet Solutions PowerSYSTEM Center

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.9 ATTENTION: Low attack complexity Vendor: Subnet Solutions Inc. Equipment: PowerSYSTEM Center (PSC) 2020 Vulnerabilities: Out-of-Bounds Read, Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Subnet Solutions products are affected: PowerSYSTEM Center 2020: Versions 5.24.x and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS READ CWE-125 PowerSYSTEM Center's SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters. CVE-2025-31354 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). A CVSS v4 score has also been calculated for CVE-2025-3...

Siemens License Server

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.4 ATTENTION: Exploitable locally Vendor: Siemens Equipment: License Server Vulnerabilities: Improper Privilege Management, Improper Certificate Validation 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow a low-privileged local user to escalate privileges or perform arbitrary code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: License Server (SLS): All versions before V4.3 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269 The affected application searches for executable files in the application folder without proper valida...

AkiraBot Targets 420,000 Sites with OpenAI-Generated Spam, Bypassing CAPTCHA Protections

Cybersecurity researchers have disclosed details of an artificial intelligence (AI) powered platform called AkiraBot that's used to spam website chats, comment sections, and contact forms to promote dubious search engine optimization (SEO) services such as Akira and ServicewrapGO. "AkiraBot has targeted more than 400,000 websites and successfully spammed at least 80,000 websites since September

Hacker Claims WooCommerce Data Breach, Selling 4m User Records

A hacker using the alias “Satanic” claims a WooCommerce data breach via a third party, selling data on…

GHSA-rpq8-q44m-2rpg: Microsoft Identity Web Exposes Client Secrets and Certificate Information in Service Logs

### Impact _What kind of vulnerability is it? Who is impacted?_ **Description:** This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications. Service logs are intended to be handled securely. **Impact:** The vulnerability impacts service logs that meet the following criteria: - **Logging Level:** Logs are generated at the information level. - **Credential Descriptions:** containing: - Local file paths with passwords. - Base64 encoded values. - Client secret. Additionally, logs of services using Base64 encoded certificates or certificate paths with password credential descriptions are also affected if the certificates are invalid or expired, regardless of the log level. Note that these credentials are not usable due to their invalid or expired status. If your service log...

Protecting Your Business on the Move: A Modern Cybersecurity Guide

Stay secure on the move. Protect your devices, data, and privacy with smart habits, reliable gear, updated software…

New AkiraBot Abuses OpenAI API to Spam Website Contact Forms

Cybersecurity researchers have identified a new spam campaign driven by ‘AkiraBot,’ an AI-powered bot that targets small business…

GHSA-pm4j-p7pm-fpvx: Apache ActiveMQ Artemis Vulnerable to Insertion of Sensitive Information into Log File

Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties are logged when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has the debug level enabled. This issue affects Apache ActiveMQ Artemis: from 1.5.1 before 2.40.0. It can be mitigated by restricting log access to only trusted users. Users are recommended to upgrade to version 2.40.0, which fixes the issue.

Lovable AI Found Most Vulnerable to VibeScamming — Enabling Anyone to Build Live Scam Pages

Lovable, a generative artificial intelligence (AI) powered platform that allows for creating full-stack web applications using text-based prompts, has been found to be the most susceptible to jailbreak attacks, allowing novice and aspiring cybercrooks to set up lookalike credential harvesting pages. "As a purpose-built tool for creating and deploying web apps, its capabilities line up perfectly