#web

1. EXECUTIVE SUMMARY CVSS v3 9.6 ATTENTION: Exploitable remotely/low attack complexity  Vendor: CODESYS, GmbH  Equipment: CODESYS Development System  Vulnerability: Insufficient Verification of Data Authenticity.  2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute a-man-in-the-middle (MITM) attack to execute arbitrary code.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS CODESYS reports this vulnerability affects the following versions of CODESYS Development System:  CODESYS Development System: versions from 3.5.11.0 and prior to 3.5.19.20  3.2 VULNERABILITY OVERVIEW 3.2.1 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345  In CODESYS Development System versions from 3.5.11.0 and before 3.5.19.20 a missing integrity check might allow an unauthenticated remote attacker to manipulate the content of notifications received via HTTP by the CODESYS notification server.  CVE-2023-3663 has been assigned to this vulnerability. A CVSS v3 base scor...

1. EXECUTIVE SUMMARY ​CVSS v3 8.6  ​ATTENTION: Exploitable remotely/low attack complexity  ​Vendor: Rockwell Automation   ​Equipment: 1734-AENT/1734-AENTR Series C, 1734-AENT/1734-AENTR Series B, 1738-AENT/ 1738-AENTR Series B, 1794-AENTR Series A, 1732E-16CFGM12QCWR Series A, 1732E-12X4M12QCDR Series A, 1732E-16CFGM12QCR Series A, 1732E-16CFGM12P5QCR Series A, 1732E-12X4M12P5QCDR Series A, 1732E-16CFGM12P5QCWR Series B, 1732E-IB16M12R Series B, 1732E-OB16M12R Series B, 1732E-16CFGM12R Series B, 1732E-IB16M12DR Series B, 1732E-OB16M12DR Series B, 1732E-8X8M12DR Series B, 1799ER-IQ10XOQ10 Series B  ​Vulnerability: Out-of-Bounds Write  2. RISK EVALUATION ​Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service on the affected products.   3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS ​The following versions of select Input/Output Modules from Rockwell Automation are affected:  ​1734-AENT/1734-AENTR Series C: Versions 7.011 and prior   ​1734-AENT/173...

1. EXECUTIVE SUMMARY CVSS v3 3.3  ATTENTION: low attack complexity  Vendor: CODESYS, GmbH  Equipment: CODESYS Development System  Vulnerability: Improper Restriction of Excessive Authentication Attempts.  2. RISK EVALUATION Successful exploitation of this vulnerability could provide a local attacker with account information.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS CODESYS reports this vulnerability affects the following versions of CODESYS Development System:  CODESYS Development System: versions prior to 3.5.19.20  3.2 VULNERABILITY OVERVIEW 3.2.1 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345  A missing brute-force protection in CODESYS Development System prior to 3.5.19.20 could allow a local attacker to have unlimited attempts of guessing the password within an import dialog.  CVE-2023-3669 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).  3.3 BACKGROUND CRITICAL IN...

Public Wi-Fi, which has long since become the norm, poses threats to not only individual users but also businesses. With the rise of remote work, people can now work from virtually anywhere: a cafe close to home, a hotel in a different city, or even while waiting for a plane at the airport. Next, let's explore the risks of connecting to public Wi-Fi, both for you personally and for businesses.

Thousands of Openfire XMPP servers are unpatched against a recently disclosed high-severity flaw and are susceptible to a new exploit, according to a new report from VulnCheck. Tracked as CVE-2023-32315 (CVSS score: 7.5), the vulnerability relates to a path traversal vulnerability in Openfire's administrative console that could permit an unauthenticated attacker to access otherwise restricted

The vulnerability exists in CP-Plus NVR due to an improper input handling at the web-based management interface of the affected product. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable device. Successful exploitation of this vulnerability could allow the remote attacker to obtain sensitive information on the targeted device.

The vulnerability exists in CP-Plus DVR due to an improper input validation within the web-based management interface of the affected products. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable device. Successful exploitation of this vulnerability could allow the remote attacker to change system time of the targeted device.

A vulnerability has been identified in the ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, which can be exploited by malicious actors to potentially gain unauthorized access to the product. This could lead to security breaches, data theft, and unauthorized manipulation of sensitive information. The vulnerability is attributed to the presence of an unauthorized service, which could potentially enable unauthorized access to the. device.

By Deeba Ahmed Akira ransomware operators specialize in targeting corporate endpoints for stealing sensitive data. This is a post from HackRead.com Read the original post: New Akira Ransomware Targets Businesses via Exploited CISCO VPNs

Cross Site Scripting (XSS) vulnerability in sourcecodester Student Study Center Desk Management System 1.0 allows attackers to run arbitrary code via crafted GET request to web application URL.