1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: ThinManager ThinServer
Vulnerabilities: Improper Input Validation
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to remotely delete arbitrary files with system privileges.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Rockwell Automation reports this vulnerability affects the following versions of ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software:
ThinManager ThinServer: Versions 11.0.0-11.0.6
ThinManager ThinServer: Versions 11.1.0-11.1.6
ThinManager ThinServer: Versions 11.2.0-11.2.6
ThinManager ThinServer: Versions 12.1.0-12.1.6
ThinManager ThinServer: Versions 12.0.0-12.0.5
ThinManager ThinServer: Versions 13.0.0-13.0.2
ThinManager ThinServer: Version 13.1.0
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER INPUT VALIDATION CWE-20
Due to improper input validation, an integer o...
1. EXECUTIVE SUMMARY
CVSS v3 9.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: AFF66x
Vulnerabilities: Cross-site Scripting, Use of Insufficiently Random Values, Origin Validation Error, Integer Overflow or Wraparound, Uncontrolled Resource Consumption, NULL Pointer Dereference
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to compromise availability, integrity, and confidentiality of the targeted devices.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports these vulnerabilities affect the following AFF660/665 products:
AFF660/665: Firmware 03.0.02 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 CROSS-SITE SCRIPTING CWE-79
In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names DNS servers returned via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo could lead to output of wrong hostnames (leading to domain hijacking) or injection...
1. EXECUTIVE SUMMARY
CVSS v3 6.8
ATTENTION: Low attack complexity
Vendor: Trane
Equipment: XL824, XL850, XL1050, and Pivot thermostats
Vulnerability: Injection
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands as root using a specially crafted filename.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Trane reports this vulnerability affects the following thermostats:
Trane Technologies XL824 Thermostat: Firmware versions 5.9.8 and earlier
Trane Technologies XL850 Thermostat: Firmware versions 5.9.8 and earlier
Trane Technologies XL1050 Thermostat: Firmware versions 5.9.8 and earlier
Trane Technologies Pivot Thermostat: Firmware versions 1.8 and earlier
3.2 VULNERABILITY OVERVIEW
3.2.1 INJECTION CWE-74
A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats allowing an attacker to execute arbitrary commands as root using a specially crafted filename. The vulnerability requ...
Cyberattack on UK IT Firm Swan Retail Affects 300 Retailers (HackRead.com, by Deeba Ahmed): Hundreds of impacted retailers could not process payments, complete orders, or trade online due to the attack on Swan Retail.
Unlike web browsers, mobile apps increasingly make it difficult or impossible to see what companies are really doing with your data. The answer? An inspectability API.
Trusted Advisor puts you in the security driving seat (Malwarebytes Labs): Malwarebytes' new Trusted Advisor makes security easy with a comprehensive, at-a-glance, real-time assessment.
A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote." "The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. "The application
A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Jenkins Fortify Plugin 22.1.38 and earlier does not escape the error message for a form validation method, resulting in an HTML injection vulnerability.
Chinese Hackers Using Stolen Ivacy VPN Certificate To Sign Malware (HackRead.com, by Waqas): Bronze Starlight hackers have been cleverly utilizing a valid Ivacy VPN code-signing certificate to target the Southeast Asian gambling industry.