#web

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: FactoryTalk ThinManager Vulnerabilities: Missing Authentication For Critical Function, Out-of-Bounds Read 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to send crafted messages to the device resulting in database manipulation or a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Rockwell Automation FactoryTalk product versions are affected: ThinManager: Versions 11.2.0 to 11.2.9 ThinManager: Versions 12.0.0 to 12.0.7 ThinManager: Versions 12.1.0 to 12.1.8 ThinManager: Versions 13.0.0 to 13.0.5 ThinManager: Versions 13.1.0 to 13.1.3 ThinManager: Versions 13.2.0 to 13.2.2 ThinManager: Version 14.0.0 3.2 Vulnerability Overview 3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306 An authentication vulnerability exists in the affected product. The vulnerability could al...

In the modern, browser-centric workplace, the corporate identity acts as the frontline defense for organizations. Often referred to as “the new perimeter”, the identity stands between safe data management and potential breaches. However, a new report reveals how enterprises are often unaware of how their identities are being used across various platforms. This leaves them vulnerable to data

A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions. The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin. "The plugin suffers from an unauthenticated privilege escalation vulnerability

Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function.

JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component `/onlDragDatasetHead/getTotalData`.

A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.

A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.

A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.

The Russian-backed group is using a novel access vector to harvest victim data and compromise devices in a large-scale intelligence-gathering operation.

A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.