#web

The guidance within ISO 27001 identifies which security controls are appropriate, while ISO 27002 describes the controls in detail and how they can be implemented.

1. EXECUTIVE SUMMARY ​CVSS v3 9.8  ​ATTENTION: Exploitable remotely/low attack complexity/public exploits are available ​Vendor: GeoVision ​Equipment: GV-ADR2701 ​Vulnerabilities: Improper Authentication 2. RISK EVALUATION ​Successful exploitation of this vulnerability could allow an attacker to log in to the camera’s web application. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS ​GeoVision reports this vulnerability affects the following GV-ADR2701 cameras:  ​GV-ADR2701: Version V1.00_2017_12_15 3.2 VULNERABILITY OVERVIEW 3.2.1 ​IMPROPER AUTHENTICATION CWE-287 ​In GeoVision GV-ADR2701 cameras, an attacker could edit the login response to access the web application. ​CVE-2023-3638 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 3.3 BACKGROUND ​CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities ​COUNTRIES/AREAS DEPLOYED: Worldwide ​COMPANY HEADQUARTERS LOCATION: Taiwan 3.4 RESEAR...

1. EXECUTIVE SUMMARY CVSS v3 8.1 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: WellinTech Equipment: KingHistorian Vulnerabilities: Exposure of Sensitive Information to an Unauthorized Actor, Signed to Unsigned Conversion Error 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information or send malicious data which can lead to a buffer overflow. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of WellinTech KingHistorian, a time-series database, are affected: KingHistorian: version 35.01.00.05 3.2 VULNERABILITY OVERVIEW 3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200 An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this v...

1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Iagona Equipment: ScrutisWeb Vulnerabilities: Absolute Path Traversal, Authorization Bypass Through User-Controlled Key, Use of Hard-coded Cryptographic Key, Unrestricted Upload of File with Dangerous Type 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to upload and execute arbitrary files. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Iagona ScrutisWeb, a web application, are affected: ScrutisWeb: Version 2.1.37 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 ABSOLUTE PATH TRAVERSAL CWE-36 Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a directory traversal vulnerability that could allow an unauthenticated user to directly access any file outside the webroot. CVE-2023-33871 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H...

1. EXECUTIVE SUMMARY CVSS v3 6.6 ATTENTION: Low attack complexity Vendor: GE Digital Equipment: CIMPLICITY Vulnerability: Heap-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause memory corruption issues resulting in unwanted behavior such as code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following GE Digital products are affected:  CIMPLICITY: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122 All versions of GE Digital CIMPLICITY that are not adhering to SDG guidance and accepting documents from untrusted sources are vulnerable to memory corruption issues due to insufficient input validation, including issues such as out-of-bounds reads and writes, use-after-free, stack-based buffer overflows, uninitialized pointers, and a heap-based buffer overflow. Successful exploitation could allow an attacker to execute arbitrary code. CVE-2023-3463 has been assigned to this vulnera...

1. EXECUTIVE SUMMARY CVSS v3 7.5  ATTENTION: Exploitable remotely/low attack complexity   Vendor: Rockwell Automation  Equipment: Kinetix 5700  Vulnerability: Uncontrolled Resource Consumption  2. RISK EVALUATION Successful exploitation of this vulnerability could result in a denial-of-service attack. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following version of Rockwell Automation Kinetix 5700 DC Bus Power Supply is affected:  Kinetix 5700: V13.001 3.2 VULNERABILITY OVERVIEW 3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400 The Kinetix 5700 DC Bus Power Supply Series A is vulnerable to CIP fuzzing. The new ENIP connections cannot be established if impacted by this vulnerability, which prohibits operational capabilities of the device resulting in a denial-of-service attack. CVE-2023-2263 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SE...

1. EXECUTIVE SUMMARY ​CVSS v3 9.8 ​ATTENTION: Exploitable remotely/low attack complexity ​Vendor: Weintek ​Equipment: Weincloud ​Vulnerabilities: Weak Password Recovery Mechanism for Forgotten Password, Improper Authentication, Improper Restriction of Excessive Authentication Attempts, Improper Handling of Structural Elements 2. RISK EVALUATION ​Successful exploitation of these vulnerabilities could allow an attacker to utilize the JSON web token (JWT) to reset account passwords, use expired credentials, perform brute force attacks on credentials, or cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS ​The following Weintek Weincloud versions are affected:  ​Account API: Versions 0.13.6 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 ​WEAK PASSWORD RECOVERY MECHANISM FOR FORGOTTEN PASSWORD CWE-640 ​The affected product could allow an attacker to reset a password with the corresponding account’s JWT token only. ​CVE-2023-35134 has been assigned to this vulnerabil...

1. EXECUTIVE SUMMARY ​CVSS v3 7.8 ​ATTENTION: Low attack complexity ​Vendor: Keysight Technologies ​Equipment: N6854A Geolocation Server ​Vulnerabilities: Exposed Dangerous Method or Function, Relative Path Traversal 2. RISK EVALUATION ​Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges, execute arbitrary code, or cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS ​The following Keysight monitoring products are affected:  ​N6854A Geolocation Server versions 2.4.2 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 ​EXPOSED DANGEROUS METHOD OR FUNCTION CWE-749 ​In Keysight Geolocation Server v2.4.2 and prior, a low privileged attacker could create a local ZIP file containing a malicious script in any location. The attacker could abuse this to load a DLL with SYSTEM privileges. ​CVE-2023-36853 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L...

By Deeba Ahmed The fake flyer was emailed on 4 May 2023 to multiple diplomatic missions in Kyiv. This is a post from HackRead.com Read the original post: Phishers Targeting Diplomats in Kyiv with Fake 2011 BMW Flyers

Data associated with a subset of registered customers of VirusTotal, including their names and email addresses, have leaked on the internet. The security incident, which comprises a database of 5,600 names in a 313KB file, was first disclosed by Der Spiegel and Der Standard yesterday. Launched in 2004, VirusTotal is a popular service that analyzes suspicious files and URLs to detect types of