#auth

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Voltronic Power, PowerShield Equipment: Viewpower, NetGuard Vulnerabilities: Exposed Dangerous Method or Function, Forced Browsing 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an unauthenticated attacker remotely to make configuration changes, resulting in shutting down UPS connected devices or execution of arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Voltronic Power and PowerShield UPS monitoring software is affected, as well as other derivative products: Voltronic Power Viewpower: Version 1.04-24215 and prior Voltronic Power ViewPower Pro: Version 2.2165 and prior Powershield NetGuard: Version 1.04-22119 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 EXPOSED DANGEROUS METHOD OR FUNCTION CWE-749 The UPS management software normally allows a properly authenticated and authorized user using a web interface to configure the s...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: FESTO, FESTO Didactic Equipment: CIROS Studio / Education, Automation Suite, FluidDraw, FluidSIM, MES-PC Vulnerability: Out-of-bounds Write 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to gain full control of the host system, including remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS FESTO, FESTO Didactic reports that the following products are affected: FESTO Didactic CIROS Studio / Education: 6.0.0 - 6.4.6 FESTO Didactic CIROS Studio / Education: 7.0.0 - 7.1.7 FESTO Festo Automation Suite: <= 2.6.0.481 FESTO FluidDraw: P6 <= 6.2k FESTO FluidDraw: 365 <= 7.0a FESTO Didactic FluidSIM: 5 all versions FESTO Didactic FluidSIM: 6 <= 6.1c FESTO Didactic MES-PC: shipped before December 2023 3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS WRITE CWE-787 A heap buffer overflow vulnerability in Wibu CodeMeter Runtime network servi...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: Modular Switchgear Monitoring (MSM) Vulnerability: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 2. RISK EVALUATION Successful exploitation of this vulnerability could allow attackers to execute untrusted code, potentially leading to unauthorized actions or system compromise. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Hitachi Energy reports the following products are affected: Hitachi Energy MSM: Version 2.2.9 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79 In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e., .html(), .append(), and others) may result in the execution of untrusted code. CVE-2020-11022 has b...

Scammers are exploiting Microsoft 365 Direct Send to spoof internal emails targeting US firms bypassing security filters with…

Facebook's pursuit of your personal data continues, and now it has a new target: photos on your phone that you haven't shared with it yet.

No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.

Microsoft has said that it's ending support for passwords in its Authenticator app starting August 1, 2025. The changes, the company said, are part of its efforts to streamline autofill in the two-factor authentication (2FA) app. "Starting July 2025, the autofill feature in Authenticator will stop working, and from August 2025, passwords will no longer be accessible in Authenticator," Microsoft

The US Justice Department revealed the identity theft number along with one arrest and a crackdown on “laptop farms” that allegedly facilitate North Korean tech worker impersonators across the US.

### Summary A command injection vulnerability exists in the `git-mcp-server` MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). ### Details The MCP Server exposes tools (`git_add`, `git_init`, `git_logs`, etcc) to perform several git operations. An MCP Client can be instructed to execute additional actions for example via indirect prompt injection when asked to read git logs. Below some example of vulnerable code and different ways to test this vulnerability including a real example of indirect prompt injection that can lead to arbitrary command injection...

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via the playbook run participants feature, even when the 'Manage Members' permission has been explicitly removed. This can lead to unauthorized access to sensitive channel content and allow guest users to gain channel management privileges.