#auth

An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.

Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information.

A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising user accounts.

Moodle's mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.

An issue in Moodle's timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to complete an assessment.

A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users to view information about courses they should not have access to, potentially exposing limited course details.

Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: ASKI Energy Equipment: ALS-Mini-S8, ALS-mini-s4 IP Vulnerability: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to gain full control over the device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following ASKI Energy products are affected: ALS-mini-s4 IP (serial number from 2000 to 5166): All versions ALS-mini-s8 IP (serial number from 2000 to 5166): All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 Missing Authentication for Critical Function CWE-306 A critical severity missing authentication vulnerability exists in the embedded web server of the ALS-mini-S4/S8 IP controllers. There is a lack of authentication functionality. Specifically, an attacker can read and modify product configuration parameters without being authenticated. CVE-2025-9574 has been assigned to this vulnerability. A CVSS v3.1 ...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: AutomationDirect Equipment: Productivity Suite Vulnerabilities: Relative Path Traversal, Weak Password Recovery Mechanism for Forgotten Password, Incorrect Permission Assignment for Critical Resource, Binding to an Unrestricted IP Address 2. RISK EVALUATION Successful exploitation of these vulnerabilities could enable an attacker to execute arbitrary code, disclose information, gain full-control access to projects, or obtain read and write access to files. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following AutomationDirect Productivity PLCs are affected: Productivity Suite: V4.2.1.9 and prior Productivity 3000 P3-622 CPU: SW v4.4.1.19 and prior Productivity 3000 P3-550E CPU: SW v4.4.1.19 and prior Productivity 3000 P3-530 CPU: SW v4.4.1.19 and prior Productivity 2000 P2-622 CPU: SW v4.4.1.19 and prior Productivity 2000 P2-550 CPU: SW v4.4.1.19 and prior Productivity 1000 P1-55...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.4 ATTENTION: Exploitable remotely/low attack complexity Vendor: Veeder-Root Equipment: TLS4B Automatic Tank Gauge System Vulnerabilities: Improper Neutralization of Special Elements used in a Command ('Command Injection'), Integer Overflow or Wraparound 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow attackers to execute system-level commands, gain full shell access, achieve remote command execution, move laterally within the network, trigger a denial of service condition, cause administrative lockout, and disrupt core system functionalities. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Veeder-Root TLS4B Automatic Tank Gauge System are affected: TLS4B: Versions prior to 11.A 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77 The TLS4B ATG system's SOAP-based interface is vulnerable due to its accessibility through the ...