Security
Headlines
HeadlinesLatestCVEs

Tag

#git

Siemens SCALANCE and RUGGEDCOM

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SCALANCE and RUGGEDCOM Vulnerabilities: Incorrect Authorization, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to circumvent authorization checks and perform actions that exceed the permissions of the "guest" role. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens RUGGEDCOM RST2428P (6GK6242-6PA00): All versions prior to V3.2 Siemens SCALANCE XCM324 (6GK5324-8TS...

us-cert
#vulnerability#web#git#auth
Non-Human Identities: How to Address the Expanding Security Risk

Human identities management and control is pretty well done with its set of dedicated tools, frameworks, and best practices. This is a very different world when it comes to Non-human identities also referred to as machine identities. GitGuardian’s end-to-end NHI security platform is here to close the gap. Enterprises are Losing Track of Their Machine Identities Machine identities–service

ConnectWise to Rotate ScreenConnect Code Signing Certificates Due to Security Risks

ConnectWise has disclosed that it's planning to rotate the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise remote monitoring and management (RMM) executables due to security concerns. The company said it's doing so "due to concerns raised by a third-party researcher about how ScreenConnect handled certain configuration data in earlier versions.

CISA Warns of Remote Control Flaws in SinoTrack GPS Trackers

The US CISA reports critical vulnerabilities in SinoTrack GPS devices that could let attackers remotely control vehicles and track locations. Discover the vulnerabilities and essential steps to secure your device.

GHSA-4c2h-67qq-vm87: Citizen skin vulnerable to stored XSS through multiple system messages

Various system messages are inserted by the Citizen skin in multiple places without proper sanitization. ## 1 - Command Palette Tips ### Summary Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. ### Details The messages are retrieved using the `plain()` output mode: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L61-L66 `currentTip` is set to one of these messages: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L69 `currentTip` is inserted as raw HTML (`vue/no-v-html` should *not* be ignored here): https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/reso...

23andMe raked by Congress on privacy, sale of genetic data

In a senate hearing, 23andMe was questioned about the impending take-over of the company and its trove of genetic data

GHSA-266m-wp2v-x7mq: Microsoft Security Advisory CVE-2025-30399 | .NET Remote Code Vulnerability

# Microsoft Security Advisory CVE-2025-30399 | .NET Remote Code Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by placing files in particular locations, leading to unintended code execution. ## Discussion Discussion for this issue can be found at https://github.com/dotnet/runtime/issues/116495 ## <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any .NET 8.0 application running on .NET 8.0.16 or earlier. * Any .NET 9.0 application running on .NET 9.0.5 or earlier. ## <a name="affected-packages"></a>Affected Packages The vulnerability affects any M...

GHSA-v33j-v3x4-42qg: Regex literal in Hurl files are not escaped when exported to HTML, allowing injections

Given this Hurl file: regex.hurl: ``` GET https://foo.com HTTP 200 [Asserts] jsonpath "$.body" matches /<img src="" onerror="alert('Hi!')">/ ``` When exported to HTML: ``` $ hurlfmt --out html regex.hurl <pre><code class="language-hurl"><span class="hurl-entry"><span class="request"><span class="line"><span class="method">GET</span> <span class="url">https://foo.com</span></span> </span><span class="response"><span class="line"><span class="version">HTTP</span> <span class="number">200</span></span> <span class="line"><span class="section-header">[Asserts]</span></span> <span class="line"><span class="query-type">jsonpath</span> <span class="string">"$.body"</span> <span class="predicate-type">matches</span> <span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span> </span></span><span class="line"></span> </code></pre> ``` The regex literal `/<img src="" onerror="alert('Hi!')">/` is not escaped: `<span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span...

GHSA-79xg-q4qm-7v9w: CWA-2025-006: wasmd's improper error handling may lead to IBC channel opening despite error

# CWA-2025-006: Improper error handling may lead to IBC channel opening despite error **Severity** High (Considerable + Likely)[^1] **Affected versions:** - wasmd 0.60.0 - wasmd >= 0.51.0 < 0.55.1 **Patched versions:** - wasmd 0.60.1, 0.55.1, 0.54.1, 0.53.3 ## Description of the bug A contract erroring during IBC channel opening does not prevent the channel from opening. ## Applying the patch The patch will be shipped in a wasmd release. You will also have to update `libwasmvm` if you build statically. If you already use the latest / close to latest wasmd, you can update more or less as follows: 1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd` 2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.60.1 (Cosmos SDK 0.53 compatible), 0.55.1 (Cosmos SDK 0.50 compatible), 0.54.1 or 0.53.3; `go mod tidy`; commit. 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same vers...

catdoc zero-day, NVIDIA, High-Logic FontCreator and Parallel vulnerabilities

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15.