Tag
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Modicon Controllers Vulnerabilities: Improper Input Validation, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Uncontrolled Resource Consumption 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the device or cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: Modicon Controllers M241: Versions prior to 5.3.12.51 Modicon Controllers M251: Versions prior to 5.3.12.51 Modicon Controllers M262: Versions prior to 5.3.9.18 (CVE-2025-3898, CVE-2025-3117) Modicon Controllers M258: All versions (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117) Modicon Controllers LMC058: All versions (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117) 3.2 VULNERABILITY OVERVIEW 3.2.1 ...
Salt Typhoon, a China-linked group, is exploiting router flaws to spy on global telecoms, warns a joint FBI and Canadian advisory issued in June 2025.
Citizen Lab and Google uncovered a new, sophisticated cyberattack linked to Russian state actors that exploits App-Specific Passwords, bypassing Multi-Factor Authentication. Discover how to protect yourself from these evolving threats.
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 4.5 ATTENTION: Exploitable remotely Vendor: AVEVA Equipment: PI Web API Vulnerability: Cross-site Scripting 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to disable content security policy protections. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of AVEVA PI Web API are affected: PI Web API: Versions 2023 SP1 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79 A cross-site scripting vulnerability exists in PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker (with privileges to create/update annotations or upload media files) to persist arbitrary JavaScript code that will be executed by users who were socially engineered to disable content security policy protections while rendering annotation attachments from within a web browser. CVE-2025-2745 has been assign...
Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.
### Impact The application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities. ### Patches The issue is fixed in https://github.com/barryvdh/laravel-translation-manager/pull/475 which is released in version 0.6.8 ### Workarounds Only authenticated users with access to the translation manager are impacted. ### References [[PT-2025-04] laravel translation manager.pdf](https://github.com/user-attachments/files/20639250/PT-2025-04.laravel.translation.manager.pdf) ### Reported by Positive Technologies (Artem Deikov, Ilya Tsaturov, Daniil Satyaev, Roman Cheremnykh, Artem Danilov, Stanislav Gleym)
A massive data leak has put the personal information of over 3.6 million app creators, influencers, and entrepreneurs…
Europol targets extremist online content exploiting minors, tackling rising use of AI, propaganda, and grooming across Europe’s digital platforms.
The US Department of the Treasury has taken action against Funnull Technology Inc. for enabling massive pig butchering…
The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams, commonly known as “pig butchering." In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers.