#vulnerability

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.3 ATTENTION: Low Attack Complexity Vendor: Schneider Electric Equipment: SESU Vulnerability: Improper Link Resolution Before File Access ('Link Following') 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an authenticated attacker to write arbitrary data to protected locations, potentially leading to escalation of privilege, arbitrary file corruption, exposure of application and system information or persistent denial of service when a low-privileged attacker tampers with the installation folder. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: Schneider Electric SESU: <3.0.12 Schneider Electric SESU installed on Schneider Electric BESS ANSI: SESU versions prior to 3.0.12 Schneider Electric SESU installed on Schneider Electric Easergy MiCOM P30: SESU versions prior to 3.0.12 Schneider Electric SESU installed on Schneider Electric Easergy MiCOM P40: SESU ve...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Low attack complexity Vendor: Viessmann Equipment: Vitogate 300 Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Client-Side Enforcement of Server-Side Security 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to modify an intended OS command when it is sent to a downstream component, or allow an attacker to cause unexpected interactions between the client and server. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Viessmann Vitogate 300 are affected: Vitogate 300: Versions prior to 3.1.0.1 3.2 VULNERABILITY OVERVIEW 3.2.1 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-78 Vitogate 300 constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could m...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3.1 6.8 ATTENTION: Exploitable remotely Vendor: Mitsubishi Electric Equipment: MELSEC-Q Series CPU module Vulnerability: Improper Handling of Length Parameter Inconsistency 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a denial of service (DoS). 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Mitsubishi Electric MELSEC-Q Series CPU modules are affected: MELSEC-Q Series Q03UDVCPU: The first 5 digits of serial No. '24082' to '27081' MELSEC-Q Series Q04UDVCPU: The first 5 digits of serial No. '24082' to '27081' MELSEC-Q Series Q06UDVCPU: The first 5 digits of serial No. '24082' to '27081' MELSEC-Q Series Q13UDVCPU: The first 5 digits of serial No. '24082' to '27081' MELSEC-Q Series Q26UDVCPU: The first 5 digits of serial No. '24082' to '27081' MELSEC-Q Series Q04UDPVCPU: The first 5 digits of serial No. '24082' to '27081' MELSEC-Q Series Q06UDPVCPU: The first 5 digits of serial No...

Big companies are getting smaller, and their CEOs want everyone to know it. Wells Fargo has cut its workforce by 23% over five years, Bank of America has shed 88,000 employees since 2010, and Verizon's CEO recently boasted that headcount is "going down all the time." What was once a sign of corporate distress has become a badge of honor, with executives celebrating lean operations and AI-driven

Cybersecurity researchers have disclosed details of a new botnet that customers can rent access to conduct distributed denial-of-service (DDoS) attacks against targets of interest. The ShadowV2 botnet, according to Darktrace, predominantly targets misconfigured Docker containers on Amazon Web Services (AWS) cloud servers to deploy a Go-based malware that turns infected systems into attack nodes

Insecure Direct Object Reference (IDOR) vulnerability with commerce order notes in Liferay Portal 7.3.5 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to add a note to an order in a different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter.

Batch Engine in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 does not properly check permission with import and export tasks, which allows remote authenticated users to access the exported data via the REST APIs.

In Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions the audit events records a user’s password reminder answer, which allows remote authenticated users to obtain a user’s password reminder answer via the audit events.

Stellantis, parent of Jeep, Chrysler, Dodge and FIAT, confirms data breach through third-party vendor. Contact info exposed, financial data not affected.

### Summary Arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner. ### Details Many people who run DNN sites have a number of installed themes that they do not actually use. This could be because they were testing many themes during initial setup, because they have changed themes over time, or because they have development and production versions of a theme. Whatever the reason, many times the unused themes will become outdated over time as site admins wouldn't have reason to update something that is not used. However, this could introduce an entry point to exploit a vulnerable theme by making the server run the unused theme for unsuspecting client requests. Depending on the vulnerability in a theme, this could lead to server side or client side arbitrary code execution. With DNN 10.1.0 this functionality is now disabled by...