#vulnerability

**Summary / Details** Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.0-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC to access data and and escalate their privileges. **Affected Versions** - Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 - versions 4.1.0-1.0.0 through 4.1.8-1.0.0 when installed into Apache Cassandra version 4.x. **Required Configuration for Exploit** These are the conditions required to enable exploit: 1. Cassandra 4.x 2. Vulnerable version of the Cassandra-Lucene-Index plugin configured for use 3. Data added to tables 4. Lucene index created 5. Cassandra flush has run **Mitigation/Prevention** Mitigation requires dropping all Lucene indexes and stopping use of the plugin. Exploit will be possibl...

A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.

The ABB Cylon FLXeon BACnet controller suffers from insecure CORS configuration. Allowing all origins (app.options('*', cors()); can expose the API to data leaks, resource abuse, and potential XSS attacks.

User sessions on ABB Cylon FLXeon controllers remain active for up to seven days, even after a client-side logout. Clicking "Log Out" does not properly revoke the session on the server, allowing attackers with access to stolen session tokens to maintain unauthorized access. This increases the risk of session hijacking and privilege abuse.

The ABB Cylon FLXeon BACnet controller uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.

An authenticated attacker can access sensitive information via the system logs page of ABB Cylon FLXeon controllers. The logs expose critical data, including the OpenSSL password for stored certificates. This information can be leveraged for further attacks, such as decrypting encrypted communications, impersonation, or gaining deeper system access.

Super-admin access vulnerability discovered in FortiOS Security Fabric. Exploitation could lead to widespread network breaches. Update now. Fortinet has…

Ever felt like your team is stuck in a constant battle? Developers rush to add new features, while security folks worry about vulnerabilities. What if you could bring both sides together without sacrificing one for the other? We invite you to our upcoming webinar, "Opening the Fast Lane for Secure Deployments." This isn’t another tech talk full of buzzwords—it's a down-to-earth session that

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.4 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Teamcenter Vulnerability: URL Redirection to Untrusted Site ('Open Redirect') 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to redirect the legitimate user to an attacker-controlled URL to steal valid session data. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens Teamcenter: All versions prior to V14.3.0.0 3.2 VULNERABILITY OVERVIEW 3.2.1 URL REDIRECTION TO UNTRUSTED SITE ('OPEN REDIRECT') CWE-601 The SSO login service of affected applications accepts us...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.6 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: ORing Equipment: IAP-20 Vulnerabilities: Cross-site Scripting, Command Injection 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to invoke commands to compromise the device via the management interface. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following ORing products are affected: IAP-420: Versions 2.01e and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79 A stored cross-site scripting can be triggered by placing JavaScript code into the SSID input field of the web interface. An attacker could exploit this vulnerability by luring an authenticated user to visit a malicious website. CVE-2024-5410 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV...