Tag
#vulnerability
### Details Persistent XSS vulnerability in image link handling of PHP-Textile versions 4.1.2 and older, when running the parser in restricted mode. In restricted mode it is expected that the input would be sanitized, allowing user-input (such as user comments) to be parsed and handled safely by the PHP-Textile library. In restricted mode, the version 4.1.2 of the library does not sanitize or validate user-controllable href input in image links, but allows any link protocol or JavaScriptt links to be used. The vulnerability allows an attacker to add malicious JavaScript code to the page which is then executed when an unexpecting user clicks the link. In non-restricted mode, the library allows mixed HTML input, and any link protocol by design. In restricted mode, text links were already handled correctly and the vulnerability only affects image links. ### Resolution This issue was fixed in PHP-Textile version 4.1.3. Version 4.1.3 disallows use of JavaScript in image links when the ...
### Impact Users of WireGuard Portal v2 who have OAuth (or OIDC) authentication backends enabled can be affected by an Account Takeover vulnerability if they visit a malicious website. ### Patches The problem was fixed in the latest alpha release, v2.0.0-alpha.3. The [docker images](https://hub.docker.com/r/wgportal/wg-portal) for the tag 'latest' built from the master branch also include the fix.
Cybersecurity researchers have uncovered firmware security vulnerabilities in the Illumina iSeq 100 DNA sequencing instrument that, if successfully exploited, could permit attackers to brick or plant persistent malware on susceptible devices. "The Illumina iSeq 100 used a very outdated implementation of BIOS firmware using CSM [Compatibility Support Mode] mode and without Secure Boot or standard
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: ABB Equipment: ASPECT-Enterprise, NEXUS, and MATRIX series Vulnerabilities: Files or Directories Accessible to External Parties, Improper Validation of Specified Type of Input, Cleartext Transmission of Sensitive Information, Cross-site Scripting, Server-Side Request Forgery (SSRF), Improper Neutralization of Special Elements in Data Query Logic, Allocation of Resources Without Limits or Throttling, Weak Password Requirements, Cross-Site Request Forgery (CSRF), Use of Weak Hash, Code Injection, PHP Remote File Inclusion, External Control of System or Configuration Setting, Insufficiently Protected Credentials, Unrestricted Upload of File with Dangerous Type, Absolute Path Traversal, Use of Default Credentials, Off-by-one Error, Use of Default Password, Session Fixation 2. RISK EVALUATION Multiple vulnerabilities in ABB ASPECT-Enterprise, NEXUS, and MATRIX series products have been ...
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Nedap Librix Equipment: Ecoreader Vulnerability: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of this vulnerability could result in remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Ecoreader are affected: Ecoreader: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306 The affected product is missing authentication for critical functions that could allow an unauthenticated attacker to potentially execute malicious code. CVE-2024-12757 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). A CVSS v4 score has also been calculated for CVE-2024-12757. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/S...
The Wall Street Journal reports that Charter, Consolidated, and Windstream have been added to the growing list of…
Taiwan-based Moxa has warned of two security vulnerabilities impacting its cellular routers, secure routers, and network security appliances that could allow privilege escalation and command execution. The list of vulnerabilities is as follows - CVE-2024-9138 (CVSS 4.0 score: 8.6) - A hard-coded credentials vulnerability that could allow an authenticated user to escalate privileges and gain
The deal adds Phylum's technology for malicious package analysis, detection, and mitigation to Veracode's software composition analysis portfolio.
The ABB BMS/BAS controller suffers from an SQL injection through the key and user parameters. These inputs are not properly sanitized and do not utilize stored procedures, allowing attackers to manipulate SQL queries and potentially gain unauthorized access to the database or execute arbitrary SQL commands.
The ABB BMS/BAS controller suffers from a weak password policy, allowing users to set overly simplistic or blank passwords and usernames without restrictions. This vulnerability significantly reduces account security, enabling attackers to exploit weak credentials for unauthorized access to the system.