#vulnerability

Many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.1 ATTENTION: Low attack complexity Vendor: goTenna Equipment: Pro ATAK Plugin Vulnerabilities: Weak Password Requirements, Insecure Storage of Sensitive Information, Missing Support for Integrity Check, Cleartext Transmission of Sensitive Information, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Weak Authentication, Insertion of Sensitive Information Into Sent Data, Observable Response Discrepancy, Insertion of Sensitive Information Into Sent Data 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality and integrity of the communications between the affected devices. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of goTenna Pro ATAK Plugin, a mesh networking device, are affected: goTenna Pro ATAK Plugin: Versions 1.9.12 and prior 3.2 Vulnerability Overview 3.2.1 Weak Password Requirements CWE-521 The goTenna Pro ATAK Plugin uses a wea...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Atelmo Equipment: Atemio AM 520 HD Full HD Satellite Receiver Vulnerability: OS Command Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthorized attacker to execute system commands with elevated privileges. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Atelmo Atemio AM 520 HD, a satellite receiver, are affected: Atemio AM 520 HD: TitanNit 2.01 and prior 3.2 Vulnerability Overview 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78 The device enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the 'getcommand' query within the application, allowing the attacker to gain root access. CVE-2024-9166 has been assigned to this vulnerability. A CVSS v3.1 base sco...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity Vendor: Advantech Equipment: ADAM-5630 Vulnerabilities: Use of Persistent Cookies Containing Sensitive Information 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to hijack a legitimate user's session, perform cross-site request forgery, or cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Advantech's ADAM are affected: Advantech ADAM-5630: versions prior to v2.5.2 3.2 Vulnerability Overview 3.2.1 USE OF PERSISTENT COOKIES CONTAINING SENSITIVE INFORMATION CWE-539 Cookies of authenticated users remain as active valid cookies when a session is closed. Forging requests with a legitimate cookie, even if the session was terminated, allows an unauthorized attacker to act with the same level of privileges of the legitimate user. CVE-2024-39275 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been ...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Low attack complexity Vendor: goTenna Equipment: Pro series Vulnerabilities: Weak Password Requirements, Insecure Storage of Sensitive Information, Missing Support for Integrity Check, Cleartext Transmission of Sensitive Information, Improper Restriction of Communication Channel to Intended Endpoints, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Weak Authentication, Insertion of Sensitive Information Into Sent Data, Observable Response Discrepancy, Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality and integrity of the communications between the affected devices. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of goTenna Pro series, mesh networking device, are affected: goTenna Pro App: versions 1.6.1 and prior 3.2 Vulnerability Overview 3.2.1 Weak Password Requirements CWE...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Low attack complexity Vendor: Advantech Equipment: ADAM-5550 Vulnerabilities: Weak Encoding for Password, Cross-site Scripting 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow a remote attacker to intercept the easily decodable credentials of a legitimate user to gain full access to the device and could plant malicious code on the web page of the device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Advantech's ADAM, are affected: Advantech ADAM 5550: All versions 3.2 Vulnerability Overview 3.2.1 WEAK ENCODING FOR PASSWORD CWE-261 User credentials are shared with a low level of encryption, consisting of base 64 encoding. CVE-2024-37187 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). A CVSS v4 score has also been calculated for CVE-2024-37187. A base score of 6.8 has been c...

Researchers found a flaw in a Kia web portal that let them track millions of cars, unlock doors, and start engines at will—the latest in a plague of web bugs that’s affected a dozen carmakers.

Many businesses rely on the Common Vulnerability Scoring System (CVSS) to assess the severity of vulnerabilities for prioritization. While these scores provide some insight into the potential impact of a vulnerability, they don’t factor in real-world threat data, such as the likelihood of exploitation. With new vulnerabilities discovered daily, teams don’t have the time - or the budget - to

Mattermost does not strip `embeds` from `metadata` when broadcasting `posted` events. This allows users to include arbitrary embeds in posts, which are then broadcasted via websockets. This can be exploited in many ways, for example to create permalinks with fully customizable content or to trigger a client Side Denial of Service (DoS) by sending a permalink with a non-string message. The advisory metadata references the appropriate go pseudo version available from pkg.go.dev

Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin. This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0. Users are recommended to upgrade to version 3.3.0, which fixes the issue. Archetype integration testing creates a file called ./target/classes/archetype-it/archetype-settings.xml This file contains all the content from the users ~/.m2/settings.xml file, which often contains information they do not want to publish. We expect that on many developer machines, this also contains credentials. When the user runs mvn verify again (without a mvn clean), this file becomes part of the final artifact. If a developer were to publish this into Maven Central or any other remote repository (whether as a release or a snapshot) their credentials would be published without them knowing.