#web

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: Asset Suite Vulnerabilities: Server-Side Request Forgery (SSRF), Deserialization of Untrusted Data, Cleartext Storage of Sensitive Information, Uncontrolled Resource Consumption, URL Redirection to Untrusted Site ('Open Redirect'), Improper Authentication 2. RISK EVALUATION Successful exploitation of this vulnerability could allow attackers to trigger resource consumption or information disclosure through SSRF in Apache XML Graphics Batik, mount a Denial-Of-Service attack via poisoned data in logback, discover cleartext passwords in H2 Database Engine, fill up the file system in Apache CXF, perform open redirect or SSRF attacks through UriComponentsBuilder, and execute arbitrary code in Apache ActiveMQ. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Hitachi Energy reports that the following products are affected: Asset Suite: Versions 9.6.4.5 and prior 3.2 VULN...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.2 ATTENTION: Exploitable remotely Vendor: Westermo Network Technologies Equipment: WeOS 5 Vulnerability: Improper Validation of Syntactic Correctness of Input 2. RISK EVALUATION Successful exploitation of this vulnerability could cause the device to reboot. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Westermo reports following versions of WeOS 5, an industrial network operating system, are affected: WeOS 5: Versions 5.23.0 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286 When configured for IPSec, a Westermo device running WeOS 5 could be vulnerable to a denial-of-service attack. A specifically crafted ESP packet could trigger an immediate reboot of the device. CVE-2025-46419 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). A CVSS v4 score has also been calculated for CVE-202...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely Vendor: Westermo Network Technologies Equipment: WeOS 5 Vulnerability: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker with administrative permissions to execute commands that would typically be inaccessible. This could allow the execution of commands with privileges beyond those normally granted to the attacker. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Westermo reports following versions of WeOS 5, an industrial network operating system, are affected: WeOS 5: Versions 5.24 and later 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEAUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78 Westermo has identified a vulnerability in WeOS 5 that could potentially be used to inject OS commands due to unsafe handling of media definitions. CVE-2025-46418 has bee...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.8 ATTENTION: Low Attack Complexity Vendor: Schneider Electric Equipment: Saitel DR RTU Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could enable an attacker to execute arbitrary shell commands on the affected devices. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: Schneider Electric Saitel DR RTU: Versions 11.06.29 and prior Schneider Electric Saitel DP RTU: Versions 11.06.33 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78 An OS command injection vulnerability exists that could cause the execution of any shell command when executing a netstat command using BLMon Console in an SSH session. CVE-2025-9996 has been assigned to this vulnerability. A CVSS v3.1 base sc...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Dover Fueling Solutions Equipment: ProGauge MagLink LX4, ProGauge MagLink LX4 Plus, ProGauge MagLink LX4 Ultimate Vulnerabilities: Integer Overflow or Wraparound, Use of Hard-coded Cryptographic Key, Use of Weak Credentials 2. RISK EVALUATION Successful exploitation of these vulnerabilities could result in a remote attacker causing a denial-of-service condition or gaining administrative access to the device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of ProGauge MagLink LX, a fuel and water tank monitor, are affected: ProGauge MagLink LX 4: Versions prior to 4.20.3 ProGauge MagLink LX Plus: Versions prior to 4.20.3 ProGauge MagLink LX Ultimate: Versions prior to 5.20.3 3.2 VULNERABILITY OVERVIEW 3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190 Affected devices fail to handle Unix time values beyond a certain point. An attacker can manually change the system time t...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: Service Suite Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow attackers to compromise Oracle WebLogic Server, resulting in potential impacts on confidentiality, integrity, and availability. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Hitachi Energy reports that the following products are affected: Service Suite: Versions prior to 9.6.0.4 EP4 3.2 VULNERABILITY OVERVIEW 3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502 Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVE-2020-2883 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N...

Hackers are posing as Empire podcast hosts, tricking crypto influencers and developers with fake interview invites to deliver macOS AMOS Stealer malware.

Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems. "SilentSync is capable of remote command execution, file exfiltration, and screen capturing," Zscaler ThreatLabz's Manisha Ramcharan Prajapati and Satyam Singh said. "SilentSync also extracts

Scammers are now using “SMS blasters” to send out up to 100,000 texts per hour to phones that are tricked into thinking the devices are cell towers. Your wireless carrier is powerless to stop them.

Google has issued a Chrome update to fix four high priority flaws including one zero-day, zero-click vulnerability.