
Tag

#web

Inside a Dark Adtech Empire Fed by Fake CAPTCHAs

Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by leveraging the same malicious advertising technology that powers a sprawling ecosystem of online hucksters and website hackers. A new report on the fallout from that investigation finds this dark ad tech industry is far more resilient and incestuous than previously known.

Krebs on Security
#vulnerability #web #windows #apple #google #microsoft #git #java #wordpress #intel #chrome #firefox #blog
GHSA-prwh-7838-xf82: XWiki allows SQL injection in query endpoint of REST API with Oracle

### Impact

It's possible to execute any SQL query in Oracle by using functions like [DBMS_XMLGEN or DBMS_XMLQUERY](https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html). The XWiki query validator does not sanitize functions that would be used in a simple `select`, and Hibernate allows using any native function in an HQL query.

### Patches

This has been patched in 16.10.2, 16.4.7 and 15.10.16.

### Workarounds

There is no known workaround, other than upgrading XWiki.

### References

https://jira.xwiki.org/browse/XWIKI-22734

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:security@xwiki.org)

Social Media Is Now a DIY Alert System for ICE Raids

The undocumented migrant community in the United States is using social networks and other digital platforms to send alerts about raids and the presence of immigration agents around the US.

AI Agents Run on Secret Accounts — Learn How to Secure Them in This Webinar

AI is changing everything — from how we code, to how we sell, to how we secure. But while most conversations focus on what AI can do, this one focuses on what AI can break — if you’re not paying attention. Behind every AI agent, chatbot, or automation script lies a growing number of non-human identities — API keys, service accounts, OAuth tokens — silently operating in the background. And here’s

Siemens SCALANCE and RUGGEDCOM

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

* CVSS v4 7.1
* ATTENTION: Exploitable remotely/low attack complexity
* Vendor: Siemens
* Equipment: SCALANCE and RUGGEDCOM
* Vulnerabilities: Incorrect Authorization, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to circumvent authorization checks and perform actions that exceed the permissions of the "guest" role.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

* Siemens RUGGEDCOM RST2428P (6GK6242-6PA00): All versions prior to V3.2
* Siemens SCALANCE XCM324 (6GK5324-8TS...

Siemens SCALANCE and RUGGEDCOM

1. EXECUTIVE SUMMARY

* CVSS v4 5.3
* ATTENTION: Exploitable remotely/low attack complexity
* Vendor: Siemens
* Equipment: SCALANCE and RUGGEDCOM
* Vulnerability: Improper Privilege Management

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform actions that exceed the permissions of the "guest" role.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

* Siemens RUGGEDCOM RST2428P (6GK6242-6PA00): All versions prior to V3.1
* Siemens SCALANCE XCM324 (6GK5324-8TS01-2AC2): All versions prior to V3.1
* Siemens SCALANCE XCM328 (6GK5328-4TS01-2AC2): All versions prior to V3.1
* Siemens SCALANCE X...

Siemens RUGGEDCOM APE1808

1. EXECUTIVE SUMMARY

* CVSS v4 5.1
* ATTENTION: Exploitable remotely/low attack complexity
* Vendor: Siemens
* Equipment: RUGGEDCOM APE1808
* Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

* Siemens RUGGEDCOM APE1808: All versions with Palo Alto Networks Virtual NGFW with an enabled GlobalProtect gateway or portal

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALI...

Siemens Tecnomatix Plant Simulation

1. EXECUTIVE SUMMARY

* CVSS v4 7.3
* ATTENTION: Low attack complexity
* Vendor: Siemens
* Equipment: Tecnomatix Plant Simulation
* Vulnerability: Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

* Tecnomatix Plant Simulation V2404: All versions prior to V2404.0013

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted WRL files. This coul...

Siemens Energy Services

1. EXECUTIVE SUMMARY

* CVSS v4 9.5
* ATTENTION: Exploitable remotely/low attack complexity
* Vendor: Siemens
* Equipment: Energy Services
* Vulnerability: Incorrect Default Permissions

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain remote control of the G5DFR component and tamper outputs from the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

* Energy Services: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT DEFAULT PERMISSIONS CWE-276

Affected solutions using G5DFR contain default credentials. This could allow an attacker to gain control of G5DFR component and...

Siemens SIMATIC S7-1500 CPU Family

1. EXECUTIVE SUMMARY

* CVSS v4 8.7
* ATTENTION: Exploitable remotely/low attack complexity
* Vendor: Siemens
* Equipment: SIMATIC S7-1500 CPU family
* Vulnerabilities: Missing Encryption of Sensitive Data, Out-of-bounds Read, Use After Free, Stack-based Buffer Overflow, Incorrect Provision of Specified Functionality, Out-of-bounds Write, Incorrect Calculation of Buffer Size, Heap-based Buffer Overflow, External Control of File Name or Path, Uncontrolled Resource Consumption, Improper Input Validation, Truncation of Security-relevant Information, Missing Critical Step in Authentication, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), ...