#web

Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed). The existence of /admin/renew-token endpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack. This issue has been fixed in version 5.24.1.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.3 ATTENTION: Low Attack Complexity Vendor: Siemens Equipment: Solid Edge Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to crash the application or execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens Solid Edge SE2024: All versions < V224.0 Update 14 Siemens Solid Edge SE2025: All versions < V225.0 Update 6 3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS WRITE CWE-787 The affected applications contain an out of bounds write vulnerability while parsing specia...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: ArmorStart AOP Vulnerability: Uncaught Exception 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the affected product. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Rockwell Automation products are affected: ArmorStart AOP: Version V2.05.07 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 Uncaught Exception CWE-248 A security issue exists within the Studio 5000 Logix Designer add-on profile (AOP) for the ArmorStart Classic distributed motor controller, resulting in a denial-of-service. This vulnerability is possible due to the input of invalid values into Component Object Model (COM) methods. CVE-2025-9437 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). A CVS...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIMATIC ET 200SP Vulnerability: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to access the configuration data. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0): vers:intdot/<2.4.24 Siemens SIMATIC CP 1542SP-1 IRC (6GK7542-6VX00-0XE0): vers:intdot/<2.4.24 Siemens SIMATIC CP 1543SP-1 (6GK7543-6WX00-0XE0): vers:intdot/<2.4.24 Siemens SIPLUS ET 200SP...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.6 ATTENTION: Low attack complexity Vendor: Siemens Equipment: SiPass integrated Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Cross-site Scripting, Authorization Bypass Through User-Controlled Key, Storing Passwords in a Recoverable Format 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an unauthenticated remote attacker to gain unauthorized access to user accounts, manipulate data, impersonate users, or execute arbitrary code on the SiPass integrated server. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: SiP...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: MACH GWS Vulnerabilities: Incorrect Default Permissions, Improper Validation of Integrity Check Value, Improper Certificate Validation 2. RISK EVALUATION Exploiting these vulnerabilities could allow an attacker to tamper with system files, cause a denial of service, or perform a remote man-in-the-middle attack. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of MACH GWS affected: MACH GWS: Versions 3.0.0.0 to 3.4.0.0 3.2 VULNERABILITY OVERVIEW 3.2.1 INCORRECT DEFAULT PERMISSIONS CWE-276 A vulnerability exists in MACH GWS product, which if exploited, could allow a local unauthenticated attacker to tamper a system file resulting in a denial of notify service. CVE-2025-39201 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H). A CVSS v4 sco...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: HyperLynx and Industrial Edge App Publisher Vulnerability: Access of Resource Using Incompatible Type ('Type Confusion') 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a remote attacker to perform arbitrary code execution via a crafted HTML page. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens HyperLynx: vers:all/* Siemens Industrial Edge App Publisher: vers:intdot/<1.23.5 3.2 VULNERABILITY OVERVIEW 3.2.1 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION')...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: TeleControl Server Basic Vulnerability: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to obtain password hashes of users and to login to and perform authenticated operations of the database service. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: TeleControl Server Basic V3.1: Version V3.1.2.2 and up to but not including V3.1.2.3 3.2 VULNERABILITY OVERVIEW 3.2.1 MISSING AUTHENTICATION FOR CRITI...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity Vendor: Rockwell Automation Equipment: FactoryTalk Linx Vulnerabilities: Privilege Chaining 2. RISK EVALUATION Successful exploitation of these vulnerabilities may allow full access to all files, processes, and system resources. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Rockwell Automation reports that the following versions of the FactoryTalk Linx control system data communications platform are affected: FactoryTalk Linx: Versions 6.40 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 PRIVILEGE CHAINING CWE-268 A security issue exists within the x86 Microsoft Installer File (MSI), which is installed with FTLinx. Authenticated attackers with valid Windows user credentials can initiate a repair and hijack the resulting console window. This allows the launching of a command prompt running with SYSTEM-level privileges, which provides full access to all files, processes, and system resources. CVE-2025-9067 has been assig...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SINEC NMS Vulnerability: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an authenticated low privileged attacker to insert malicious data and achieve privilege escalation. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: SINEC NMS: Versions prior to V4.0 SP1 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89 Affected a...