Tag
#web
### Summary A user on the website can modify any private field on their own state. ### Details An event meant to modify client side storage had access to modify any field on the state for the given user. This includes non-client side ones and most importantly private fields. This still requires the actor to guess the name for the private fields. ### Impact If one of the States in your app can be modified to allow the user into a different role or a different user this allows the actor to act as someone else or as admin.
Reddit Struggles After Google's New Focus on Expertise
### Summary Using a constructed (camera) device path with the `config/add`/`add_camera` motionEye web API allows an attacker with motionEye admin user credentials to execute any UNIX shell code within a non-interactive shell as executing user of the motionEye instance, `motion` by default. #### function call stack 1. `post` 2. `add_camera` 3. `config.add_camera` 4. `v4l2ctl.list_resolutions` 5. `utils.call_subprocess` 6. `subprocess.run` ### PoC #### build ```sh RUN_USER="user" RUN_UID=$(id -u ${RUN_USER}) RUN_GID=$(id -g ${RUN_USER}) TIMESTAMP="$(date '+%Y%m%d-%H%M')" docker build \ --network host \ --build-arg="RUN_UID=${RUN_UID?}" \ --build-arg="RUN_GID=${RUN_GID?}" \ -t "${USER?}/motioneye:${TIMESTAMP}" \ --no-cache \ -f docker/Dockerfile . ``` #### reproduce Run: ```sh docker run --rm -d -p 8765:8765 --hostname="motioneye" -v /etc/localtime:/etc/localtime:ro -v /tmp/motioneyeconfig:/etc/motioneye -v /tmp/motioneyeconfig:/var/lib/motioneye ``` ```console ...
### Impact A admin user can upload SVG which may load external data via XML DOM library, specially this can be used for eventually reference none secure XML External Entity References. ### Patches The problem has not been patched yet. Users should upgrade to patched versions once they become available. Currently affected versions are: - 2.6.9 - 2.5.25 - 3.0.0-alpha3 ### Workarounds Patch the effect file `src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php` in sulu with: ```diff -$dom->loadXML($svg, \LIBXML_NOENT | \LIBXML_DTDLOAD); +$dom->loadXML($data, LIBXML_NONET); ``` ### References - GitHub repository: https://github.com/sulu/sulu - Vulnerable code: https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php
A new wave of attacks uses PowerShell and LNK files to secretly install Remcos RAT, enabling full remote…
### Impact Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. ### Patches This has been patched in https://github.com/nodejs/undici/pull/4088. ### Workarounds If a webhook fails, avoid keep calling it repeatedly. ### References Reported as: https://github.com/nodejs/undici/issues/3895
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Exploitable from adjacent network/low attack complexity Vendor: Siemens Equipment: SCALANCE LPE9403 Vulnerabilities: Incorrect Permission Assignment for Critical Resource, Path Traversal: '.../...//', Use of Uninitialized Variable, NULL Pointer Dereference, Out-of-bounds Read, Stack-based Buffer Overflow, Authentication Bypass Using an Alternate Path or Channel, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Cleartext Transmission of Sensitive Information 2. RISK EVALUATION Successful exploitation of these vulnerabilities could affect the confidentiality, integrity, and availabil...
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: ECOVACS Equipment: DEEBOT Vacuum and Base Station Vulnerabilities: Use of Hard-coded Cryptographic Key, Download of Code Without Integrity Check 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to send malicious updates to the devices or execute code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS ECOVACS reports the following DEEBOT vacuum and base station devices are affected: X1S PRO: Versions prior to 2.5.38 X1 PRO OMNI: Versions prior to 2.5.38 X1 OMNI: Versions prior to 2.4.45 X1 TURBO: Versions prior to 2.4.45 T10 Series: Versions prior to 1.11.0 T20 Series: Versions prior to 1.25.0 T30 Series: Versions prior to 1.100.0 3.2 VULNERABILITY OVERVIEW 3.2.1 Use of Hard-coded Cryptographic Key CWE-321 ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK. The key can be easily derived f...
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.2 ATTENTION: Low Attack Complexity Vendor: Siemens Equipment: Teamcenter Visualization Vulnerability: Out-of-bounds Read 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens Teamcenter Visualization V14.3: All versions prior to V14.3.0.14 Siemens Teamcenter Visualization V2312: All versions prior to V2312.0010 Siemens Teamcenter Visualization V2406: All versions prior to V2406.0008 Siemens Teamcenter Visualization V2412: All versions prior ...
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIPROTEC and SICAM Vulnerability: Improper Enforcement of Message Integrity During Transmission in a Communication Channel 2. RISK EVALUATION Successful exploitation of this vulnerability could cause the network access server to grant the attacker access to the network with the attacker's desired authorization and without the need of knowing or guessing legitimate access credentials. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports the following products using the RADIUS protocol are affected: CPC80 Central Processing/Communication: All versions...