#web

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Westermo Equipment: Lynx 206-F2G Vulnerabilities: Cross-site Scripting, Code Injection, Cross-Origin Resource Sharing, Cleartext Transmission of Sensitive Information, Cross-Site Request Forgery 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to access the web application, inject arbitrary code, execute malicious code, obtain sensitive information, or execute a malicious request. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Lynx 206-F2G, a layer three industrial Ethernet switch, are affected: Lynx: Model Version L206-F2G1 Lynx: Firmware Version 4.24. 3.2 Vulnerability Overview 3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79 An attacker with access to the web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site sc...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.7 ATTENTION: Low attack complexity Vendor: Lantronix Equipment: XPort Vulnerability: Weak Encoding for Password 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to obtain credentials. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of XPort, a device server configuration manager, are affected: XPort Device Server Configuration Manager: Version 2.0.0.13 3.2 Vulnerability Overview 3.2.1 Weak Encoding for Password CWE-261 Lantronix XPort sends weakly encoded credentials within web request headers. CVE-2023-7237 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Healthcare, Transportation COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: United States 3.4 RESEARCHER Aarón Flecha Menéndez of S2...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.4 ATTENTION: Low attack complexity Vendor: Crestron Equipment: AM-300 Vulnerability: OS Command Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to escalate their privileges to root-level access. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Crestron AirMedia Presentation System products are affected: AM-300: Version 1.4499.00018 3.2 Vulnerability Overview 3.2.1 CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') There is an OS command injection vulnerability in Crestron AM-300 firmware version 1.4499.00018 which may enable a user of a limited-access SSH session to escalate their privileges to root-level access. CVE-2023-6926 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calculated; the CVSS vector string is AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Multiple COUNT...

Conor Brian Fitzpatrick has been sentenced to time served and 20 years of supervised release for his role as the creator and administrator of BreachForums. Fitzpatrick, who went by the online alias "pompompurin," was arrested in March 2023 in New York and was subsequently charged with conspiracy to commit access device fraud and possession of child pornography. He was later released on a $

Apple on Monday released security updates for iOS, iPadOS, macOS, tvOS, and Safari web browser to address a zero-day flaw that has come under active exploitation in the wild. The issue, tracked as CVE-2024-23222, is a type confusion bug that could be exploited by a threat actor to achieve arbitrary code execution when processing maliciously crafted web content. The tech giant said the problem

Apple’s iOS 17.3 introduces Stolen Device Protection to iPhones, which could stop phone thieves from taking over your accounts. Here’s how to enable it right now.

By Owais Sultan One of the most needed functions in the CS console has always been a command that allows you… This is a post from HackRead.com Read the original post: Bind For Cleaning Blood And Bullet Marks In Counter-Strike 2

By Deeba Ahmed The latest Chae$ 4.1 sends a direct message to the cybersecurity researchers at Morphisec within the source code. This is a post from HackRead.com Read the original post: The Fake Fix: New Chae$ 4.1 Malware Hides in Driver Downloads

By Owais Sultan Deloitte Partners with Memcyco to Combat ATO and Other Online Attacks with Real-Time Digital Impersonation Protection Solutions. This is a post from HackRead.com Read the original post: Deloitte Teams Up with Memcyco for Real-Time Digital Impersonation Protection

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC * Spring Security 6.1.6+ or 6.2.1+ is on the classpath Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.