1. EXECUTIVE SUMMARY
CVSS v3 5.3
Vendor: Mitsubishi Electric
Equipment: MELIPC, MELSEC iQ-R, and MELSEC Q Series
Vulnerabilities: Processor Optimization Removal or Modification of Security-Critical Code, Observable Discrepancy
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a malicious attacker to disclose information in the affected products.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Mitsubishi Electric reports the following versions of FA Engineering Software Products are affected. For the correspondence table of the affected products and each vulnerability, refer to Mitsubishi Electric's security bulletin.
MELIPC MI5122-VW: All Versions
MELIPC MI2012-W: All Versions
MELIPC MI1002-W: All Versions
MELIPC MI3321G-W: All Versions
MELIPC MI3315G-W: All Versions
MELSEC iQ-R R102WCPU-W: All Versions
MELSEC Q Q24DHCCPU-V: All Versions
MELSEC Q Q24DHCCPU-VG: All Versions
MELSEC Q Q24DHCCPU-LS: All Versions
MELSEC Q Q26DHCCPU-LS: All Versions
3.2 Vu...

1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: ControlByWeb
Equipment: X-332 and X-301
Vulnerability: Cross-Site Scripting
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an authenticated attacker to run malicious code during a user's session.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of ControlByWeb Relay are affected:
X-332-24I: Firmware 1.06
X-301-I: Firmware 1.15
X-301-24I: Firmware 1.15
3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
The affected ControlByWeb Relay products are vulnerable to a stored cross-site scripting vulnerability, which could allow an attacker to inject arbitrary scripts into the endpoint of a web interface that could run malicious JavaScript code during a user's session.
CVE-2023-6333 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated...

1. EXECUTIVE SUMMARY
CVSS v3 8.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Sierra Wireless
Equipment: AirLink
Vulnerabilities: Infinite Loop, NULL Pointer Dereference, Cross-site Scripting, Reachable Assertion, Use of Hard-coded Credentials, Use of Hard-coded Cryptographic Key
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution to take full control of the device, steal credentials through a cross-site scripting attack, or crash the device being accessed through a denial-of-service attack.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Sierra Wireless AirLink router with ALEOS firmware are affected:
AirLink ALEOS firmware: All versions prior to 4.9.9
AirLink ALEOS firmware: All versions prior to 4.17.0
3.2 Vulnerability Overview
3.2.1 LOOP WITH UNREACHABLE EXIT CONDITION ('INFINITE LOOP') CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability...

1. EXECUTIVE SUMMARY
CVSS v3 4.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schweitzer Engineering Laboratories
Equipment: SEL-411L
Vulnerability: Improper Restriction of Rendered UI Layers or Frames
2. RISK EVALUATION
Successful exploitation of this vulnerability could expose authorized users to clickjacking attacks.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of the Schweitzer Engineering Laboratories SEL-411L are affected:
R118: V0 - V4
R119: V0 - V5
R120: V0 - V6
R121: V0 - V3
R122: V0 - V3
R123: V0 - V3
R124: V0 - V3
R125: V0 - V3
R126: V0 - V4
R127: V0 - V2
R128: V0 - V1
R129: V0 - V1
3.2 Vulnerability Overview
3.2.1 IMPROPER RESTRICTION OF RENDERED UI LAYERS OR FRAMES CWE-1021
An Improper Restriction of Rendered UI Layers or Frames in the Schweitzer Engineering Laboratories SEL-411L could allow an unauthenticated attacker to perform clickjacking-based attacks against an authenticated and authorized user.
CVE-2023-2265 has been a...

Server-Side Request Forgery (SSRF) vulnerability in Code for Recovery 12 Step Meeting List. This issue affects 12 Step Meeting List: from n/a through 3.14.24.
Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Starter Templates — Elementor, WordPress & Beaver Builder Templates. This issue affects Starter Templates — Elementor, WordPress & Beaver Builder Templates: from n/a through 3.2.4.
Server-Side Request Forgery (SSRF) vulnerability in Paytm Paytm Payment Gateway. This issue affects Paytm Payment Gateway: from n/a through 2.7.0.
Server-Side Request Forgery (SSRF) vulnerability in Softaculous Team SpeedyCache – Cache, Optimization, Performance. This issue affects SpeedyCache – Cache, Optimization, Performance: from n/a through 1.1.2.
Unspecified governments have demanded mobile push notification records from Apple and Google users to pursue people of interest, according to U.S. Senator Ron Wyden. "Push notifications are alerts sent by phone apps to users' smartphones," Wyden said. "These alerts pass through a digital post office run by the phone operating system provider -- overwhelmingly Apple or Google. Because of
A cross-site scripting vulnerability exists in Ruckus Access Point products (ZoneDirector, SmartZone, and AP Solo). If this vulnerability is exploited, an arbitrary script may be executed in the web browser of a user who is logging in to the product. For the affected products/models/versions, see the information provided by the vendor listed under the [References] section or the list under the [Product Status] section.