#web

A Stored Cross-Site Scripting vulnerability was discovered in ZenTao 18.3 where a user can create a project, and in the name field of the project, they can inject malicious JavaScript code.

Submitty before v22.06.00 is vulnerable to Cross Site Scripting (XSS). An attacker can create a malicious link in the forum that leads to XSS.

By Owais Sultan India Blockchain Week (IBW), the country’s flagship series of blockchain and Web3 events held in Bangalore from Dec.4-10, is… This is a post from HackRead.com Read the original post: India Blockchain Week (IBW) Unveils Diverse Speaker Line-up

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: SpaceLogic C-Bus Toolkit Vulnerabilities: Improper Privilege Management, Path Traversal 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, which could result in tampering of the SpaceLogic C-Bus home automation system. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Schneider Electric products are affected: SpaceLogic C-Bus Toolkit: Versions 1.16.3 and prior 3.2 Vulnerability Overview 3.2.1 Improper Privilege Management CWE-269 Schneider Electric's SpaceLogic C-Bus Toolkit product is vulnerable due to improper privilege management, which could cause remote code execution when the transfer command is used over the network. CVE-2023-5402 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Red Lion Equipment: FlexEdge Gateway, DA50A, DA70A running Crimson Vulnerability: Improper Neutralization of Null Byte or NUL Character 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to truncate passwords configured by the Crimson configuration tool which could create weaker than intended credentials. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Red Lion products are affected: Crimson: v3.2.0053.18 or prior 3.2 Vulnerability Overview 3.2.1 IMPROPER NEUTRALIZATION OF NULL BYTE OR NUL CHARACTER CWE-158 The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting security configuration to a device. If such a password contains the percent (%) character, invalid values will be included, potentially truncating the string if a NUL is encountered....

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.3 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Franklin Fueling System Equipment: TS-550 Vulnerability: Use of Password Hash with Insufficient Computational Effort 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to access the device and gain unauthenticated access. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Franklin Fueling System TS-550, are affected: TS-550: All versions prior to 1.9.23.8960 3.2 Vulnerability Overview 3.2.1 USE OF PASSWORD HASH WITH INSUFFICIENT COMPUTATIONAL EFFORT CWE-916 Franklin Fueling System TS-550 versions prior to 1.9.23.8960 are vulnerable to attackers decoding admin credentials, resulting in unauthenticated access to the device. CVE-2023-5846 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L). 3.3 BACK...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Weintek Equipment: EasyBuilder Pro Vulnerability: Use of Hard-coded Credentials 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to obtain remote control of a victim's computer as a privileged user. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Weintek products are affected: EasyBuilder Pro: Versions prior to v6.07.02 EasyBuilder Pro: Versions 6.08.01.592 and prior EasyBuilder Pro: Versions 6.08.02.470 and prior 3.2 Vulnerability Overview 3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798 The affected product contains a vulnerability that, even when the private key is immediately deleted after the crash report transmission is finished, the private key is exposed to the public, which could result in obtaining remote control of the crash report server. CVE-2023-5777 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has bee...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Corporation Equipment: MELSEC Series Vulnerability: Insufficient Verification of Data Authenticity 2. RISK EVALUATION Successful exploitation of this vulnerability may allow a remote attacker to reset the memory of the products to factory default state and cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Mitsubishi Electric reports that the following versions of MELSEC-F series programmable controllers are affected if they are used with ethernet communication special adapter FX3U-ENET-ADP or ethernet communication block FX3U-ENET(-L) with the exception of "FX3GE-xMy/z x=24,40, y=T,R, z=ES,ESS,DS,DSS". Some of these products are sold in limited regions, see the Mitsubishi Electric advisory for details: MELSEC-F series FX3U-xMy/z x=16,32,48,64,80,128, y=T,R, z=ES,ESS,DS,DSS: All versions MELSEC-F series FX3U-32MR/UA1, FX3U-64MR/UA1: A...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low attack complexity Equipment: MELSEC iQ-F Series Vulnerability: Improper Restriction of Excessive Authentication Attempts 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a remote attacker to prevent legitimate users from logging into the web server function for a certain period, resulting in a denial-of-service condition. The impact of this vulnerability will persist while the attacker continues to attempt the attack. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Mitsubishi Electric MELSEC iQ-F Series products are affected (Products with * are sold in limited regions): FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS (Serial number 17X**** and later): All versions FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS (Serial number 179**** and prior): Versions 1.060 or later FX5UC-xMy/z x=32,64,96, y=T, z=D,DSS (Serial number 17X**** and later): All versions FX5UC-xMy/z x=32,64,96...

Knowing the common scams is an important step in using the platform safely. The following recommendations help players not fall into scams.