Tag
#windows
PHP JABBERS PHP Review Script version 1.0 suffers from a cross site scripting vulnerability.
Innovins CMS version 4.7 suffers from a remote SQL injection vulnerability.
Red Hat Security Advisory 2023-4885-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include a privilege escalation vulnerability.
Islam CMS version 1.0 suffers from a remote PHP code injection vulnerability.
Invasor Diagonal CMS version 1.0 suffers from a cross site scripting vulnerability.
InterPhoto version 2.3.0 suffers from a remote shell upload vulnerability.
Three additional malicious Python packages have been discovered in the Python Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors. The findings come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro. First disclosed at
1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: PTC
Equipment: Kepware KepServerEX
Vulnerabilities: Uncontrolled Search Path Element, Improper Input Validation, Insufficiently Protected Credentials
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain elevated privileges, execute arbitrary code, and obtain server hashes and credentials.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Kepware KepServerEX, an industrial automation control platform, are affected:
Kepware KepServerEX: version 6.14.263.0 and prior
ThingWorx Kepware Server: version 6.14.263.0 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427
The installer application of KEPServerEX is vulnerable to DLL search order hijacking. This could allow an adversary to repackage the installer with a malicious DLL and trick users into installing the trojanized software. Successful...
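The DLL search order hijacking described in the Kepware entry is a property of how the Windows loader resolves an unqualified DLL name: an installer run from a user-writable folder searches that folder before System32, so a DLL dropped or repackaged beside it is loaded in place of the genuine one. The following is an added example, not code from the advisory, CISA or PTC; it models that search order and flags the import names a planted file would preempt. The file system, directory names, DLL names and installer name are constructed assumptions.

```python
"""
Added example (not code from the advisory, CISA or PTC): a model of the
Windows DLL search order used to reason about search-order hijacking.
Given the DLL names an executable loads by name, it reports every name an
attacker can satisfy by planting a file in a directory the loader consults
*before* the directory holding the genuine copy.  The file system, directory
names, DLL names and the installer's name are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Names served from the KnownDLLs section never touch the file system, so
# they are out of scope for this style of hijack.  Subset, for illustration.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


@dataclass
class Finding:
    dll: str
    planted_in: str            # attacker-writable directory searched first
    genuine_in: Optional[str]  # where the loader would otherwise find it; None = nowhere


def search_order(app_dir: str, cwd: str, path_dirs: List[str], safe_mode: bool = True) -> List[str]:
    """Directories in the order the loader consults them for an unqualified name.
    SafeDllSearchMode (the default) pushes the current directory behind the
    system directories; with it disabled the current directory comes second."""
    if safe_mode:
        return [app_dir] + SYSTEM_DIRS + [cwd] + list(path_dirs)
    return [app_dir, cwd] + SYSTEM_DIRS + list(path_dirs)


def audit(imports: List[str], order: List[str], fs: Dict[str, Set[str]], writable: Set[str]) -> List[Finding]:
    """fs maps directory -> files present (constructed); writable is the set of
    directories the attacker controls.  A DLL is hijackable when some writable
    directory precedes the genuine copy in the search order, or when no genuine
    copy exists at all (a 'phantom' import: the first writable directory wins)."""
    findings = []
    for dll in imports:
        name = dll.lower()
        if name in KNOWN_DLLS:
            continue
        genuine = next(
            (d for d in order if name in {f.lower() for f in fs.get(d, set())}),
            None,
        )
        for d in order:
            if d == genuine:
                break                       # loader reaches the real file first
            if d in writable:
                findings.append(Finding(dll, d, genuine))
                break
    return findings


def demo() -> List[Finding]:
    """Installer downloaded to a user-writable folder and run from there, so the
    application directory (searched first) is one the attacker can also populate,
    e.g. by repackaging the download with an extra DLL beside it."""
    downloads = r"C:\Users\alice\Downloads"
    fs = {
        r"C:\Windows\System32": {"version.dll", "dbghelp.dll", "kernel32.dll"},
        downloads: {"vendor-setup.exe"},
    }
    order = search_order(app_dir=downloads, cwd=downloads, path_dirs=[r"C:\Windows\System32"])
    return audit(
        ["KERNEL32.dll", "VERSION.dll", "dbghelp.dll", "vendorhelper.dll"],
        order, fs, writable={downloads},
    )


if __name__ == "__main__":
    for f in demo():
        print(f"{f.dll}: plant in {f.planted_in} (genuine: {f.genuine_in or 'none, phantom import'})")
```

In the constructed scenario KERNEL32.dll is skipped as a KnownDLL, VERSION.dll and dbghelp.dll are hijackable because the download folder precedes System32, and vendorhelper.dll is a phantom import with no genuine copy at all. The loader-side fixes are to load system libraries by fully qualified path or via LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 (or SetDefaultDllDirectories), and on the distribution side to sign the installer and publish a hash so a repackaged download is detectable before it runs.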
1. EXECUTIVE SUMMARY
CVSS v3 9.0
ATTENTION: Exploitable remotely
Vendor: Digi International, Inc.
Equipment: Digi RealPort Protocol
Vulnerability: Use of Password Hash Instead of Password for Authentication
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow the attacker to access connected equipment.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Digi International reports that the following products using Digi RealPort Protocol are affected:
Digi RealPort for Windows: version 4.8.488.0 and earlier
Digi RealPort for Linux: version 1.9-40 and earlier
Digi ConnectPort TS 8/16: versions prior to 2.26.2.4
Digi Passport Console Server: all versions
Digi ConnectPort LTS 8/16/32: versions prior to 1.4.9
Digi CM Console Server: all versions
Digi PortServer TS: all versions
Digi PortServer TS MEI: all versions
Digi PortServer TS MEI Hardened: all versions
Digi PortServer TS M MEI: all versions
Digi PortServer TS P MEI: all versions
Digi One IAP Family: a...
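The weakness named in the Digi entry, Use of Password Hash Instead of Password for Authentication (CWE-836), means the value the server stores is also the value a client must present, so whoever obtains the hash can log in without the password. The following is an added example constructed for this entry; it is not Digi's RealPort protocol or code. It shows both sides of three exchanges: the plain hash-as-credential login, a challenge-response variant that still fails because the response is keyed by the hash, and a corrected design whose stored verifier cannot be used as a credential. User name, password, hash choices and work factor are assumptions.

```python
"""
Added example (constructed; not Digi's protocol or code): CWE-836 in miniature.
Vulnerable servers accept the stored hash (or something derived only from it)
as proof of identity; the corrected server needs the password itself and
stores only a salted, slow verifier.  Names and parameters are assumptions.
"""
import hashlib
import hmac
import os

ITER = 200_000  # PBKDF2 work factor for the corrected server (assumption)


def weak_hash(password: str) -> str:
    """Unsalted fast hash standing in for whatever the vulnerable protocol stores."""
    return hashlib.sha256(password.encode()).hexdigest()


class HashIsCredentialServer:
    """Vulnerable: the stored hash is exactly what the client must present."""

    def __init__(self, users):
        self.db = {u: weak_hash(p) for u, p in users.items()}

    def login(self, user: str, presented_hash: str) -> bool:
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, presented_hash)


class ChallengeResponseServer(HashIsCredentialServer):
    """Still vulnerable: a nonce stops replay of a sniffed response, but the
    response is keyed by the hash, so anyone holding the hash computes it."""

    def challenge(self) -> bytes:
        return os.urandom(16)

    def login_cr(self, user: str, nonce: bytes, response: str) -> bool:
        stored = self.db.get(user)
        if stored is None:
            return False
        expected = hmac.new(stored.encode(), nonce, "sha256").hexdigest()
        return hmac.compare_digest(expected, response)


def cr_client(secret_hash: str, nonce: bytes) -> str:
    """Response computed by the legitimate client (from the password's hash)
    and, identically, by an attacker who only ever learned the hash."""
    return hmac.new(secret_hash.encode(), nonce, "sha256").hexdigest()


class PasswordVerifierServer:
    """Corrected: salted slow hash as verifier; login requires the password
    itself, which in deployment must travel over a confidential channel (TLS)."""

    def __init__(self):
        self.db = {}

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER))

    def login(self, user: str, password: str) -> bool:
        rec = self.db.get(user)
        if rec is None:
            return False
        salt, verifier = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)
        return hmac.compare_digest(verifier, candidate)


def demo() -> dict:
    user, password = "operator", "correct horse battery staple"  # constructed
    stolen = weak_hash(password)  # all the attacker knows: dumped or sniffed hash

    plain = HashIsCredentialServer({user: password})
    cr = ChallengeResponseServer({user: password})
    nonce = cr.challenge()
    fixed = PasswordVerifierServer()
    fixed.enroll(user, password)
    _, verifier = fixed.db[user]  # attacker who dumped the corrected server's store

    return {
        "plain_hash_replay": plain.login(user, stolen),
        "cr_with_hash_only": cr.login_cr(user, nonce, cr_client(stolen, nonce)),
        "cr_replay_old_nonce": cr.login_cr(user, cr.challenge(), cr_client(stolen, nonce)),
        "fixed_with_verifier_as_password": fixed.login(user, verifier.hex()),
        "fixed_with_password": fixed.login(user, password),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authenticated' if ok else 'rejected'}")
```

The first two results are the point of the weakness class: both the plain and the challenge-response server authenticate an attacker who holds only the hash, so hashing the password on the client buys nothing against credential theft. Only the corrected server rejects its own stored verifier when it is presented as a password, and that design is sound only if the transport keeps the real password confidential.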
Plus: Mozilla patches more than a dozen vulnerabilities in Firefox, and enterprise companies Ivanti, Cisco, and SAP roll out a slew of updates to get rid of some high-severity bugs.