Threat and Vulnerability Intelligence Database

CVE-2024-55662

Description:
Impact: On instances where Extension Repository Application is installed, any user can execute any code requiring programming rights on the server. In order to reproduce on an instance, as a normal user without script nor programming rights, go to your profile and add an object of type ExtensionCode.ExtensionClass. Set the description to {{async}}{{groovy}}println("Hello from Description"){{/groovy}}{{/async}} and press Save and View. If the description displays as Hello from Description without any error, then the instance is vulnerable.
Patches: This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0.
Workarounds: Since Extension Repository Application is not mandatory, it can be safely disabled on instances that do not use it. It is also possible to manually apply this patch to the page ExtensionCode.ExtensionSheet, as well as this patch to the page ExtensionCode.ExtensionAuthorsDisplayer.
References:
https://jira.xwiki.org/browse/XWIKI-21890
https://github.com/xwiki/xwiki-platform/commit/8659f17d500522bf33595e402391592a35a162e8
For more information: If you have any questions or comments about this advisory: Open an issue in Jira XWiki.org. Email us at Security Mailing List.
References:
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j2pq-22jj-4pm5
https://nvd.nist.gov/vuln/detail/CVE-2024-55662
https://github.com/xwiki/xwiki-platform/commit/8659f17d500522bf33595e402391592a35a162e8
https://jira.xwiki.org/browse/XWIKI-21890
https://github.com/advisori...

EPSS Score: 0.05%

Source: Github Advisory Database (Maven)
December 12th, 2024 (5 months ago)

Description: The rules necessary to secure US communications have already been in place for 30 years, argues Sen. Wyden, the FCC just hasn't enforced them. It's unclear if they will help.
Source: Dark Reading
December 12th, 2024 (5 months ago)

Description: Cleo has released security updates for a zero-day flaw in its LexiCom, VLTransfer, and Harmony software, currently exploited in data theft attacks. [...]
Source: BleepingComputer
December 12th, 2024 (5 months ago)

Description: The Spanish police, working with colleagues in Peru, conducted a simultaneous crackdown on a large-scale voice phishing (vishing) scam ring in the two countries, arresting 83 individuals. [...]
Source: BleepingComputer
December 12th, 2024 (5 months ago)

Description: US Bitcoin ATM operator Byte Federal has disclosed a data breach that exposed the data of 58,000 customers after its systems were breached using a GitLab vulnerability. [...]
Source: BleepingComputer
December 12th, 2024 (5 months ago)

CVE-2024-54093

Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
CVSS v4 7.3
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Solid Edge SE2024
Vulnerabilities: Heap-based Buffer Overflow, Integer Underflow (Wrap or Wraparound)
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Siemens Solid Edge SE2024 are affected:
Solid Edge SE2024: All versions prior to V224.0
3.2 Vulnerability Overview
3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122
The affected application is vulnerable to heap-based buffer overflow while parsing specially crafted ASM files. This could allow an attacker to execute code in the context of the current process. CVE-2024-54093 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2024-54093. A base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 HEAP-BASED BUFFER OVERFLOW CWE-122
The a...

EPSS Score: 0.05%

Source: All CISA Advisories
December 12th, 2024 (5 months ago)

CVE-2024-53832

Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
CVSS v4 5.1
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: CPCI85 Central Processing/Communication
Vulnerability: Insufficiently Protected Credentials
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker with physical access to the device to decrypt the firmware.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
Siemens CPCI85 Central Processing/Communication: All versions prior to V05.30
3.2 Vulnerability Overview
3.2.1 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522
The affected devices contain a secure element which is connected via an unencrypted SPI bus. This could allow an attacker with physical access to the SPI bus to observe the password used for the secure element authentication and use the secure element as an oracle to decrypt all encrypted update files. CVE-2024-53832 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). A CVSS v4 score has also been calculated for CVE-2024-53832. A base score of 5.1 has been cal...

EPSS Score: 0.05%

Source: All CISA Advisories
December 12th, 2024 (5 months ago)

CVE-2024-6657

Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
CVSS v4 5.9
ATTENTION: Exploitable from adjacent network
Vendor: Siemens
Equipment: SENTRON Powercenter 1000
Vulnerability: Incorrect Synchronization
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
SENTRON Powercenter 1000 (7KN1110-0MC00): All versions
SENTRON Powercenter 1100 (7KN1111-0MC00): All versions
3.2 Vulnerability Overview
3.2.1 INCORRECT SYNCHRONIZATION CWE-821
A denial of service condition can only be triggered during BLE pairing. This occurs only in a limited time window of three minutes after any device restart requiring physical access. A reset of the power supply is necessary for device recovery. CVE-2024-6657 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). A CVSS v4 score has also been calculated for CVE-2024-6657. A base score of 5.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/...

Source: All CISA Advisories
December 12th, 2024 (5 months ago)

CVE-2024-41981

Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
CVSS v4 7.3
ATTENTION: Low Attack Complexity
Vendor: Siemens
Equipment: Simcenter Femap
Vulnerabilities: Heap-based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
Simcenter Femap V2306: All versions
Simcenter Femap V2401: All versions
Simcenter Femap V2406: All versions
3.2 Vulnerability Overview
3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122
The affected application is vulnerable to heap-based buffer overflow while parsing specially crafted BDF files. This could allow an attacker to execute code in the context of the current process. CVE-2024-41981 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2024-41981. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV...

EPSS Score: 0.04%

Source: All CISA Advisories
December 12th, 2024 (5 months ago)

CVE-2024-54091

Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
CVSS v4 7.3
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Parasolid
Vulnerability: Out-of-bounds Write
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
Parasolid V36.1: Versions prior to V36.1.225
Parasolid V37.0: Versions prior to V37.0.173
Parasolid V37.1: Versions prior to V37.1.109
3.2 Vulnerability Overview
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
The affected applications contain an out-of-bounds write vulnerability when parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. CVE-2024-54091 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2024-54091. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND ...

EPSS Score: 0.04%

Source: All CISA Advisories
December 12th, 2024 (5 months ago)