VARIoT IoT vulnerabilities database

HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to cause a denial of service (application crash) by sending crafted data over TCP. Miniweb has a security vulnerability that allows an attacker to submit a specially crafted HTTP POST request to allow the server to access any illegal memory area while checking the extension of the requested file. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. HmiLoad provides functions that read data and unicode strings with stack-based buffer overflows, allowing an attacker to exploit a vulnerability to execute arbitrary code. Siemens SIMATIC is an automation software in a single engineering environment. A security vulnerability exists in the Siemens SIMATIC WinCC HMI web server. When the transfer mode is enabled, the runtime loader listens on the 2308/TCP or 50523/TCP port. Since the incoming data is not fully verified, there are multiple denial of service attacks that can crash the program. A directory traversal vulnerability exists in the HmiLoad server that allows reading, writing, and deleting arbitrary files outside of the specified directory. Attackers can exploit these issues to execute arbitrary code in the context of the affected application, read/write or delete arbitrary files outside of the server root directory, or cause denial-of-service conditions; other attacks may also be possible

The HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008 before SP3; WinCC V11 (aka TIA portal) before SP2 Update 1; the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime generates predictable authentication tokens for cookies, which makes it easier for remote attackers to bypass authentication via a crafted cookie. plural Siemens Product HMI Web The server Cookie There is a vulnerability that prevents authentication because it generates a predictable authentication token.Skillfully crafted by a third party Cookie Authentication may be bypassed. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. Multiple Siemens SIMATIC products have security vulnerabilities, and the insecure generation of authentication tokens (session COOKIE guesses) allows an attacker to bypass authentication checks and increase privileges without a username and password. An attacker can exploit these issues to bypass intended security restrictions and gain access to the affected application. Successfully exploiting these issues may lead to further attacks. The Siemens SIMATIC HMI product family is used as the human-machine interface between the corresponding PLC and the operator

The HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime has an improperly selected default password for the administrator account, which makes it easier for remote attackers to obtain access via a brute-force approach involving many HTTP requests. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. The default management password exists for multiple Siemens SIMATIC products. The default account password for the WEB interface is \"Administrator: 100\", and the password \"100\" can also be used for the VNC service. If the user changes the password containing special characters, the system will put the password. Reset to \"100\". The following products are affected by this vulnerability: SIMATIC WinCC Flexible 2004 through 2008 SP2SIMATIC WinCC V11, V11 SP1, and V11 SP2 SIMATIC HMI TP, OP, MP, Mobile, and Comfort Series Panels Successful exploits allow an attacker to log in with user or administrator privileges Affect the system. An attacker can exploit these issues to bypass intended security restrictions and gain access to the affected application. Successfully exploiting these issues may lead to further attacks. The Siemens SIMATIC HMI product family is used as the human-machine interface between the corresponding PLC and the operator

The FactoryTalk (FT) RNADiagReceiver service in Rockwell Automation Allen-Bradley FactoryTalk CPR9 through SR5 and RSLogix 5000 17 through 20 does not properly handle the return value from an unspecified function, which allows remote attackers to cause a denial of service (service outage) via a crafted packet. Rockwell Automation is a provider of industrial automation, control and information technology solutions. Rockwell Automation FactoryTalk Activation Server RNADiagReceiver has errors in processing packets. Submitting a packet containing more than 2000 bytes to UDP port 4445 can result in no subsequent connections. An attacker can exploit these issues to crash the affected application, denying service to legitimate users

The FactoryTalk (FT) RNADiagReceiver service in Rockwell Automation Allen-Bradley FactoryTalk CPR9 through SR5 and RSLogix 5000 17 through 20 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted packet. Rockwell Automation is a provider of industrial automation, control and information technology solutions. Rockwell Automation FactoryTalk Activation Server RNADiagReceiver has errors in processing packets. Submitting a packet containing more than 2000 bytes to UDP port 4445 can result in no subsequent connections. An attacker can exploit these issues to crash the affected application, denying service to legitimate users

Multiple buffer overflows in Schneider Electric Modicon Quantum PLC allow remote attackers to cause a denial of service via malformed requests to the (1) FTP server or (2) HTTP server. Schneider Electric Modicon Quantum is an automated control platform with a full range of complete processors for complex process control and infrastructure. (2) There is a backdoor account that allows access to the system with user or administrator privileges. (5) There is also a cross-site scripting attack. Schneider Electric Modicon Quantum is prone to multiple vulnerabilities including: 1. A remote code-execution vulnerability. 2. Multiple buffer-overflow vulnerabilities. 3. A security-bypass vulnerability. 4. A cross site-scripting vulnerability. Attackers can exploit these issues to execute arbitrary code in the context of the affected application, cause denial-of-service conditions, bypass some security restrictions, allow an attacker to steal cookie-based information, or execute script code in the context of the browser of an unsuspecting user; other attacks may also be possible. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Schneider Electric Modicon Quantum Cross-Site Scripting and Buffer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA47723 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47723/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47723 RELEASE DATE: 2012-01-23 DISCUSS ADVISORY: http://secunia.com/advisories/47723/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47723/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47723 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Schneider Electric Modicon Quantum Series Modules, which can be exploited by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service). 1) Certain unspecified input is not properly sanitised before being returned to the user. SOLUTION: Filter malicious characters and character sequences in a proxy. Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: ICS-CERT credits Ruben Santamarta via Digital Bond\x92s SCADA Security Scientific Symposium (S4). ORIGINAL ADVISORY: ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-020-03.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in the VSFlex7.VSFlexGrid ActiveX control in ComponentOne FlexGrid 7.1, as used in Open Automation Software OPC Systems.NET, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long archive file name argument to the Archive method. OPC Systems.NET is a .NET product for SCADA, HMI. ComponentOne FlexGrid ActiveX Control is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. ComponentOne FlexGrid 7.1 is vulnerable; other versions may also be affected

Toshiba e-STUDIO is an all-in-one machine from Toshiba. Password information can be obtained from the HTML source code of various configuration pages, such as: http://IP Address/TopAccess/Administrator/Setup/ScanToFile/List.htm<td nowrap\">\"> Password <input ID=\342\200\235Password3\342\200\262\342\200\262 type = \"password\" value=\342\200\235Password1\342\200\235 onfocus=\342\200\235 if (this.disable) this.blur();\342\200\235 maxlength=\342\200\23532\342\200\235 Use these password information to access the file server, LDAP system, etc. Toshiba e-Studio Devices is prone to an information-disclosure vulnerability that exposes sensitive information. Successful exploits will allow unauthenticated attackers to obtain sensitive information from the device, such as an administrative password, which may aid in further attacks

Directory traversal vulnerability in the PXE Mtftp service in Hitachi JP1/ServerConductor/DeploymentManager before 08-55 Japanese and before 08-51 English allows remote attackers to read arbitrary files via unknown vectors. A security vulnerability exists in Hitachi JP1/ServerConductor/DeploymentManager that allows malicious users to obtain sensitive information. The DeploymentManager PXE Mtftp service has an input validation error. Hitachi JP1/ServerConductor/DeploymentManager is prone to a directory-traversal vulnerability. Other attacks may also be possible. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Hitachi JP1/ServerConductor/DeploymentManager Directory Traversal Vulnerability SECUNIA ADVISORY ID: SA47221 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47221/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47221 RELEASE DATE: 2011-12-15 DISCUSS ADVISORY: http://secunia.com/advisories/47221/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47221/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47221 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Hitachi JP1/ServerConductor/DeploymentManager, which can be exploited by malicious people to disclose sensitive information. SOLUTION: Please see the vendor's advisory for fix information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Hitachi (HS11-026): http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-026/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trendnet TV-IP422W, iPUX ICS1033, Digicom IP CAMERA 100W are IP camera products. These products include an undocumented account \"productmaker\" that uses the default password, which allows an attacker to access the WEB or Telnet interface and command injection attacks. Multiple IP cameras are prone to an unauthorized access vulnerability. Successful exploits will allow a remote attacker to gain unauthorized access to the affected device

D-Link ShareCenter is a network storage device. D-Link ShareCenter does not perform proper verification check on accessing existing CGI scripts (/cgi directory). Attackers can access the following resources to obtain the device model and firmware version: http://<device IP address>/cgi-bin/ Discovery.cgihttp://<device IP address>/cgi-bin/system_mgr.cgi?cmd=get_firm_v_xml Another undocumented feature allows arbitrary commands to be executed, such as: http://<device IP address>/cgi-bin/system_mgr .cgi?cmd=cgi_sms_test. D-Link ShareCenter products are prone to multiple remote code-execution vulnerabilities. Successful exploits will result in the execution of arbitrary code in the context of the affected application. Failed exploit attempts may result in a denial-of-service condition. The following products are affected: D-Link DNS-320 ShareCenter D-Link DNS-325 ShareCenter

The SEL-2032 Communications Processor is a communications processor used by Schneider. The SEL-2032 Communications Processor SCADA remote terminal unit uses the plain text protocol for password verification. In addition, the attacker can crash the service program through telnet and port 1024/TCP. An attacker could exploit a vulnerability to perform a denial of service attack on a service or obtain sensitive information to bypass security restrictions. SEL-2032 Communications Processor is prone to a denial-of-service vulnerability and a security-bypass vulnerability. Attackers can exploit these issues to perform denial-of-service attacks or gain unauthorized access to the affected device. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: SEL-2032 Communications Processor Denial of Service Vulnerability SECUNIA ADVISORY ID: SA47739 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47739/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47739 RELEASE DATE: 2012-01-23 DISCUSS ADVISORY: http://secunia.com/advisories/47739/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47739/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47739 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in SEL-2032 Communications Processor, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error when processing certain packets and can be exploited to crash the device. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: ICS-CERT credits Dillon Beresford via Digital Bond\x92s SCADA Security Scientific Symposium (S4). ORIGINAL ADVISORY: ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-020-04.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple cross-site scripting (XSS) vulnerabilities in Zabbix before 1.8.10 allow remote attackers to inject arbitrary web script or HTML via the gname parameter (aka host groups name) to (1) hostgroups.php and (2) usergrps.php, the update action to (3) hosts.php and (4) scripts.php, and (5) maintenance.php. Zabbix is a CS network distributed network monitoring system. The gname variable is not properly filtered when creating users and host groups. The following URL can cause persistent XSS attacks: URL: hostgroups.php usergrps.php Affected Parameters: gname Method: POST Injection: \"</options><script>alert( 'XSS')</script> Persists in: http://test/zabbix/hostgroups.php http://test/zabbix/users.php http://test/zabbix/hosts.php?form=update. ZABBIX is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, or control how the site is rendered to the user. Other attacks are also possible. ZABBIX 1.8.5 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Zabbix Two Script Insertion Vulnerabilities SECUNIA ADVISORY ID: SA47216 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47216/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47216 RELEASE DATE: 2011-12-16 DISCUSS ADVISORY: http://secunia.com/advisories/47216/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47216/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47216 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Zabbix, which can be exploited by malicious users to conduct script insertion attacks. Successful exploitation of this vulnerability requires access rights to modify "host group" names. 2) Certain unspecified input to the profiler is not properly sanitised before being used. The vulnerabilities are reported in version 1.8.5. SOLUTION: Fixed in version 1.8.10rc. PROVIDED AND/OR DISCOVERED BY: 1) Martina Matari within a Zabbix bug report. 2) Reported by the vendor. ORIGINAL ADVISORY: Zabbix: http://www.zabbix.com/rn1.8.10rc1.php https://support.zabbix.com/browse/ZBX-4015 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in ZABBIX before 1.8.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the profiler. Zabbix is a CS network distributed network monitoring system. The gname variable is not properly filtered when creating users and host groups. The following URL can cause persistent XSS attacks: URL: hostgroups.php usergrps.php Affected Parameters: gname Method: POST Injection: \"</options><script>alert( 'XSS')</script> Persists in: http://test/zabbix/hostgroups.php http://test/zabbix/users.php http://test/zabbix/hosts.php?form=update. ZABBIX is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, or control how the site is rendered to the user. Other attacks are also possible. ZABBIX 1.8.5 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Zabbix Two Script Insertion Vulnerabilities SECUNIA ADVISORY ID: SA47216 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47216/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47216 RELEASE DATE: 2011-12-16 DISCUSS ADVISORY: http://secunia.com/advisories/47216/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47216/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47216 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Zabbix, which can be exploited by malicious users to conduct script insertion attacks. Successful exploitation of this vulnerability requires access rights to modify "host group" names. 2) Certain unspecified input to the profiler is not properly sanitised before being used. The vulnerabilities are reported in version 1.8.5. SOLUTION: Fixed in version 1.8.10rc. PROVIDED AND/OR DISCOVERED BY: 1) Martina Matari within a Zabbix bug report. 2) Reported by the vendor. ORIGINAL ADVISORY: Zabbix: http://www.zabbix.com/rn1.8.10rc1.php https://support.zabbix.com/browse/ZBX-4015 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in the Steema TeeChart ActiveX control, as used in Schneider Electric Vijeo Historian 4.30 and earlier, CitectHistorian 4.30 and earlier, and CitectSCADAReports 4.10 and earlier, allows remote attackers to cause a denial of service via unspecified vectors. TeeChart Pro ActiveX is a full-featured graphical charting tool for business, science, engineering and statistics. TeeChart ActiveX control is prone to a remote denial-of-service vulnerability because of a buffer-overflow error. Attackers can exploit this issue to crash an application using the vulnerable control, which causes a denial-of-service condition. Due to the nature of this issue, arbitrary code-execution may be possible; however this has not been confirmed. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Schneider Electric Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47046 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47046/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47046 RELEASE DATE: 2011-11-29 DISCUSS ADVISORY: http://secunia.com/advisories/47046/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47046/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47046 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in multiple Schneider Electric products, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose potentially sensitive information, and compromise a user's system. No further information is currently available. Successful exploitation of this vulnerability may allow execution of arbitrary code. 2) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 3) Certain unspecified input passed to the web portal is not properly verified before being used to read files and can be exploited to disclose arbitrary files via directory traversal attacks. The vulnerabilities are reported in the following products: * Vijeo Historian version 4.30 and prior. * CitectHistorian version 4.30 and prior. * CitectSCADA Reports version 4.10 and prior. SOLUTION: Apply patches (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: The vendor credits Kuang-Chun Hung, Security Research and Service Institute Information and Communication Security Technology Center (ICST) via ICS-CERT. ORIGINAL ADVISORY: Schneider Electric: http://www.citect.com/index.php?option=com_content&view=article&id=1656&Itemid=1695 ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-11-307-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in Schneider Electric Vijeo Historian 4.30 and earlier, CitectHistorian 4.30 and earlier, and CitectSCADAReports 4.10 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vijeo Historian, CitectHistorian, and CitectSCADA Reports are prone to a cross-site-scripting vulnerability because they fail to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. The following applications are vulnerable: Vijeo Historian V4.30 and earlier CitectHistorian V4.30 and earlier CitectSCADA Reports V4.10 and earlier. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Schneider Electric Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47046 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47046/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47046 RELEASE DATE: 2011-11-29 DISCUSS ADVISORY: http://secunia.com/advisories/47046/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47046/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47046 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in multiple Schneider Electric products, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose potentially sensitive information, and compromise a user's system. 1) Two errors in the TeeChart ActiveX control can be exploited to cause buffer overflows. No further information is currently available. Successful exploitation of this vulnerability may allow execution of arbitrary code. 2) Certain unspecified input is not properly sanitised before being returned to the user. 3) Certain unspecified input passed to the web portal is not properly verified before being used to read files and can be exploited to disclose arbitrary files via directory traversal attacks. * CitectHistorian version 4.30 and prior. * CitectSCADA Reports version 4.10 and prior. SOLUTION: Apply patches (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: The vendor credits Kuang-Chun Hung, Security Research and Service Institute Information and Communication Security Technology Center (ICST) via ICS-CERT. ORIGINAL ADVISORY: Schneider Electric: http://www.citect.com/index.php?option=com_content&view=article&id=1656&Itemid=1695 ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-11-307-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in the Steema TeeChart ActiveX control, as used in Schneider Electric Vijeo Historian 4.30 and earlier, CitectHistorian 4.30 and earlier, and CitectSCADAReports 4.10 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service via unspecified vectors. TeeChart Pro ActiveX is a full-featured graphical charting tool for business, science, engineering and statistics. TeeChart ActiveX control is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code within the context of the application using the vulnerable control. Failed exploit attempts will result in a denial-of-service condition. If the attack fails, it may lead to denial of service. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Schneider Electric Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47046 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47046/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47046 RELEASE DATE: 2011-11-29 DISCUSS ADVISORY: http://secunia.com/advisories/47046/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47046/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47046 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in multiple Schneider Electric products, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose potentially sensitive information, and compromise a user's system. 1) Two errors in the TeeChart ActiveX control can be exploited to cause buffer overflows. No further information is currently available. Successful exploitation of this vulnerability may allow execution of arbitrary code. 2) Certain unspecified input is not properly sanitised before being returned to the user. 3) Certain unspecified input passed to the web portal is not properly verified before being used to read files and can be exploited to disclose arbitrary files via directory traversal attacks. The vulnerabilities are reported in the following products: * Vijeo Historian version 4.30 and prior. * CitectHistorian version 4.30 and prior. * CitectSCADA Reports version 4.10 and prior. SOLUTION: Apply patches (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: The vendor credits Kuang-Chun Hung, Security Research and Service Institute Information and Communication Security Technology Center (ICST) via ICS-CERT. ORIGINAL ADVISORY: Schneider Electric: http://www.citect.com/index.php?option=com_content&view=article&id=1656&Itemid=1695 ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-11-307-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in Schneider Electric Vijeo Historian 4.30 and earlier, CitectHistorian 4.30 and earlier, and CitectSCADAReports 4.10 and earlier allows remote attackers to read arbitrary files via unspecified vectors. Vijeo Historian, CitectHistorian, and CitectSCADA Reports are prone to a directory-traversal vulnerability because they fail to sufficiently sanitize user-supplied input. Exploiting this issue will allow an attacker to view arbitrary files within the context of the webserver. Information harvested may aid in launching further attacks. The following applications are vulnerable: Vijeo Historian V4.30 and earlier CitectHistorian V4.30 and earlier CitectSCADA Reports V4.10 and earlier. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Schneider Electric Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47046 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47046/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47046 RELEASE DATE: 2011-11-29 DISCUSS ADVISORY: http://secunia.com/advisories/47046/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47046/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47046 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in multiple Schneider Electric products, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose potentially sensitive information, and compromise a user's system. 1) Two errors in the TeeChart ActiveX control can be exploited to cause buffer overflows. No further information is currently available. Successful exploitation of this vulnerability may allow execution of arbitrary code. 2) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. * CitectHistorian version 4.30 and prior. * CitectSCADA Reports version 4.10 and prior. SOLUTION: Apply patches (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: The vendor credits Kuang-Chun Hung, Security Research and Service Institute Information and Communication Security Technology Center (ICST) via ICS-CERT. ORIGINAL ADVISORY: Schneider Electric: http://www.citect.com/index.php?option=com_content&view=article&id=1656&Itemid=1695 ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-11-307-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Linksys WAG54GS Wireless Router is a wireless router device. A cross-site request forgery vulnerability exists in the Linksys WAG54GS Wireless Router. Because the program fails to properly validate user-submitted requests, an attacker can build a malicious URI, trick the user into parsing, and run privileged commands on the device, such as changing the configuration, performing a denial of service attack, or injecting arbitrary script code. Other attacks are also possible. Linksys WAG54GS running firmware 1.01.03 is vulnerable

Multiple buffer overflows in the (1) GUIControls, (2) BatchObjSrv, and (3) BatchSecCtrl ActiveX controls in Invensys Wonderware InBatch 9.0 and 9.0 SP1, and InBatch 8.1 SP1, 9.0 SP2, and 9.5 Server and Runtime Clients, allow remote attackers to execute arbitrary code via a long string in a property value, a different issue than CVE-2011-3141. Invensys Wonderware InBatch Server and runtime client (1) GUIControls , (2) BatchObjSrv ,and (3) BatchSecCtrl ActiveX The control contains a buffer overflow vulnerability. This vulnerability CVE-2011-3141 Is a different vulnerability.A third party may execute arbitrary code through an excessively long string of property values. Multiple stack-based buffer overflow vulnerabilities exist in Invensys Wonderware inBatch. An attacker could exploit this vulnerability to execute arbitrary code in the context of an application that uses ActiveX controls (usually Internet Explorer), which could result in a denial of service. Failed exploit attempts will result in a denial-of-service condition. Failure to do so may result in a denial of service