The ArchiveService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier exposes functions lacking proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements. Date published : 2022-03-23 https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3Danswers%2Fanswer_view%2Fa_id%2F1130831...
A deserialization vulnerability exists in how the AosService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk...
Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier components contain .NET remoting endpoints that deserialize untrusted data without sufficiently verifying that the resulting data will be valid. This vulnerability may allow a remote, unauthenticated attacker...
Philips Gemini PET/CT family software stores sensitive information in a removable media device that does not have built-in access control. Date published : 2022-03-23 https://www.cisa.gov/uscert/ics/advisories/icsma-21-084-01 https://www.philips.com/productsecurity
GE UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR. Date published...
GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before...
GE UR IED firmware versions prior to version 8.1x with “Basic” security variant does not allow the disabling of the “Factory Mode,” which is used for servicing the IED by a “Factory” user. Date...
GE UR firmware versions prior to version 8.1x shares MODBUS memory map as part of the communications guide. GE was made aware a “Last-key pressed” MODBUS register can be used to gain unauthorized information....
GE UR firmware versions prior to version 8.1x web server interface is supported on UR over HTTP protocol. It allows sensitive information exposure without authentication. Date published : 2022-03-23 https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02 https://www.gegridsolutions.com/Passport/Login.aspx
GE UR firmware versions prior to version 8.1x web server task does not properly handle receipt of unsupported HTTP verbs, resulting in the web server becoming temporarily unresponsive after receiving a series of unsupported...
GE UR firmware versions prior to version 8.1x supports web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used...
BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> 9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown – back to 9.1.0, including Supported...
OWASP Zed Attack Proxy (ZAP) through w2022-03-21 does not verify the TLS certificate chain of an HTTPS server. Date published : 2022-03-23 https://github.com/zaproxy/zaproxy/releases https://www.openwall.com/lists/oss-security/2022/03/23/1
GNOME OCRFeeder before 0.8.4 allows OS command injection via shell metacharacters in a PDF or image filename. Date published : 2022-03-23 https://gitlab.gnome.org/GNOME/ocrfeeder/-/merge_requests/13