Updated CVEs from Tenable

Severity Not Scored Description Digital Alert Systems’ DASDEC software prior to version 4.1 contains a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML via the SSH username, username field of the login page, or via the HTTP host header. The injected content is stored in logs and rendered when viewed in the web application. Read more at https://www.tenable.com/cve/CVE-2019-18265

Severity Not Scored Description perfSONAR v4.x Read more at https://www.tenable.com/cve/CVE-2022-41413

High Severity Description LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.tlength. Read more at https://www.tenable.com/cve/CVE-2020-15503

Severity Not Scored Description The web server of Hirschmann BAT-C2 before 09.13.01.00R04 allows authenticated command injection. This allows an authenticated attacker to pass commands to the shell of the system because the dir parameter of the FsCreateDir Ajax function is not sufficiently sanitized. The vendor’s ID is BSECV-2022-21. Read more at https://www.tenable.com/cve/CVE-2022-40282

High Severity Description Microsoft Exchange Server Elevation of Privilege Vulnerability. Read more at https://www.tenable.com/cve/CVE-2022-41040

High Severity Description Microsoft Exchange Server Remote Code Execution Vulnerability. Read more at https://www.tenable.com/cve/CVE-2022-41082

Severity Not Scored Description An issue in the graphData.cgi component of perfSONAR v4.4.5 and prior allows attackers to access sensitive data and execute Server-Side Request Forgery (SSRF) attacks. Read more at https://www.tenable.com/cve/CVE-2022-41412

Critical Severity Description AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. Code is executed under the program runtime privileges, which could lead to the compromise of the machine. Read more at https://www.tenable.com/cve/CVE-2019-6543

Medium Severity Description IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9,0 could allow a remote attacker to traverse directories on the file system. An attacker could send a specially-crafted URL request to view arbitrary files on the system but not content. IBM X-Force ID: 163226. Read more at https://www.tenable.com/cve/CVE-2019-4442

Critical Severity Description Moxa IKS and EDS fails to properly check array bounds which may allow an attacker to read device memory on arbitrary addresses, and may allow an attacker to retrieve sensitive data or cause device reboot. Read more at https://www.tenable.com/cve/CVE-2019-6522

Medium Severity Description In Philips Tasy EMR, Tasy EMR Versions 3.02.1744 and prior, the software incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Read more at https://www.tenable.com/cve/CVE-2019-6562

Medium Severity Description Moxa IKS and EDS fails to properly validate user input, giving unauthenticated and authenticated attackers the ability to perform XSS attacks, which may be used to send a malicious script. Read more at https://www.tenable.com/cve/CVE-2019-6565

High Severity Description Cross-site request forgery has been identified in Moxa IKS and EDS, which may allow for the execution of unauthorized actions on the device. Read more at https://www.tenable.com/cve/CVE-2019-6561

Medium Severity Description Moxa IKS and EDS allow remote authenticated users to cause a denial of service via a specially crafted packet, which may cause the switch to crash. Read more at https://www.tenable.com/cve/CVE-2019-6559

Critical Severity Description GE Communicator, all versions prior to 4.0.517, contains two backdoor accounts with hardcoded credentials, which may allow control over the database. This service is inaccessible to attackers if Windows default firewall settings are used by the end user. Read more at https://www.tenable.com/cve/CVE-2019-6548

High Severity Description Cscape, 9.80 SP4 and prior. An improper input validation vulnerability may be exploited by processing specially crafted POC files. This may allow an attacker to read confidential information and remotely execute arbitrary code. Read more at https://www.tenable.com/cve/CVE-2019-6555

Critical Severity Description Several buffer overflow vulnerabilities have been identified in Moxa IKS and EDS, which may allow remote code execution. Read more at https://www.tenable.com/cve/CVE-2019-6557

Medium Severity Description Delta Industrial Automation CNCSoft, CNCSoft ScreenEditor Version 1.00.84 and prior. An out-of-bounds read vulnerability may cause the software to crash due to lacking user input validation for processing project files. Read more at https://www.tenable.com/cve/CVE-2019-6547

High Severity Description GE Communicator, all versions prior to 4.0.517, allows an attacker to place malicious files within the working directory of the program, which may allow an attacker to manipulate widgets and UI elements. Read more at https://www.tenable.com/cve/CVE-2019-6546

Medium Severity Description A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions before 4.8. Read more at https://www.tenable.com/cve/CVE-2019-3901

Medium Severity Description In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the “delete_compute_resource” permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable. Read more at https://www.tenable.com/cve/CVE-2019-3893

Medium Severity Description A flaw was found in the /oauth/token/request custom endpoint of the OpenShift OAuth server allowing for XSS generation of CLI tokens due to missing X-Frame-Options and CSRF protections. If not otherwise prevented, a separate XSS vulnerability via JavaScript could further allow for the extraction of these tokens. Read more at https://www.tenable.com/cve/CVE-2019-3876

Critical Severity Description Structured reply is a feature of the newstyle NBD protocol allowing the server to send a reply in chunks. A bounds check which was supposed to test for chunk offsets smaller than the beginning of the request did not work because of signed/unsigned confusion. If one of these chunks contains a negative offset then data under control of the server is written to memory before the read buffer supplied by the client. If the read buffer is located on the stack then this allows the stack return address from nbd_pread() to be trivially modified, allowing arbitrary code execution under the control of the server. If the buffer is located on the heap then other memory objects before the buffer can be overwritten, which again would usually lead to arbitrary code execution. Read more at https://www.tenable.com/cve/CVE-2019-14842

Critical Severity Description Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1. Read more at https://www.tenable.com/cve/CVE-2019-7304

High Severity Description An Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability exists in Modicon Quantum 140 NOE771x1 version 6.9 and earlier, which could cause denial of service when the module receives an IP fragmented packet with a length greater than 65535 bytes. The module then requires a power cycle to recover. Read more at https://www.tenable.com/cve/CVE-2019-6811

Medium Severity Description A Cross-Site Scripting (XSS) CWE-79 vulnerability exists in U.motion Server (MEG6501-0001 – U.motion KNX server, MEG6501-0002 – U.motion KNX Server Plus, MEG6260-0410 – U.motion KNX Server Plus, Touch 10, MEG6260-0415 – U.motion KNX Server Plus, Touch 15), which could allow an attacker to inject client-side script when a user visits a web page. Read more at https://www.tenable.com/cve/CVE-2019-6835

Critical Severity Description A Server-Side Request Forgery (SSRF): CWE-918 vulnerability exists in U.motion Server (MEG6501-0001 – U.motion KNX server, MEG6501-0002 – U.motion KNX Server Plus, MEG6260-0410 – U.motion KNX Server Plus, Touch 10, MEG6260-0415 – U.motion KNX Server Plus, Touch 15), which could cause server configuration data to be exposed when an attacker modifies a URL. Read more at https://www.tenable.com/cve/CVE-2019-6837

Critical Severity Description A Format String: CWE-134 vulnerability exists in U.motion Server (MEG6501-0001 – U.motion KNX server, MEG6501-0002 – U.motion KNX Server Plus, MEG6260-0410 – U.motion KNX Server Plus, Touch 10, MEG6260-0415 – U.motion KNX Server Plus, Touch 15), which could allow an attacker to send a crafted message to the target server, thereby causing arbitrary commands to be executed. Read more at https://www.tenable.com/cve/CVE-2019-6840

Critical Severity Description A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Video Recording Manager (VRM), Video Streaming Gateway (VSG), Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The vulnerability potentially allows the unauthorized execution of code in the system via the network interface. Read more at https://www.tenable.com/cve/CVE-2019-6957

High Severity Description In the ABB IDAL FTP server, an authenticated attacker can traverse to arbitrary directories on the hard disk with “CWD ../” and then use the FTP server functionality to download and upload files. An unauthenticated attacker can take advantage of the hardcoded or default credential pair exor/exor to become an authenticated attacker. Read more at https://www.tenable.com/cve/CVE-2019-7227