Full Disclosure

Syndicate content
A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
Updated: 5 hours 30 min ago

Microsoft Warbird and PMP security research - technical doc

3 December, 2024 - 04:10

Posted by Security Explorations on Dec 03

Hello All,

We have released a technical document pertaining to our Warbird / PMP security
research. It is available for download from this location:

https://security-explorations.com/materials/wbpmp_doc.md.txt

The document provides a more in-depth technical explanation, illustration and
verification of discovered attacks affecting PlayReady on Windows 10 / 11 x64
and pertaining to the following in particular:
- Warbird deficiencies
- content...

Access Control in Paxton Net2 software

2 December, 2024 - 23:37

Posted by Jeroen Hermans via Fulldisclosure on Dec 02

CloudAware Security Advisory

[CVE pending]: Potential PII leak and incorrect access control in Paxton
Net2 software

========================================================================
Summary
========================================================================
Insecure backend database in the Paxton Net2 software. Possible leaking
of PII incorrect access control.
No physical access to computer running Paxton Net2 is required....

SEC Consult SA-20241127-0 :: Stored Cross-Site Scripting in Omada Identity (CVE-2024-52951)

27 November, 2024 - 13:58

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Nov 27

SEC Consult Vulnerability Lab Security Advisory < 20241127-0 >
=======================================================================
title: Stored Cross-Site Scripting
product: Omada Identity
vulnerable version: <v15U1, <v14.14 hotfix #309
fixed version: v15U1, v14.14 hotfix #309
CVE number: CVE-2024-52951
impact: Medium
homepage:...

SEC Consult SA-20241125-0 :: Unlocked JTAG interface and buffer overflow in Siemens SM-2558 Protocol Element, Siemens CP-2016 & CP-2019

27 November, 2024 - 13:58

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Nov 27

SEC Consult Vulnerability Lab Security Advisory < 20241125-0 >
=======================================================================
title: Unlocked JTAG interface and buffer overflow
product: Siemens SM-2558 Protocol Element (extension module for
Siemens SICAM AK3/TM/BC),
Siemens CP-2016 & CP-2019
vulnerable version: JTAG: Unknown HW revision, Zynq Firmware...

Re: Local Privilege Escalations in needrestart

27 November, 2024 - 13:57

Posted by Mark Esler on Nov 27

The security fix for CVE-2024-48991, 6ce6136 (“core: prevent race
condition on /proc/$PID/exec evaluation”) [0], introduced a regression
which was subsequently fixed 42af5d3 ("core: fix regression of false
positives for processes running in chroot or mountns (#317)") [1].

Many thanks to Ivan Kurnosov and Salvatore Bonaccorso for their review.

[0] https://github.com/liske/needrestart/commit/6ce6136cccc307c6b8a0f8cae12f9a22ac2aad59...

APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1

21 November, 2024 - 14:31

Posted by Apple Product Security via Fulldisclosure on Nov 21

APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1

macOS Sequoia 15.1.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121753.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

JavaScriptCore
Available for: macOS Sequoia
Impact: Processing maliciously crafted web content may lead to arbitrary...

Local Privilege Escalations in needrestart

21 November, 2024 - 14:31

Posted by Qualys Security Advisory via Fulldisclosure on Nov 21

Qualys Security Advisory

LPEs in needrestart (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992,
CVE-2024-10224, and CVE-2024-11003)

========================================================================
Contents
========================================================================

Summary
Background
CVE-2024-48990 (and CVE-2024-48992)
CVE-2024-48991
CVE-2024-10224 (and CVE-2024-11003)
Mitigation
Acknowledgments
Timeline

I got bugs...

APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2

21 November, 2024 - 14:31

Posted by Apple Product Security via Fulldisclosure on Nov 21

APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2

iOS 17.7.2 and iPadOS 17.7.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121754.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

JavaScriptCore
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
2nd generation...

APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1

21 November, 2024 - 14:31

Posted by Apple Product Security via Fulldisclosure on Nov 21

APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1

iOS 18.1.1 and iPadOS 18.1.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121752.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

JavaScriptCore
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation...

APPLE-SA-11-19-2024-2 visionOS 2.1.1

21 November, 2024 - 14:31

Posted by Apple Product Security via Fulldisclosure on Nov 21

APPLE-SA-11-19-2024-2 visionOS 2.1.1

visionOS 2.1.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121755.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

JavaScriptCore
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may lead to arbitrary
code...

APPLE-SA-11-19-2024-1 Safari 18.1.1

21 November, 2024 - 14:31

Posted by Apple Product Security via Fulldisclosure on Nov 21

APPLE-SA-11-19-2024-1 Safari 18.1.1

Safari 18.1.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121756.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

JavaScriptCore
Available for: macOS Ventura and macOS Sonoma
Impact: Processing maliciously crafted web content may lead to...

Reflected XSS - fronsetiav1.1

21 November, 2024 - 14:31

Posted by Andrey Stoykov on Nov 21

# Exploit Title: Reflected XSS - fronsetiav1.1
# Date: 11/2024
# Exploit Author: Andrey Stoykov
# Version: 1.1
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-14-reflected.html

Reflected XSS #1 - "show_operations.jsp"

Steps to Reproduce:

1. Visit main page of the application.
2. In the input field of "WSDL Location" enter the following payload "><img
src=x...

XXE OOB - fronsetiav1.1

21 November, 2024 - 14:31

Posted by Andrey Stoykov on Nov 21

# Exploit Title: XXE OOB - fronsetiav1.1
# Date: 11/2024
# Exploit Author: Andrey Stoykov
# Version: 1.1
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-15-oob-xxe.html

XXE OOB

Description:

- It was found that the application was vulnerable XXE (XML External Entity
Injection)

Steps to Reproduce:

1. Add Python3 server to serve malicious XXE payload
2. Add a file on the file system to be read...

St. Poelten UAS | Path Traversal in Korenix JetPort 5601

21 November, 2024 - 14:30

Posted by Weber Thomas via Fulldisclosure on Nov 21

St. Pölten UAS 20241118-1
-------------------------------------------------------------------------------
title| Path Traversal
product| Korenix JetPort 5601
vulnerable version| 1.2
fixed version| -
CVE number| CVE-2024-11303
impact| High
homepage| https://www.korenix.com/
found| 2024-05-24
by| P. Oberndorfer, B. Tösch, M....

St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro

21 November, 2024 - 14:30

Posted by Weber Thomas via Fulldisclosure on Nov 21

St. Pölten UAS 20241118-0
-------------------------------------------------------------------------------
title| Multiple Stored Cross-Site Scripting
product| SEH utnserver Pro
vulnerable version| 20.1.22
fixed version| 20.1.35
CVE number| CVE-2024-11304
impact| High
homepage| https://www.seh-technology.com/
found| 2024-05-24
by| P....

Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionOS/watchOS)

21 November, 2024 - 14:29

Posted by Nosebeard Labs on Nov 21

Dear colleagues,

Nosebeard Labs is pleased to share its latest advisory, detailing a
bypass of Apple's system wide web content filter. The HTML version of
this advisory is also available at:
https://nosebeard.co/advisories/nbl-001.html

Warmest regards,
Nosebeard Labs

## Summary
Nosebeard Labs Security Advisory NBL-001
Title: Apple web content filter bypass allows unrestricted access to
blocked content...

SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)

12 November, 2024 - 22:43

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Nov 12

SEC Consult Vulnerability Lab Security Advisory < 20241112-0 >
=======================================================================
title: Multiple vulnerabilities
product: Siemens Energy Omnivise T3000
vulnerable version: >=8.2 SP3
fixed version: see solution section
CVE number: CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879
impact: High...

Security issue in the TX Text Control .NET Server for ASP.NET.

12 November, 2024 - 22:43

Posted by Filip Palian on Nov 12

Hej,

Let's keep it short ...

=====

Intro

=====

A "sudo make me a sandwich" security issue has been identified in the TX
Text

Control .NET Server for ASP.NET[1].

According to the vendor[2], "the most powerful, MS Word compatible document

editor that runs in all browsers".

Likely all versions are affected however, it was not confirmed.

=====

Issue

=====

It was possible to change the configured system path for...

SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater

9 November, 2024 - 22:17

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Nov 09

SEC Consult Vulnerability Lab Security Advisory < 20241107-0 >
=======================================================================
title: Multiple Vulnerabilities
product: HASOMED Elefant and Elefant Software Updater
vulnerable version: <24.04.00, Elefant Software Updater <1.4.2.1811
fixed version: 24.04.00, Elefant Software Updater 1.4.2.1811
CVE number: CVE-2024-50588,...

Unsafe eval() in TestRail CLI

6 November, 2024 - 22:17

Posted by Devin Cook on Nov 06

This is not a very exciting vulnerability, but I had already publicly disclosed
it on GitHub at the request of the vendor. Since that report has disappeared,
the link I had provided to MITRE was invalid, so here it is again.

-Devin

---

# Unsafe `eval()` in TestRail CLI FieldsParser

Date Reported: 2024-10-03
CVSSv3.1 Score: 7.3
CVSSv3.1 Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Severity: Medium
Vulnerability Class: Eval Injection

## Summary...