Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2016-9333 — Moxa Softcms: The SoftCMS Application does not properly sanitize input that may allow a remote attacker
An issue was discovered in Moxa SoftCMS versions prior to Version 1.6. The SoftCMS Application does not properly sanitize input that may allow a remote attacker access to SoftCMS with administrator's privilege through specially crafted input (SQL INJECTION). CVSSv3.1 9.8 (CRITICAL)
CVE-2016-8567 — Siemens Sicam_pas\/pqs: A factory account with hard-coded passwords is present in the SICAM PAS installations.
An issue was discovered in Siemens SICAM PAS before 8.00. A factory account with hard-coded passwords is present in the SICAM PAS installations. Attackers might gain privileged access to the database over Port 2638/TCP. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-8379 — Moxa Iologik_e1200_series_firmware: An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik
An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik E1211, firmware Version V2.3 and prior, ioLogik E1212, firmware Version V2.4 and prior, ioLogik E1213, firmware Version V2.5 and prior, ioLogik E1214, firmware Version V2.4 and prior, ioLogik E1240, firmware Version V2.3 and prior, ioLogik E1241, firmware Version V2.4 and prior, ioLogik E1242, firmware Version V2.4 and prior, ioLogik E1260, firmware Version V2.4 and prior, ioLogik E1262, f CVSSv3.1 8.1 (HIGH)
CVE-2016-8378 — Lynxspring Jenesys_bas_bridge: An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older.
An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older. The application's database lacks sufficient safeguards for protecting credentials. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-8377 — Fatek Plc_winproladder_firmware: A stack-based buffer overflow vulnerability exists when the software application connects to a malicious
An issue was discovered in Fatek Automation PLC WinProladder Version 3.11 Build 14701. A stack-based buffer overflow vulnerability exists when the software application connects to a malicious server, resulting in a stack buffer overflow. This causes an exploitable Structured Exception Handler (SEH) overwrite condition that may allow remote code execution. CVSSv3.1 8.0 (HIGH)
CVE-2016-8372 — Moxa Iologik_e1200_series_firmware: An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik
An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik E1211, firmware Version V2.3 and prior, ioLogik E1212, firmware Version V2.4 and prior, ioLogik E1213, firmware Version V2.5 and prior, ioLogik E1214, firmware Version V2.4 and prior, ioLogik E1240, firmware Version V2.3 and prior, ioLogik E1241, firmware Version V2.4 and prior, ioLogik E1242, firmware Version V2.4 and prior, ioLogik E1260, firmware Version V2.4 and prior, ioLogik E1262, f CVSSv3.1 8.1 (HIGH)
CVE-2016-8369 — Lynxspring Jenesys_bas_bridge: The application does not sufficiently verify if a request was intentionally provided by the
An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older. The application does not sufficiently verify if a request was intentionally provided by the user who submitted the request (CROSS-SITE REQUEST FORGERY). CVSSv3.1 8.8 (HIGH)
CVE-2016-8368 — Mitsubishielectric Qj71e71-100_firmware: The affected Ethernet interface module is connected to a MELSEC-Q PLC, which may allow
An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions. The affected Ethernet interface module is connected to a MELSEC-Q PLC, which may allow a remote attacker to connect to the PLC via Port 5002/TCP and cause a denial of service, requiring the PLC to be reset to resume operation. This is caused by an Unrestricted Externally Accessible Lock. CVSSv3.1 8.6 (HIGH)
CVE-2016-8364 — Ibhsoftec S7-softplc: Object memory can read a network packet that is larger than the space that
An issue was discovered in IBHsoftec S7-SoftPLC prior to 4.12b. Object memory can read a network packet that is larger than the space that is available, a Heap-based Buffer Overflow. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-8363 — Moxa Oncellg3470a-lte_firmware: An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series
An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-RTG Series, AWK-3131-M12-RCC Series, AWK-5232-M12-RCC Series, TAP-6226 Series, AWK-3121/4121 Series, AWK-3131/4131 Series, and AWK-5222/6222 Series. User is able to execute arbitrary OS commands on the server. CVSSv3.1 10.0 (CRITICAL)
CVE-2016-8361 — Lynxspring Jenesys_bas_bridge: The application uses a hard-coded username with no password allowing an attacker into the
An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older. The application uses a hard-coded username with no password allowing an attacker into the system without authentication. CVSSv3.1 8.6 (HIGH)
CVE-2016-8360 — Moxa Softcms: A specially crafted URL request sent to the SoftCMS ASP Webserver can cause a
An issue was discovered in Moxa SoftCMS versions prior to Version 1.6. A specially crafted URL request sent to the SoftCMS ASP Webserver can cause a double free condition on the server allowing an attacker to modify memory locations and possibly cause a denial of service or the execution of arbitrary code. CVSSv3.1 8.1 (HIGH)
CVE-2016-8356 — Kabona_ab Webdatorcentral: The web server URL inputs are not sanitized correctly, which may allow cross-site scripting
An issue was discovered in Kabona AB WebDatorCentral (WDC) application prior to Version 3.4.0. The web server URL inputs are not sanitized correctly, which may allow cross-site scripting vulnerabilities. CVSSv3.1 8.2 (HIGH)
CVE-2016-8352 — Schneider-electric Connexium_firmware: A stack-based buffer overflow can be triggered during the SNMP login authentication process that
An issue was discovered in Schneider Electric ConneXium firewalls TCSEFEC23F3F20 all versions, TCSEFEC23F3F21 all versions, TCSEFEC23FCF20 all versions, TCSEFEC23FCF21 all versions, and TCSEFEC2CF3F20 all versions. A stack-based buffer overflow can be triggered during the SNMP login authentication process that may allow an attacker to remotely execute code. CVSSv3.1 10.0 (CRITICAL)
CVE-2016-8348 — Emerson Liebert_sitescan_web: An XML External Entity (XXE) issue was discovered in Emerson Liebert SiteScan Web Version
An XML External Entity (XXE) issue was discovered in Emerson Liebert SiteScan Web Version 6.5, and prior. An attacker may enter malicious input to Liebert SiteScan through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-8347 — Kabona_ab Webdatorcentral: WDC does not limit authentication attempts that may allow a brute force attack method.
An issue was discovered in Kabona AB WebDatorCentral (WDC) application prior to Version 3.4.0. WDC does not limit authentication attempts that may allow a brute force attack method. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-8341 — Ecava Integraxor: The Ecava IntegraXor web server has parameters that are vulnerable to SQL injection.
An issue was discovered in Ecava IntegraXor Version 5.0.413.0. The Ecava IntegraXor web server has parameters that are vulnerable to SQL injection. If the queries are not sanitized, the host's database could be subject to read, write, and delete commands. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-5818 — Schneider-electric Powerlogic_pm8ecc_firmware: Undocumented hard-coded credentials allow access to the device.
An issue was discovered in Schneider Electric PowerLogic PM8ECC device 2.651 and older. Undocumented hard-coded credentials allow access to the device. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-5815 — Schneider-electric Ion5000: An unauthorized user can access the device management portal and make configuration changes.
An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. No authentication is configured by default. An unauthorized user can access the device management portal and make configuration changes. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-5809 — Schneider-electric Ion5000: There is no CSRF Token generated to authenticate the user during a session.
An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. There is no CSRF Token generated to authenticate the user during a session. Successful exploitation of this vulnerability can allow unauthorized configuration changes to be made and saved. CVSSv3.1 8.8 (HIGH)
CVE-2016-5803 — Ca_technologies Unified_infrastructure_management: An issue was discovered in CA Unified Infrastructure Management Version 8.47 and earlier.
An issue was discovered in CA Unified Infrastructure Management Version 8.47 and earlier. The Unified Infrastructure Management software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. CVSSv3.1 8.6 (HIGH)
CVE-2016-5796 — Fatek Automation_fv_designer: Sending additional valid packets could allow the attacker to cause a crash or to
An issue was discovered in Fatek Automation PM Designer V3 Version 2.1.2.2, and Automation FV Designer Version 1.2.8.0. Sending additional valid packets could allow the attacker to cause a crash or to execute arbitrary code, because of Improper Restriction of Operations within the Bounds of a Memory Buffer. CVSSv3.1 8.8 (HIGH)
CVE-2016-5782 — Locusenergy Lgate_firmware: An issue was discovered in Locus Energy LGate prior to 1.05H, LGate 50, LGate
An issue was discovered in Locus Energy LGate prior to 1.05H, LGate 50, LGate 100, LGate 101, LGate 120, and LGate 320. Locus Energy meters use a PHP script to manage the energy meter parameters for voltage monitoring and network configuration. The PHP code does not properly validate information that is sent in the POST request. CVSSv3.1 8.6 (HIGH)
CVE-2016-8859 — Etalabs Musl: Multiple integer overflows in the TRE library and musl libc allow attackers to cause
Multiple integer overflows in the TRE library and musl libc allow attackers to cause memory corruption via a large number of (1) states or (2) tags, which triggers an out-of-bounds write. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-7565 — Exponentcms Exponent_cms: install/index.php in Exponent CMS 2.3.9 allows remote attackers to execute arbitrary commands via shell
install/index.php in Exponent CMS 2.3.9 allows remote attackers to execute arbitrary commands via shell metacharacters in the sc array parameter. CVSSv3.1 9.8 (CRITICAL)