Barco wePresent WiPG-1600W versions 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19 have firmware that does not perform verification of digitally signed firmware updates and is susceptible to processing and installing modified/malicious images.
Barco wePresent WiPG-1600W versions 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19 have a hardcoded root password hash included in the firmware image.
Barco wePresent WiPG-1600W version 2.5.1.8 has an SSH daemon included in the firmware image. By default, the SSH daemon is disabled and does not start at system boot. The system initialization scripts read a device configuration file variable to see if the SSH daemon should be started. The web interface does not provide a visible capability to alter this configuration file variable. However, a malicious actor can include this variable in a POST such that the SSH daemon will be started when the device boots.
The Barco wePresent WiPG-1600W version 2.5.1.8 web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a "SEID" token that is appended to the end of URLs in GET requests. Thus the "SEID" would be exposed in web proxy logs and browser history. An attacker that is able to capture the "SEID" and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials.
An attacker armed with hardcoded API credentials from KL-001-2020-004 (CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp for Barco wePresent WiPG-1600W version 2.5.1.8.
Barco wePresent device firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Versions affected include 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19.
Vtiger CRM version 7.0 suffers from a persistent cross-site scripting vulnerability.
This Metasploit module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy request, the second is a directory traversal, and the third is a race condition. In order to achieve full remote code execution on all targets, two information leak vulnerabilities are also abused. This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category.
IBM Tivoli Storage Manager version 5.2.0.1 suffers from a command line administrative interface buffer overflow vulnerability.
Boxoft Convert Master version 1.3.0 SEH local buffer overflow exploit.
Wonder CMS version 3.1.3 suffers from a persistent cross-site scripting vulnerability.
NetSurveillance version 4.02.R11.00000140.10001.131900.00000 allows for an unauthenticated password change when no default security questions are set.
Zortam MP3 Media Studio version 27.60 suffers from a code execution vulnerability.
This Metasploit module exploits a buffer overflow in Free MP3 CD Ripper versions 2.6 and 2.8. By constructing a specially crafted WMA WAV M3U ACC FLAC file and attempting to convert it to an MP3 file in the application, a buffer is overwritten, which allows for running shellcode.
Ubuntu Security Notice 4637-2 - USN-4637-1 fixed vulnerabilities in Firefox. This update provides the corresponding updates for Ubuntu 16.04 LTS. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across origins, bypass security restrictions, conduct phishing attacks, conduct cross-site scripting attacks, bypass Content Security Policy restrictions, conduct DNS rebinding attacks, or execute arbitrary code. Various other issues were also addressed.
Ubuntu Security Notice 4639-1 - It was discovered that there was a bug in the way phpMyAdmin handles the phpMyAdmin Configuration Storage tables. An authenticated attacker could use this vulnerability to cause phpMyAdmin to leak sensitive files. It was discovered that phpMyAdmin incorrectly handled user input. An attacker could possibly use this for an XSS attack. It was discovered that phpMyAdmin mishandled certain input. An attacker could use this vulnerability to execute a cross-site scripting attack via a crafted URL. Various other issues were also addressed.