» 2022 » 9월

CVE-2022-40912

Posted on 2022년 9월 28일2022년 9월 29일 by admin

CVE-2022-40912

ETAP Lighting International NV ETAP Safety Manager 1.0.0.32 is vulnerable to Cross Site Scripting (XSS). Input passed to the GET parameter ‘action’ is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user’s browser session in context of an affected site.

Source: CVE-2022-40912

CVE-2022-40082

Posted on 2022년 9월 28일2022년 9월 29일 by admin

CVE-2022-40082

Hertz v0.3.0 ws discovered to contain a path traversal vulnerability via the normalizePath function.

Source: CVE-2022-40082

CVE-2022-28813

Posted on 2022년 9월 28일2022년 9월 29일 by admin

CVE-2022-28813

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of an SQL-injection to gain access to a volatile temporary database with the current states of the device.

Source: CVE-2022-28813

CVE-2022-28814

Posted on 2022년 9월 28일2022년 9월 29일 by admin

CVE-2022-28814

Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 was discovered to be vulnerable to a relative path traversal vulnerability which enables remote attackers to read arbitrary files and gain full control of the device.

Source: CVE-2022-28814

CVE-2022-28811

Posted on 2022년 9월 28일2022년 9월 29일 by admin

CVE-2022-28811

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could utilize an improper input validation on an API-submitted parameter to execute arbitrary OS commands.

Source: CVE-2022-28811

CVE-2022-22525

Posted on 2022년 9월 28일2022년 9월 29일 by admin

CVE-2022-22525

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an remote attacker with admin rights could execute arbitrary commands due to missing input sanitization in the backup restore function

Source: CVE-2022-22525

CVE-2022-28815

Posted on 2022년 9월 28일2022년 9월 29일 by admin

CVE-2022-28815

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy server was discovered to contain a SQL injection vulnerability allowing an attacker to query other tables of the Sentilo service.

Source: CVE-2022-28815

CVE-2022-22524

Posted on 2022년 9월 28일2022년 9월 29일 by admin

CVE-2022-22524

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an unauthenticated remote attacker could utilize a SQL-Injection vulnerability to gain full database access, modify users and stop services .

Source: CVE-2022-22524

CVE-2022-28816

Posted on 2022년 9월 28일2022년 9월 29일 by admin

CVE-2022-28816

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service.

Source: CVE-2022-28816

CVE-2022-39261

Posted on 2022년 9월 28일2022년 9월 29일 by admin

CVE-2022-39261

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates’ directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

Source: CVE-2022-39261