SCHUTZWERK-SA-2023-006: Arbitrary File Read via XML External Entities in Visual Planning

Read Time:20 Second

Posted by Lennert Preuth via Fulldisclosure on Apr 05

Title
=====

SCHUTZWERK-SA-2023-006: Arbitrary File Read via XML External Entities in
Visual Planning

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2023-49234

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-006/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-006.txt

Affected products/vendor
========================

All versions prior to Visual Planning 8…

Read More

SCHUTZWERK-SA-2023-004: Authentication Bypass via Password Reset Functionality in Visual Planning

Read Time:19 Second

Posted by Lennert Preuth via Fulldisclosure on Apr 05

Title
=====

SCHUTZWERK-SA-2023-004: Authentication Bypass via Password Reset
Functionality in Visual Planning

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2023-49232

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-004/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-004.txt

Affected products/vendor
========================

All versions prior to Visual…

Read More

Maybe the Phone System Surveillance Vulnerabilities Will Be Fixed

Read Time:42 Second

It seems that the FCC might be fixing the vulnerabilities in SS7 and the Diameter protocol:

On March 27 the commission asked telecommunications providers to weigh in and detail what they are doing to prevent SS7 and Diameter vulnerabilities from being misused to track consumers’ locations.

The FCC has also asked carriers to detail any exploits of the protocols since 2018. The regulator wants to know the date(s) of the incident(s), what happened, which vulnerabilities were exploited and with which techniques, where the location tracking occurred, and ­ if known ­ the attacker’s identity.

This time frame is significant because in 2018, the Communications Security, Reliability, and Interoperability Council (CSRIC), a federal advisory committee to the FCC, issued several security best practices to prevent network intrusions and unauthorized location tracking.

I have written about this over the past decade.

Read More

A Vulnerability in Broadcom Brocade Fabric OS Could Allow for Arbitrary Code Execution

Read Time:27 Second

A vulnerability has been discovered in Broadcom Brocade Fabric OS that could allow for arbitrary code execution. Broadcom Brocade Fabric OS is the storage area networking firmware for Brocade Communications Systems’ Fibre Channel switch and Fibre Channel directors. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user or obtain root level privileges. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Read More