Read Time:8 Second
FEDORA-2024-da86a4f061
Packages in this update:
mingw-python-urllib3-1.26.19-1.fc40
Update description:
Update to 1.26.19, fixes CVE-2024-0444.
Daily Archives: June 21, 2024
mingw-python-urllib3-1.26.19-1.fc39
Read Time:8 Second
FEDORA-2024-73f181db2a
Packages in this update:
mingw-python-urllib3-1.26.19-1.fc39
Update description:
Update to 1.26.19, fixes CVE-2024-0444.
Microsoft leak of PlayReady developer / Warbird libs
Read Time:22 Second
Posted by Security Explorations on Jun 21
Hello All,
On Jun 11, 2024 Microsoft engineer posted on a public forum
information about a crash experienced with Apple TV service on a
Surface Pro 9 device [1].
The post had an attachment – a 771MB file (4GB unpacked), which leaked
internal code (260+ files [2]) pertaining to Microsoft PlayReady such
as the following:
– Warbird configuration for building PlayReady library
– Warbird library implementing code obfuscation functionality
– static…
ZDI-24-862: (Pwn2Own) Phoenix Contact CHARX SEC-3100 MQTT Protocol JSON Parsing Buffer Overflow Remote Code Execution Vulnerability
Read Time:14 Second
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Phoenix Contact CHARX SEC-3100 devices. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.0. The following CVEs are assigned: CVE-2024-26001.
ZDI-24-863: (Pwn2Own) Phoenix Contact CHARX SEC-3100 plctool Improper Privilege Management Local Privilege Escalation Vulnerability
Read Time:18 Second
This vulnerability allows local attackers to escalate privileges on affected installations of Phoenix Contact CHARX SEC-3100 devices. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-26002.
ZDI-24-864: (Pwn2Own) Phoenix Contact CHARX SEC-3100 OCPP Protocol UpdateFirmware Command Injection Remote Code Execution Vulnerability
Read Time:14 Second
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Phoenix Contact CHARX SEC-3100 devices. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-25998.
ZDI-24-865: Phoenix Contact CHARX SEC-3100 charx_pack_logs Improper Input Validation Local Privilege Escalation Vulnerability
Read Time:18 Second
This vulnerability allows local attackers to escalate privileges on affected installations of Phoenix Contact CHARX SEC-3100 charging controllers. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-25999.
ZDI-24-866: (Pwn2Own) Phoenix Contact CHARX SEC-3100 CANopenDevice Null Pointer Dereference Denial-of-Service Vulnerability
Read Time:15 Second
This vulnerability allows network-adjacent attackers to create a denial-of-service condition on affected installations of Phoenix Contact CHARX SEC-3100 devices. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.5. The following CVEs are assigned: CVE-2024-26004.
ZDI-24-867: (Pwn2Own) Phoenix Contact CHARX SEC-3100 CharxUpdateAgent Unrestricted File Upload Remote Code Execution Vulnerability
Read Time:14 Second
This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of Phoenix Contact CHARX SEC-3100 devices. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.3. The following CVEs are assigned: CVE-2024-25994.
ZDI-24-868: (Pwn2Own) Silicon Labs Gecko OS Debug Interface Stack-based Buffer Overflow Remote Code Execution Vulnerability
Read Time:13 Second
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Silicon Labs Gecko OS. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-23938.