This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-23920.
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-23921.
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-23968.
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-23969.
This vulnerability allows network-adjacent attackers to compromise transport security on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.5. The following CVEs are assigned: CVE-2024-23970.
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-23971.
What is the Attack?Threat actors are exploiting an authentication bypass vulnerability in ESXi hypervisors, known as CVE-2024-37085, to gain full administrative permissions on domain-joined ESXi hypervisors. This flaw allows threat actors to encrypt critical ESXi servers in ransomware attacks. On Monday, July 29, Microsoft published a threat intelligence blog on observed exploitation of CVE-2024-37085. According to the blog, Akira and Black Basta ransomware deployments were found on the impacted servers. The vulnerability has also been added to CISA’s Known Exploited Catalog (KEV) list on July 31, 2024.What is the recommended Mitigation?Please go through the vendor provided update to address the security vulnerability. Support Content Notification – Support Portal – Broadcom support portalWhat FortiGuard Coverage is available?FortiGuard Labs recommends users to apply the patches released by the vendor immediately to secure their systems.FortiGuard Intrusion Prevention Service (IPS) protection is currently being investigated to defend against exploitation of CVE-2024-37085.The FortiGuard Incident Response team can be engaged to help with any suspected compromise.To learn more about the Akira and BlackBasta Ransomware, read the Outbreak Reports posted by FortiGuard Labs. Black Basta Ransomware | Outbreak Alert | FortiGuard LabsAkira Ransomware | Outbreak Alert | FortiGuard Labs
xrdp-0.10.1-1.fc40
Release notes for xrdp v0.10.1 (2024/07/31)
General announcements
A clipboard bugfix included in this release is sponsored by Krämer Pferdesport GmbH & Co KG. We very much appreciate the sponsorship.
Please consider sponsoring or making a donation to the project if you like xrdp. We accept financial contributions via Open Collective. Direct donations to each developer via GitHub Sponsors are also welcomed.
Security fixes
Unauthenticated RDP security scan finding / partial auth bypass (no CVE). Thanks to @txtdawg for reporting this.
New features
GFX-RFX lossy compression levels are now selectable depending on connection type on the client (#3183, backport of #2973)
Bug fixes
A regression in the code for creating the chansrv FUSE directory has been fixed (#3088, backport of #3082)
Fix a systemd dependency (“network-online.target”) (#3088, backport of #3086)
A problem in session list processing which could result in incorrect display assignments has been fixed (#3088, backport of #3103)
A problem in GFX resizing which could lead to a SEGV in xrdp has been fixed (#3088, backport of #3107)
A problem with the US Dvorak keyboard layout has been resolved (#3088, backport of #3112)
A regression bug when pasting image to LibreOffice has been fixed [Sponsored by Krämer Pferdesport GmbH & Co KG] (#3102 #3120)
Fix a regression when the server tries to negotiate GFX when max_bpp is not high enough (#3118 #3122)
Fix a GFX multi-monitor screen placing issue on minimise/maximize (#3075 #3127)
Fix an issue some files are not included properly in release tarball (#3149 #3150)
Using ‘I’ in the session selection policy now works correctly (#3167 #3171)
A potential name buffer overflow in the redirector has been fixed [no security implications] (#3175)
Screens wider than 4096 pixels should now be supported (#3083)
An unnecessary licensing exchange during connection setup has been removed. This was causing problems for FIPS-compliant clients (#3132 backport of #3143)
Internal changes
FreeBSD CI bumped to 13.3 (#3088, backport of #3104)
Changes for users
None since v0.10.0.
If moving from v0.9.x, read the v0.10.0 release note.
Changes for packagers or developers
None since v0.10.0.
If moving from v0.9.x, read the v0.10.0 release note.
xrdp-0.10.1-1.el9
Release notes for xrdp v0.10.1 (2024/07/31)
General announcements
A clipboard bugfix included in this release is sponsored by Krämer Pferdesport GmbH & Co KG. We very much appreciate the sponsorship.
Please consider sponsoring or making a donation to the project if you like xrdp. We accept financial contributions via Open Collective. Direct donations to each developer via GitHub Sponsors are also welcomed.
Security fixes
Unauthenticated RDP security scan finding / partial auth bypass (no CVE). Thanks to @txtdawg for reporting this.
New features
GFX-RFX lossy compression levels are now selectable depending on connection type on the client (#3183, backport of #2973)
Bug fixes
A regression in the code for creating the chansrv FUSE directory has been fixed (#3088, backport of #3082)
Fix a systemd dependency (“network-online.target”) (#3088, backport of #3086)
A problem in session list processing which could result in incorrect display assignments has been fixed (#3088, backport of #3103)
A problem in GFX resizing which could lead to a SEGV in xrdp has been fixed (#3088, backport of #3107)
A problem with the US Dvorak keyboard layout has been resolved (#3088, backport of #3112)
A regression bug when pasting image to LibreOffice has been fixed [Sponsored by Krämer Pferdesport GmbH & Co KG] (#3102 #3120)
Fix a regression when the server tries to negotiate GFX when max_bpp is not high enough (#3118 #3122)
Fix a GFX multi-monitor screen placing issue on minimise/maximize (#3075 #3127)
Fix an issue some files are not included properly in release tarball (#3149 #3150)
Using ‘I’ in the session selection policy now works correctly (#3167 #3171)
A potential name buffer overflow in the redirector has been fixed [no security implications] (#3175)
Screens wider than 4096 pixels should now be supported (#3083)
An unnecessary licensing exchange during connection setup has been removed. This was causing problems for FIPS-compliant clients (#3132 backport of #3143)
Internal changes
FreeBSD CI bumped to 13.3 (#3088, backport of #3104)
Changes for users
None since v0.10.0.
If moving from v0.9.x, read the v0.10.0 release note.
Changes for packagers or developers
None since v0.10.0.
If moving from v0.9.x, read the v0.10.0 release note.
xrdp-0.10.1-1.fc39
Release notes for xrdp v0.10.1 (2024/07/31)
General announcements
A clipboard bugfix included in this release is sponsored by Krämer Pferdesport GmbH & Co KG. We very much appreciate the sponsorship.
Please consider sponsoring or making a donation to the project if you like xrdp. We accept financial contributions via Open Collective. Direct donations to each developer via GitHub Sponsors are also welcomed.
Security fixes
Unauthenticated RDP security scan finding / partial auth bypass (no CVE). Thanks to @txtdawg for reporting this.
New features
GFX-RFX lossy compression levels are now selectable depending on connection type on the client (#3183, backport of #2973)
Bug fixes
A regression in the code for creating the chansrv FUSE directory has been fixed (#3088, backport of #3082)
Fix a systemd dependency (“network-online.target”) (#3088, backport of #3086)
A problem in session list processing which could result in incorrect display assignments has been fixed (#3088, backport of #3103)
A problem in GFX resizing which could lead to a SEGV in xrdp has been fixed (#3088, backport of #3107)
A problem with the US Dvorak keyboard layout has been resolved (#3088, backport of #3112)
A regression bug when pasting image to LibreOffice has been fixed [Sponsored by Krämer Pferdesport GmbH & Co KG] (#3102 #3120)
Fix a regression when the server tries to negotiate GFX when max_bpp is not high enough (#3118 #3122)
Fix a GFX multi-monitor screen placing issue on minimise/maximize (#3075 #3127)
Fix an issue some files are not included properly in release tarball (#3149 #3150)
Using ‘I’ in the session selection policy now works correctly (#3167 #3171)
A potential name buffer overflow in the redirector has been fixed [no security implications] (#3175)
Screens wider than 4096 pixels should now be supported (#3083)
An unnecessary licensing exchange during connection setup has been removed. This was causing problems for FIPS-compliant clients (#3132 backport of #3143)
Internal changes
FreeBSD CI bumped to 13.3 (#3088, backport of #3104)
Changes for users
None since v0.10.0.
If moving from v0.9.x, read the v0.10.0 release note.
Changes for packagers or developers
None since v0.10.0.
If moving from v0.9.x, read the v0.10.0 release note.
