You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on May 14, 2024. It is now read-only.
"Description": "CWE 798: \u200bUse of Hard-Coded Credentials - CVE\u20132018-5399\nThe DCU 210E firmware contains an undocumented Dropbear SSH server with a hardcoded username and password. The password is easily susceptible to cracking. CWE-346:\u200bOrigin Validation Error - CVE\u20132018-5400\nThe Auto-Maskin products utilize an undocumented custom protocol to set up Modbus communications with other devices without validating those devices. CWE-319:\u200b Cleartext Transmission of Sensitive Information - CVE\u20132018-5401\nThe devices transmit process control information via unencrypted Modbus communications. CWE-319:\u200b Cleartext Transmission of Sensitive Information - CVE\u20132018-5402\nThe embedded webserver uses unencrypted plaintext for the transmission of the administrator PIN.",
45
45
"ID": "VU#176301",
@@ -50,7 +50,7 @@
50
50
"Overview": "Auto-Maskin RP remote panels and DCU controls units are used to monitor and control ship engines. The units have several authentication and encryption vulnerabilities which can allow attackers to access the units and control connected engines.",
51
51
"References": "",
52
52
"Resolution": "CERT/CC is currently unaware of an update to address the vulnerabilities.",
53
-
"Revision": 14,
53
+
"Revision": 16,
54
54
"SystemsAffectedPreamble": "",
55
55
"ThanksAndCredit": "Thanks to Brian Satira and Brian Olson for reporting this vulnerability.",
56
56
"Title": "Auto-Maskin DCU 210E RP 210E and Marine Pro Observer App",
"Description": "CWE-306: Missing Authentication for Critical Function - CVE-2018-5393 EAP Controller for Linux utilizes a Java remote method invocation (RMI) service for remote control. The RMI interface does not require any authentication before use. Remote attackers can implement deserialization attacks through the RMI protocol. Successful attacks may allow a remote attacker to remotely control the target server and execute Java functions or bytecode. CWE-502: Deserialization of Untrusted Data - CVE-2015-6420 EAP Controller for Linux bundles a vulnerable version of Apache commons-collections v3.2.1 with the software, which appears to be the root cause of the vulnerability. Therefore, EAP Controller v2.5.3 and earlier are vulnerable to CVE-2015-6420 as documented in VU#576313. EAP Controller v2.5.3 and earlier for Linux are affected by both vulnerabilities.",
43
43
"ID": "VU#581311",
@@ -59,8 +59,8 @@
59
59
"http://cwe.mitre.org/data/definitions/306.html",
60
60
"http://cwe.mitre.org/data/definitions/502.html"
61
61
],
62
-
"Resolution": "There is currently no available update to EAP Controller to fully address the vulnerability. However, affected users may take the following actions to help mitigate and reduce risk. As described in VU#576313, updating the vulnerable libraries does not necessarily eliminate the vulnerability in all scenarios.",
63
-
"Revision": 97,
62
+
"Resolution": "The Omada Controller software v3.0.2 and later are not affected by this issue. Software download is available on the TP-Link support website. If older software must be used, users can help mitigate and reduce risk by updating the vulnerable libraries does not necessarily eliminate the vulnerability in all scenarios, as described in As described in VU#576313.",
63
+
"Revision": 103,
64
64
"SystemsAffectedPreamble": "",
65
65
"ThanksAndCredit": "Thanks to Liu Zhu, of Huawei Weiran Lab for reporting this vulnerability.",
66
66
"Title": "TP-Link EAP Controller lacks RMI authentication and is vulnerable to deserialization attacks",
"Description": "Pixar's Tractor software, versions 2.2 and earlier, contain a stored cross-site scripting vulnerability (CWE-79) in the field that allows a user to add a note to an existing node. The stored information is displayed when a user requests information about the node. An attacker could insert JavaScript into this note field that is then saved and displayed to the end user.",
40
+
"ID": "VU#756913",
41
+
"IDNumber": "756913",
42
+
"IPProtocol": "",
43
+
"Impact": "An authenticated attacker might include JavaScript that could execute on an authenticated user's system, which could lead to website redirects, session cookie hijacking, social engineering, and other impacts. Since the attacker's script is stored with the information about the node, all other users with access to this data are also vulnerable.",
44
+
"Keywords": [
45
+
"Pixar",
46
+
"Tractor",
47
+
"rendering software",
48
+
"stored XSS",
49
+
"CVE-2018-5411"
50
+
],
51
+
"Overview": "Pixar's Tractor network rendering software is vulnerable to stored cross-site scripting which may allow an attacker to execute arbitrary JavaScript.",
52
+
"References": [
53
+
"https://cwe.mitre.org/data/definitions/79.html",
54
+
"https://renderman.pixar.com/product/tractor"
55
+
],
56
+
"Resolution": "Apply an update\nPixar has released an updated version of this software that addresses this vulnerability, Tractor version 2.3 (build 1923604). Affected users should update to this version.",
57
+
"Revision": 55,
58
+
"SystemsAffectedPreamble": "",
59
+
"ThanksAndCredit": "Thanks to the reporter who wishes to remain anonymous.",
60
+
"Title": "Pixar Tractor contains a stored cross-site scripting vulnerability",
0 commit comments