The following provides resources on the latest vulnerabilities, exploits and their remediation that have been identified by the NIST Information Technology Laboratory's National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) repositories.
- Cybersecurity and Infrastructure Security Agency Alerts
Cybersecurity and Infrastructure Security Agency (CISA) alerts provide timely information about current security issues, vulnerabilities, and exploits.
- Keysight N6845A Geolocation Server: 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Keysight Technologies Equipment: N6854A Geolocation Server Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to escalate privileges in the affected device's default configuration, resulting in remote code execution or deleting system files and folders.…
- Siemens RADIUS Client of SIPROTEC 5 Devices: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 1. EXECUTIVE SUMMARY CVSS v3 7.5…
- Siemens SCALANCE Third-Party: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 1. EXECUTIVE SUMMARY CVSS v3…
- CISA Releases Eight Industrial Control Systems Advisories: CISA released eight Industrial Control Systems (ICS) advisories on March 21, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-080-01 Keysight N6854A Geolocation Server and N6841A RF Sensor ICSA-23-080-02 Delta Electronics InfraSuite Device Master ICSA-23-080-03 Siemens RUGGEDCOM APE1808 Product Family ICSA-23-080-04 Siemens RADIUS…
- CISA Releases Updated Cybersecurity Performance Goals: Today, we published stakeholder-based updates to the Cybersecurity Performance Goals (CPGs). Originally released last October, the CPGs are voluntary practices that businesses and critical infrastructure owners can take to protect themselves against cyber threats. The CPGs have been reorganized, reordered and renumbered to align closely with NIST CSF functions…
- Common Vulnerabilities and Exposures
Common Vulnerabilities and Exposures (CVE) is a list of entries, each containing an identification number, a description, and at least one public reference, for publicly known cybersecurity vulnerabilities.
- National Vulnerability Database
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
- CVE-2023-1306: An authenticated attacker can leverage an exposed resource.db() accessor method to smuggle Python method calls via a Jinja template, which can lead to code execution. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec.
- CVE-2023-1305: An authenticated attacker can leverage an exposed "box" object to read and write arbitrary files from disk, provided those files can be parsed as yaml or JSON. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of…
- CVE-2023-25684: IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 247597.
- CVE-2023-1304: An authenticated attacker can leverage an exposed getattr() method via a Jinja template to smuggle OS commands and perform other actions that are normally expected to be private methods. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed…
- CVE-2023-27570: The eo_tags package before 1.4.19 for PrestaShop allows SQL injection via a crafted _ga cookie.