Home / Advisories / KLCERT advisories

KLCERT advisories

KLCERT-20-017: Session Information Exposure in ARC Informatique PcVue

09 October 2020

An information exposure vulnerability exists in PcVue 12, allowing a non-authorized user to access session data of legitimate users.
KLCERT-20-016: Denial-of-Service in ARC Informatique PcVue

09 October 2020

A Denial Of Service vulnerability exists in PcVue from version 8.10 onward, due to the ability for a non-authorized user to modify information used to validate messages sent by legitimate web clients.
KLCERT-20-015: Remote Code Execution in ARC Informatique PcVue

09 October 2020

A Remote Code Execution vulnerability exists in PcVue from version 8.10 onward, due to the unsafe deserialization of messages received on the interface.
KLCERT-20-014: Session token exposed in Honeywell ControlEdge PLC and RTU

23 June 2020

Exposed session token in Honeywell ControlEdge PLC and RTU.
KLCERT-20-013: Unencypted password transmission in Honeywell ControlEdge PLC and RTU

23 June 2020

Unencrypted password transmission on the network in Honeywell ControlEdge PLC and RTU.
KLCERT-20-012: Missing Authentication in Emerson OpenEnterprise SCADA before 3.3.4

20 May 2020

Missing Authentication in Emerson OpenEnterprise SCADA versions before 3.3.4 might lead to arbitrary code execution. The affected components may allow an attacker to run an arbitrary commands with system privileges or perform remote code execution via a specific communication service.
KLCERT-20-011: Inadequate Encryption Strength in Emerson OpenEnterprise SCADA before 3.3.4

20 May 2020

Inadequate Encryption Strength in Emerson OpenEnterprise SCADA versions before 3.3.4. Inadequate encryption may allow the passwords for OpenEnterprise user accounts to be obtained.
KLCERT-20-010: Improper Ownership Management in Emerson OpenEnterprise SCADA before 3.3.4

20 May 2020

Improper Ownership Management in Emerson OpenEnterprise SCADA versions before 3.3.4. Inadequate folder security permissions may allow modification of important configuration files which could cause the system to fail or behave in an unpredictable manner.
KLCERT-20-009: Remote Code Execution on LibVNC version prior to 0.9.12

23 March 2020

LibVNC client code contains heap buffer overflow vulnerability in commit prior to 6073771eed1caf72f196e410182471e0dfd32149. This could possible result into remote code execution. This attack appear to be exploitable via network connectivity. The issue has been fixed in commit 54220248886b5001fbbb9fa73c4e1a2cb9413fed.
KLCERT-20-008: Remote Code Execution on TigerVNC version prior to 1.10.1

23 March 2020

TigerVNC version prior to 1.10.1 is vulnerable to stack buffer overflow, which could be triggered from CMsgReader::readSetCursor. This vulnerability occurs due to insufficient sanitization of PixelFormat. Since remote attacker can choose offset from start of the buffer to start writing his values, exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.