Advisories

KLCERT-18-027: LibVNC Heap Use-After-Free

19 December 2018

LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains a heap use-after-free vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity. This vulnerability has been fixed in 73cb96fec028a576a5a24417b57723b55854ad7b and later.

KLCERT-18-026: LibVNC Heap Use-After-Free

19 December 2018

LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains a heap use-after-free vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity. This vulnerability has been fixed in ca2a5ac02fbbadd0a21fabba779c1ea69173d10b and later.

KLCERT-18-025: General Electric Proficy GDS XML eXternal Entity (XXE)

07 December 2018

An XXE injection vulnerability leads to path traversal inside the Proficy server. An attacker may be able to initiate an OPC UA session and retrieve an arbitrary file from the targeted system.

KLCERT-18-024: Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Remote Code Execution

18 October 2018

Remote Code Execution in Moxa ThingsPro IIoT Gateway and Device Management Software. A remote attacker can execute arbitrary code using command string injection.

KLCERT-18-023: Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Hidden Token Access

18 October 2018

Hidden Token Access in Moxa ThingsPro IIoT Gateway and Device Management Software. A remote attacker could gain root privileges and execute arbitrary code using a hidden API token.

KLCERT-18-022: Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Sensitive Information Stored in Clear Text

18 October 2018

Sensitive Information Stored in Clear Text in Moxa ThingsPro IIoT Gateway and Device Management Software. A remote attacker is able to recover access tokens.

KLCERT-18-021: Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Password Management Issue

18 October 2018

Password Management Issue in Moxa ThingsPro IIoT Gateway and Device Management Software. A remote attacker is able to change the user's password.

KLCERT-18-020: Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Broken Access Control

18 October 2018

Broken Access Control in Moxa ThingsPro IIoT Gateway and Device Management Software. A remote attacker can escalate privileges by exploiting the broken access control.

KLCERT-18-019: Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: User Privilege Escalation

18 October 2018

User Privilege Escalation in Moxa ThingsPro IIoT Gateway and Device Management Software. Exploitation of this vulnerability allows a remote attacker to gain higher privileges.

KLCERT-18-018: Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: User Enumeration

18 October 2018

User Enumeration in Moxa ThingsPro IIoT Gateway and Device Management Software. A remote attacker can enumerate valid users of the web application and then brute-force the corresponding passwords.