Every week, we catalog the major industrial cybersecurity vulnerabilities and updates you should know about. Here are the notable threats from the week of December 26 - January 1.
December 30, 2021
Microsoft
Microsoft SharePoint contains an elevation of privilege vulnerability.
Sources: Microsoft, NIST
Emerson
Emerson XWEB 300D EVO is vulnerable to an unauthenticated arbitrary file deletion due to path traversal.
Sources: Google Drive, NIST
IBM
IBM i 7.2, 7.3 and 7.4 are vulnerable to cross-site scripting, which could lead to credentials being disclosed.
Sources: IBM Security, NIST
December 28, 2021
Zyxel
The TFTP client in Zyxel GS1900 series, XGS1210 series and XGS1250 series firmware contains a vulnerability that could lead to the execution of arbitrary OS commands.
Sources: Zyxel, NIST
IDEC
User credentials exchanged between the PLC and the software could be obtained; as a result, the PLC user program could be uploaded, altered or downloaded.
Sources: JVN, IDEC
Safari
Versions of SAFARI Montage contain a reflected cross-site scripting vulnerability that could allow an attacker to execute JavaScript code.
Sources: Google, NIST
SuiteCRM
Versions of SuiteCRM contain a cross-site scripting vulnerability that could allow the injection of arbitrary JavaScript.
Sources: SuiteCRM, GitHub
FATEK
Versions of FATEK WinProladder contain a stack-based buffer overflow vulnerability that could lead to the execution of arbitrary code.
Sources: