ICS-CERT published an advisory on one of my reports this week –
Vulnerability: Resource Consumption, Cross-Site Scripting, Information Exposure
The following versions of VTScada, an HMI SCADA software, are affected:
VTScada Versions prior to 11.2.26
Read on for details.
On a recent pentest, I came across the CIMA DocuClass Enterprise Content Management application. I found multiple security vulnerabilities which can lead to unauthorized access to stored documents, access to the underlying database, and code execution on the server via SQL Injection.
No response from the vendor, as expected. Read on.
[ICS] XZERES 442SR Wind Turbine Cross-site Scripting Vulnerability
XZERES is a US-based energy company that maintains offices in several countries around the world, including the UK, Italy, Japan, Vietnam, Philippines, and Myanmar.
The affected product, the 442SR Wind Turbine, has a web-based interface system. According to XZERES, the 442SR is deployed across the energy sector. XZERES estimates that this product is used worldwide.
[ICS] Exploitation details for eWON sa Industrial router
Reported multiple vulnerabilities in the eWON sa Industrial router. Response from eWON was, not so surprisingly, full of ignorance.
CERT published Vulnerability Note VU#391604 on my report for multiple vulnerabilities in ZTE ZXHN H108N R1A routers.
CERT published Advisory ICSA-15-286-01 on my vulnerability report for Nordex’s NC2 Wind Farm Portal application.
[ICS] Nordex Control 2 (NC2) SCADA V16 and prior versions – XSS Vulnerability
CVE #: CVE-2015-6477
CERT has published Vulnerability Note VU#870744 detailing my report for multiple vulnerabilities in ZyXEL PMG5318-B20A and P-660HW-T1 routers.
New advisory / exploit posted on Exploit-db & Packetstorm:
Cross Site Scripting (XSS) in ESPN Cricinfo website
Cross Site Scripting (XSS) in ESPN Global website