Siemens Patches Major PLC Flaw that Bypasses Its ‘Sandbox’ Protection

0 Comments
Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database CVE-2021-30461
PUBLISHED: 2021-05-29

A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php.

CVE-2021-31702
PUBLISHED: 2021-05-29

Frontier ichris through 5.18 mishandles making a DNS request for the hostname in the HTTP Host header, as demonstrated by submitting 127.0.0.1 multiple times for DoS.

CVE-2021-31703
PUBLISHED: 2021-05-29

Frontier ichris through 5.18 allows users to upload malicious executable files that might later be downloaded and run by any client user.

CVE-2021-33564
PUBLISHED: 2021-05-29

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandl…

CVE-2021-32635
PUBLISHED: 2021-05-28

### Impact Due to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoint. An att…