Davide Quarta

Pesquisador dePolitecnico di Milano
#10501de 53,638
26.4CVSS total
Vulnerabilidades · 3
Alta
2
Crítica
1
PT-2018-14086
8.8
2018-11-02
Losant · Losant Arduino Mqtt Client · CVE-2018-17614
**Name of the Vulnerable Software and Affected Versions** Losant Arduino MQTT Client versions prior to V2.7 **Description** This issue allows remote attackers to execute arbitrary code on vulnerable installations. User interaction is not required to exploit this issue. The specific flaw exists within the parsing of MQTT PUBLISH packets, resulting from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this issue to execute code in the context of the current process. **Recommendations** For versions prior to V2.7, update to version V2.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the MQTT PUBLISH packet parsing functionality until a patch is available. Avoid using the Losant Arduino MQTT Client with untrusted MQTT connections until the issue is resolved.
PT-2018-10019
9.8
2018-07-11
Universal Robots · Universal Robots Robot Controllers · CVE-2018-10633
**Name of the Vulnerable Software and Affected Versions** Universal Robots Robot Controllers Version CB 3.1, SW Version 3.4.5-100 **Description** The issue concerns the use of hard-coded credentials in the software, which could allow an attacker to reset passwords for the controller. **Recommendations** For Universal Robots Robot Controllers Version CB 3.1, SW Version 3.4.5-100, consider changing the hard-coded credentials to unique, secure passwords to prevent unauthorized access.
PT-2018-10699
7.8
2018-06-13
Npm · Mosca · CVE-2018-11615
**Name of the Vulnerable Software and Affected Versions** npm mosca version 2.8.1 **Description** This issue allows remote attackers to deny service on vulnerable installations. Authentication is not required to exploit this issue. The specific flaw exists within the processing of topics. A crafted regular expression can cause the broker to crash, allowing an attacker to deny access to the target system. **Recommendations** For npm mosca version 2.8.1, update to a version that fixes the regular expression parsing issue to prevent denial-of-service attacks. As a temporary workaround, consider restricting access to the topic processing functionality until a patch is available.