Ali Abbasi

Name of the Vulnerable Software and Affected Versions: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02) ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior ICONICS GenBroker32 version 9.5 and prior Description: A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. The issue is related to deficiencies in the deserialization mechanism, which can be exploited by a remote attacker to cause a denial-of-service condition. Recommendations: For Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, update to a version that fixes the deserialization issue. For Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02), update to a version that fixes the deserialization issue. For ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior, update to a version that fixes the deserialization issue. For ICONICS GenBroker32 version 9.5 and prior, update to a version that fixes the deserialization issue. As a temporary workaround, consider restricting access to the deserialization mechanism until a patch is available.

Name of the Vulnerable Software and Affected Versions: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02) ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior ICONICS GenBroker32 version 9.5 and prior Description: A deserialization vulnerability exists, allowing remote code execution and a denial-of-service condition due to a specially crafted communication packet sent to the affected devices. This issue is related to the restoration of an untrusted data structure in memory, which can be exploited by a remote attacker to execute arbitrary code or cause a denial-of-service. Recommendations: For Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, update to a version later than 4.02C (10.95.208.31) to resolve the issue. For Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02), update to a version later than 3.00A (9.50.255.02) to resolve the issue. For ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior, update to a version later than 10.96 to resolve the issue. For ICONICS GenBroker32 version 9.5 and prior, update to a version later than 9.5 to resolve the issue. As a temporary workaround, consider restricting access to the deserialization functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Triangle MicroWorks SCADA Data Gateway versions 2.41.0213 through 4.0.122 Triangle MicroWorks SCADA Data Gateway versions 3.02.0697 through 4.0.122 **Description** The issue allows remote attackers to execute arbitrary code due to the lack of proper validation of user-supplied data, resulting in a type confusion condition. Authentication is not required to exploit this issue. This is only applicable to installations using DNP3 Data Sets. **Recommendations** For versions 2.41.0213 through 4.0.122, consider restricting access to the DNP3 Data Sets until a patch is available. For versions 3.02.0697 through 4.0.122, consider implementing additional validation for user-supplied data to prevent type confusion conditions. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Triangle MicroWorks SCADA Data Gateway versions 2.41.0213 through 4.0.122 Triangle MicroWorks SCADA Data Gateway versions 3.02.0697 through 4.0.122 **Description** The issue allows remote attackers to disclose sensitive information due to the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. Authentication is not required to exploit this issue. This is only applicable to installations using DNP3 Data Sets. **Recommendations** For versions 2.41.0213 through 4.0.122, consider restricting access to the DNP3 Data Sets until a patch is available. For versions 3.02.0697 through 4.0.122, consider implementing additional validation for user-supplied data to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Green Hills INTEGRITY RTOS version 5.0.4 **Description** An issue was discovered in the Interpeak IPCOMShell TELNET server. The main shell handler function uses the value of the environment variable `ipcom.shell.greeting` as the first argument to `printf()`, resulting in a user-controlled format string during login. This leads to an information leak of memory addresses. **Recommendations** For Green Hills INTEGRITY RTOS version 5.0.4, consider restricting the ability to set the `ipcom.shell.greeting` environment variable using the sysvar command to minimize the risk of exploitation. As a temporary workaround, avoid using the `printf()` function with user-controlled input until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Interpeak IPWEBS on Green Hills INTEGRITY RTOS version 5.0.4 **Description** The issue is related to the allocation of 60 bytes for the HTTP Authentication header in Interpeak IPWEBS on Green Hills INTEGRITY RTOS. When copying this header to parse, it does not check the size of the header, leading to a stack-based buffer overflow. **Recommendations** For Interpeak IPWEBS on Green Hills INTEGRITY RTOS version 5.0.4, consider implementing size checks when copying the HTTP Authentication header to prevent buffer overflows. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Green Hills INTEGRITY RTOS version 5.0.4 **Description** An issue was discovered in the Interpeak IPCOMShell TELNET server. The undocumented shell command "prompt" sets the shell's prompt value, which is used as a format string input to printf, resulting in an information leak of memory addresses. **Recommendations** For Green Hills INTEGRITY RTOS version 5.0.4, consider disabling the use of the `prompt` command in the Interpeak IPCOMShell TELNET server as a temporary workaround until a patch is available. Restrict access to the TELNET server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Green Hills INTEGRITY RTOS version 5.0.4 **Description** An issue in the Interpeak IPCOMShell TELNET server allows an attacker to forge a path containing format string modifiers when using the pwd command. This results in an information leak of memory addresses due to the lack of proper checks on the current working directory path used as an argument to printf(). **Recommendations** For Green Hills INTEGRITY RTOS version 5.0.4, consider restricting access to the pwd command in the Interpeak IPCOMShell TELNET server until a proper fix is applied to prevent the evaluation of custom format strings. As a temporary workaround, avoid using the pwd command with untrusted input to minimize the risk of information leakage. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Green Hills INTEGRITY RTOS version 5.0.4 **Description** A heap-based buffer overflow issue exists in the Interpeak IPCOMShell TELNET server. This occurs when a custom modifier is used to display specific information, such as a process ID, IP address, or current working directory, triggering modifier expansion. The overflow causes memory corruption or a crash and also leaks memory address information. **Recommendations** For Green Hills INTEGRITY RTOS version 5.0.4, consider disabling the custom modifier expansion in the Interpeak IPCOMShell TELNET server as a temporary workaround to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mosaic Commerce (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `cid` parameter in the category.php file. This can lead to unauthorized access and manipulation of database content. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PostNuke v4bJournal module (affected versions not specified) **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved by exploiting the `id` parameter in a `journal comment` action in the `index.php` file of the v4bJournal module. **Recommendations** For the v4bJournal module, consider restricting access to the `index.php` file until a patch is available, and avoid using the `id` parameter in the `journal comment` action to minimize the risk of exploitation.