[Canvas] Gleg Agora, SCADA, Def, Med and ZDA updates

YG audit at gleg.net
Mon Apr 5 10:52:39 UTC 2021

Dear colleagues, new modules available for download.

ZDA 1.32:  ICS 0days in this release
  - SmartPTT SCADA Remote Code Execution [0Day]
  - SmartPTT Arbitrary File Upload [0Day]
  - WebHMI 4.0.7348 Denial of Service [0Day]

2.12 SCADA+ :
  - Advantech iView Missing Authentication RCE (FIXED). CVE-2021-22652
  - ADwin software package CD Remote File Create  
Vulnerability unsafe ActiveX method [1Day]
  - Beckhoff TwinCAT 3x EventConfigurator Remote Code Execution  
Vulnerability unsafe ActiveX method [1Day]
  - Schneider Electric ProWORX 32 DXFREADERlib DXFReader.ocx Remote  
File Create Vulnerability unsafe ActiveX method  [1Day]

1.65 DefPAck:
  - ZeroShell Linux Router 3.9.3 OS Command Injection. CVE-2020-29390
  - Remote Code Exection. CVE-2020-35578
  - Intelbras Router RF 301K 1.1.2 - Authentication Bypass. pub
  - HIRSCHMANN GECKO Lite Managed switch Configuration Disclosure. pub
  - Humax Wi-Fi Router HG100R credential disclosure vulnerability. pub

Agora 3.11:
  - Tekla Web Viewer Remote File Create Vulnerability [1day]
  - Sonatype Nexus 3.21.1 Remote Code Execution. CVE-2020-10199
  - EyesOfNetwork 5.3 Local File Inclusion. pub
  - Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to  
8.5.56 and 7.0.27 to 7.0.104 DoS. CVE-2020-13935.
  - Apache Flink 1.11.x Unauthenticated Arbitrary File Read  
Vulnerability. 2020-17519

MedPack 1.40
  - DicomObjects.COM C++ ActiveX library Remote File Create  
Vulnerability. [1day]
  - MediSoft Network Professional Remote Arbitrary File Overwrite. [1day]

Happy pentesting,
Gleg`s Security team
Follow us on https://twitter.com/GlegExploitPack

More information about the Canvas mailing list