[Canvas] Gleg Agora, SCADA, Def, ZDA updates

YG audit at gleg.net
Sat Sep 11 18:15:45 UTC 2021

Dear colleagues, new modules available for download.

SCADA 2.17:
  - WebHMI Privilege Escalation AFU and RCE.  [1Day]
  - MELSOFT Mediative Server Denial Of Service [1Day]
  - Reliance4 SCADA Web Server Denial of Service [1Day]
  - Schneider Electric Concept 2.6XL Remote Arbitrary File Overwrite [1Day]
  - Citect SCADA (Facilities) ciTextBox.ocx Remote File Create weakness. pub

Agora 3.16:
  - AGG Private Business Exchange Data Logger Directory Traversal. [1day]
  - ActiveBarcode Generator file overwrite vulnerability [1day]
  - Codejock Xtreme Suite Pro ActiveX 15.3.1 Retail Remote File Create Vulnerability [1day]
  - GLPI 9.5 Authenticated Stored CSS Injection [1day]
  - LibreNMS 21.3.0 Persistent Cross-Site Scripting [1day]
  - Node-RED-Dashboard before 2.26.2 Directory Traversal Vulnerability. CVE-2021-3223

DefPack 1.70:
  - COMMAX Smart Home Ruvie CCTV Bridge DVR Service Config Write DoS.  
  - Foscam Cameras Denial of service of the RTSP video feed. pub
  - Genie Access WIP3BVAF IP Camera Directory Traversal Vulnerability. pub
  - Karel IP Phone IP1211 Web Management Panel Directory Traversal Vulnerability. pub
  - Netgear DGN2200v1 and other Bezeq based devices Remote Command Execution Unauthenticated. pub
  - RConfig 3.9.6 Arbitrary File Upload to RCE. pub

ZDA 1.36 extra exploits:
  - ARSoft Visual IO SCADA DDE Server Denial of Service [0Day]
  - Pult Online v270 Information leak [0Day]
  - Unitronics VisiLogic_C File Create Vulnerability [0Day]
  - WiSCADA TsDatabase 0-Day Denial of Service [0Day]
  - IPS Community Suite <= PHP Code Injection Vulnerability.  
  - osCommerce Remote Code Execution. pub
  - Webmin 1.973 Cross-Site Request Forgery to RCE. CVE-2021-31761

Happy pentesting,
Gleg Security team
Follow us on https://twitter.com/GlegExploitPack
