[VIM] [CVENEW] New CVE CANs: 2013/03/21 10:00 ; count=8

coley at mitre.org
Thu Mar 21 09:04:25 CDT 2013


======================================================
Name: CVE-2011-4515
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4515
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20111122
Category: 
Reference: MISC:http://ics-cert.us-cert.gov/pdf/ICSA-13-079-03.pdf
Reference: CONFIRM:http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf

Siemens WinCC (TIA Portal) 11 uses a reversible algorithm for storing
HMI web-application passwords in world-readable and world-writable
files, which allows local users to obtain sensitive information by
leveraging (1) physical access or (2) Sm@rt Server access.



======================================================
Name: CVE-2013-0665
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0665
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121219
Category: 
Reference: MISC:http://ics-cert.us-cert.gov/pdf/ICSA-13-079-01.pdf

Schweitzer Engineering Laboratories (SEL) AcSELerator QuickSet before
5.12.0.1 uses weak permissions for its Program Files directory, which
allows local users to replace executable files, and consequently gain
privileges, via standard filesystem operations.



======================================================
Name: CVE-2013-0667
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0667
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121219
Category: 
Reference: MISC:http://ics-cert.us-cert.gov/pdf/ICSA-13-079-03.pdf
Reference: CONFIRM:http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf

Cross-site scripting (XSS) vulnerability in the HMI web application in
Siemens WinCC (TIA Portal) 11 allows remote attackers to inject
arbitrary web script or HTML via a crafted URL.



======================================================
Name: CVE-2013-0668
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0668
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121219
Category: 
Reference: MISC:http://ics-cert.us-cert.gov/pdf/ICSA-13-079-03.pdf
Reference: CONFIRM:http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf

Multiple cross-site scripting (XSS) vulnerabilities in the HMI web
application in Siemens WinCC (TIA Portal) 11 allow remote attackers to
inject arbitrary web script or HTML via a crafted URL.



======================================================
Name: CVE-2013-0669
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0669
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121219
Category: 
Reference: MISC:http://ics-cert.us-cert.gov/pdf/ICSA-13-079-03.pdf
Reference: CONFIRM:http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf

The HMI web application in Siemens WinCC (TIA Portal) 11 allows remote
authenticated users to cause a denial of service (daemon crash) via a
crafted HTTP request.



======================================================
Name: CVE-2013-0670
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0670
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121219
Category: 
Reference: MISC:http://ics-cert.us-cert.gov/pdf/ICSA-13-079-03.pdf
Reference: CONFIRM:http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf

CRLF injection vulnerability in the HMI web application in Siemens
WinCC (TIA Portal) 11 allows remote attackers to inject arbitrary HTTP
headers and conduct HTTP response splitting attacks via a crafted URL.



======================================================
Name: CVE-2013-0671
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0671
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121219
Category: 
Reference: MISC:http://ics-cert.us-cert.gov/pdf/ICSA-13-079-03.pdf
Reference: CONFIRM:http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf

Directory traversal vulnerability in Siemens WinCC (TIA Portal) 11
allows remote authenticated users to read HMI web-application source
code and user-defined scripts via a crafted URL.



======================================================
Name: CVE-2013-0672
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0672
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121219
Category: 
Reference: MISC:http://ics-cert.us-cert.gov/pdf/ICSA-13-079-03.pdf
Reference: CONFIRM:http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf

Cross-site scripting (XSS) vulnerability in the HMI web application in
Siemens WinCC (TIA Portal) 11 allows remote authenticated users to
inject arbitrary web script or HTML via unspecified data.


