The NCCIC has published an advisory on cross-site request forgery, information exposure through discrepancy, cross-site scripting, command injection, information exposure through source code, use of hard-coded cryptographic key, SQL injection, authentication bypass using an alternate path or channel, and inadequate encryption strength vulnerabilities in Computrols CBAS Web. Numerous versions of this product are affected. Successful exploitation of these vulnerabilities could allow unauthorized actions with administrative privileges, disclosure of sensitive information, execution of code within a user’s browser, execution of unauthorized OS commands, unauthorized access to the database, execution of unauthorized SQL commands, authentication bypass, or decryption of passwords. Computrols recommends that users upgrade to the latest versions to address these vulnerabilities. The NCCIC has also provided a series of mitigation measures. Read the advisory at NCCIC/ICS-CERT.