CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2024-25140
https://notcve.org/view.php?id=CVE-2024-25140
A default installation of RustDesk 1.2.3 on Windows places a WDKTestCert certificate under Trusted Root Certification Authorities with Enhanced Key Usage of Code Signing (1.3.6.1.5.5.7.3.3), valid from 2023 until 2033. This is potentially unwanted, e.g., because there is no public documentation of security measures for the private key, and arbitrary software could be signed if the private key were to be compromised. NOTE: the vendor's position is "we do not have EV cert, so we use test cert as a workaround." Insertion into Trusted Root Certification Authorities was the originally intended behavior, and the UI ensured that the certificate installation step (checked by default) was visible to the user before proceeding with the product installation. Una instalación predeterminada de RustDesk 1.2.3 en Windows coloca un certificado WDKTestCert bajo Autoridades de certificación raíz confiables con uso de clave mejorado de firma de código (1.3.6.1.5.5.7.3.3), válido desde 2023 hasta 2033. • https://github.com/rustdesk/rustdesk/discussions/6444 https://news.ycombinator.com/item?id=39256493 https://serverfault.com/questions/837994 • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2020-24682 – Automation Studio and PVI Multiple unquoted service path vulnerabilities
https://notcve.org/view.php?id=CVE-2020-24682
Unquoted Search Path or Element vulnerability in B&R Industrial Automation Automation Studio, B&R Industrial Automation NET/PVI allows Target Programs with Elevated Privileges.This issue affects Automation Studio: from 4.0 through 4.6, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP; NET/PVI: from 4.0 through 4.6, from 4.7.0 before 4.7.7, from 4.8.0 before 4.8.6, from 4.9.0 before 4.9.4. Vulnerabilidad de elemento o ruta de búsqueda sin comillas en B&R Industrial Automation Automation Studio, B&R Industrial Automation NET/PVI permite programas de destino con privilegios elevados. Este problema afecta a Automation Studio: desde 4.6.0 hasta 4.6.X, desde 4.7.0 antes de 4.7.7 SP , desde 4.8.0 antes de 4.8.6 SP, desde 4.9.0 antes de 4.9.4 SP; NET/PVI: desde 4.6.0 hasta 4.6.X, desde 4.7.0 antes de 4.7.7, desde 4.8.0 antes de 4.8.6, desde 4.9.0 antes de 4.9.4. • https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf • CWE-428: Unquoted Search Path or Element •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2020-24681 – Automation Studio and PVI Multiple incorrect permission assignments for services
https://notcve.org/view.php?id=CVE-2020-24681
Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation.This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP. La asignación de permisos incorrecta para la vulnerabilidad de recursos críticos en B&R Industrial Automation Automation Studio permite la escalada de privilegios. Este problema afecta a Automation Studio: desde 4.6.0 hasta 4.6.X, desde 4.7.0 antes de 4.7.7 SP, desde 4.8.0 antes de 4.8.6 SP, desde 4.9.0 anterior a 4.9.4 SP. • https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2024-24482
https://notcve.org/view.php?id=CVE-2024-24482
Aprktool before 2.9.3 on Windows allows ../ and /.. directory traversal. Aprktool anterior a 2.9.3 en Windows permite ../ y /.. directory traversal. • https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-vgwr-4w3p-xmjv • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-0589
https://notcve.org/view.php?id=CVE-2024-0589
Cross-site scripting (XSS) vulnerability in the entry overview tab in Devolutions Remote Desktop Manager 2023.3.36 and earlier on Windows allows an attacker with access to a data source to inject a malicious script via a specially crafted input in an entry. Vulnerabilidad de cross site scripting (XSS) en la pestaña de descripción general de la entrada en Devolutions Remote Desktop Manager 2023.3.36 y versiones anteriores en Windows permite a un atacante con acceso a una fuente de datos inyectar un script malicioso a través de un input especialmente manipulado en una entrada. • https://devolutions.net/security/advisories/DEVO-2024-0001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •