CVE-2022-27237
https://notcve.org/view.php?id=CVE-2022-27237
There is a cross-site scripting (XSS) vulnerability in an NI Web Server component installed with several NI products. Depending on the product(s) in use, remediation guidance includes: install SystemLink version 2021 R3 or later, install FlexLogger 2022 Q2 or later, install LabVIEW 2021 SP1, install G Web Development 2022 R1 or later, or install Static Test Software Suite version 1.2 or later. Se presenta una vulnerabilidad de tipo cross-site scripting (XSS) en un componente de NI Web Server instalado con varios productos de NI. Dependiendo del producto(s) en uso, la guía de remediación incluye: instalar SystemLink versión 2021 R3 o posterior, instalar FlexLogger 2022 Q2 o posterior, instalar LabVIEW 2021 SP1, instalar G Web Development 2022 R1 o posterior, o instalar Static Test Software Suite versión 1.2 o posterior • https://www.ni.com/en-us/support/documentation/supplemental/22/cross-site-scripting-vulnerability--in-ni-web-server-component.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-2779
https://notcve.org/view.php?id=CVE-2017-2779
An exploitable memory corruption vulnerability exists in the RSRC segment parsing functionality of LabVIEW 2017, LabVIEW 2016, LabVIEW 2015, and LabVIEW 2014. A specially crafted Virtual Instrument (VI) file can cause an attacker controlled looping condition resulting in an arbitrary null write. An attacker controlled VI file can be used to trigger this vulnerability and can potentially result in code execution. Existe una vulnerabilidad de corrupción de memoria explotable en la funcionalidad de análisis de segmentos RSRC de LabVIEW 2017, LabVIEW 2016, LabVIEW 2015 y LabVIEW 2014. Un archivo de Instrumento Virtual (VI) especialmente diseñado puede causar una condición de bucle controlada por un atacante que resulta en una escritura nula arbitraria. • http://www.ni.com/product-documentation/54099/en http://www.securityfocus.com/bid/100519 https://0patch.blogspot.com/2017/09/0patching-rsrc-arbitrary-null-write.html https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0273 • CWE-787: Out-of-bounds Write •
CVE-2017-2775
https://notcve.org/view.php?id=CVE-2017-2775
An exploitable memory corruption vulnerability exists in the LvVariantUnflatten functionality in 64-bit versions of LabVIEW before 2015 SP1 f7 Patch and 2016 before f2 Patch. A specially crafted VI file can cause a user controlled value to be used as a loop terminator resulting in internal heap corruption. An attacker controlled VI file can be used to trigger this vulnerability, exploitation could lead to remote code execution. Existe una vulnerabilidad de corrupción de memoria explotable en la funcionalidad LvVariantUnflatten en versiones de LabVIEW de 64 bits anterior a versión 2015 SP1 Parche f7 y versiones 2016 anteriores a Parche f2. Un archivo VI especialmente diseñado puede causar que un valor controlado por el usuario sea usado como un terminador de bucle resultando en una corrupción de pila interna. • http://www.ni.com/product-documentation/53778/en http://www.securityfocus.com/bid/97020 http://www.talosintelligence.com/reports/TALOS-2017-0269 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2013-5023
https://notcve.org/view.php?id=CVE-2013-5023
The ActiveX controls in the HelpAsst component in NI Help Links in National Instruments LabWindows/CVI 2012 SP1 and earlier, LabVIEW 2012 SP1 and earlier, and other products allow remote attackers to cause a denial of service by triggering the display of local .chm files. Vulnerabilidad sin especificar en un control ActiveX en el componente HelpAsst en NI Help Links in National Instruments LabWindows/CVI, LabVIEW, y otros productos, tiene un impacto desconocido y vectores de ataque remotos. • http://digital.ni.com/public.nsf/allkb/E6BC4F119D49A97A86257BD3004FE019?OpenDocument http://digital.ni.com/public.nsf/websearch/507DEC9DA57A708186257B3600512623?OpenDocument http://digital.ni.com/public.nsf/websearch/5C87A3AA7300868986257B3600501FE6?OpenDocument •
CVE-2013-5022
https://notcve.org/view.php?id=CVE-2013-5022
Absolute path traversal vulnerability in the 3D Graph ActiveX control in cw3dgrph.ocx in National Instruments LabWindows/CVI 2012 SP1 and earlier, LabVIEW 2012 SP1 and earlier, and other products allows remote attackers to create and execute arbitrary files via a full pathname in an argument to the ExportStyle method, in conjunction with file content in the (1) Caption or (2) FormatString property value. Una vulnerabilidad de salto de ruta (path) en el control de 3D Graph ActiveX en el archivo cw3dgrph.ocx en LabWindows/CVI 2012 SP1 y anteriores, LabVIEW 2012 SP1 y anteriores, y otros productos de National Instruments, permiten a los atacantes remotos crear y ejecutar archivos arbitrarios por medio de una ruta (path) de acceso completa en un argumento para el método ExportStyle, en conjunción con el contenido del archivo en el valor de la propiedad (a) Caption o (b) FormatString. • http://digital.ni.com/public.nsf/allkb/782E4F31442D833186257BD3004AEB47?OpenDocument http://digital.ni.com/public.nsf/websearch/507DEC9DA57A708186257B3600512623?OpenDocument http://digital.ni.com/public.nsf/websearch/C4619A438F7E78E486257B360050BD7D?OpenDocument • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •