CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4601 – Stack-based Buffer Overflow in NI System Configuration Software
https://notcve.org/view.php?id=CVE-2023-4601
18 Oct 2023 — A stack-based buffer overflow vulnerability exists in NI System Configuration that could result in information disclosure and/or arbitrary code execution. Successful exploitation requires that an attacker can provide a specially crafted response. This affects NI System Configuration 2023 Q3 and all previous versions. Existe una vulnerabilidad de desbordamiento del búfer basada en pila en NI System Configuration que podría resultar en la divulgación de información y/o la ejecución de código arbitrario. La ex... • https://www.ni.com/en/support/documentation/supplemental/23/stack-based-buffer-overflow-in-ni-system-configuration.html • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4570 – Improper Restriction in NI MeasurementLink Python Services
https://notcve.org/view.php?id=CVE-2023-4570
05 Oct 2023 — An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services exposed on localhost. These services were previously thought to be unreachable outside of the node. This affects measurement plug-ins written in Python using version 1.1.0 of the ni-measurementlink-service Python package and all previous versions. Una restricción de acceso inadecuada en los servicios de NI MeasurementLink Python podría permitir que un atacante en una red adya... • https://www.ni.com/en/support/documentation/supplemental/23/improper-restriction-in-ni-measurementlink-python-services.html • CWE-420: Unprotected Alternate Channel •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-42718
https://notcve.org/view.php?id=CVE-2022-42718
01 Dec 2022 — Incorrect default permissions in the installation folder for NI LabVIEW Command Line Interface (CLI) may allow an authenticated user to potentially enable escalation of privilege via local access. Los permisos predeterminados incorrectos en la carpeta de instalación para NI LabVIEW Command Line Interface (CLI) pueden permitir que un usuario autenticado habilite potencialmente la escalada de privilegios a través del acceso local. • https://www.ni.com/en-us/support/documentation/supplemental/22/privilege-escalation-in-ni-labview-cli-.html • CWE-276: Incorrect Default Permissions •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35415
https://notcve.org/view.php?id=CVE-2022-35415
16 Sep 2022 — An improper input validation in NI System Configuration Manager before 22.5 may allow a privileged user to potentially enable escalation of privilege via local access. Una comprobación de entrada inapropiada en NI System Configuration Manager versiones anteriores a 22.5, puede permitir a un usuario privilegiado habilitar potencialmente una escalada de privilegios por medio de acceso local • https://ni.com • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2022-27237
https://notcve.org/view.php?id=CVE-2022-27237
21 Apr 2022 — There is a cross-site scripting (XSS) vulnerability in an NI Web Server component installed with several NI products. Depending on the product(s) in use, remediation guidance includes: install SystemLink version 2021 R3 or later, install FlexLogger 2022 Q2 or later, install LabVIEW 2021 SP1, install G Web Development 2022 R1 or later, or install Static Test Software Suite version 1.2 or later. Se presenta una vulnerabilidad de tipo cross-site scripting (XSS) en un componente de NI Web Server instalado con v... • https://www.ni.com/en-us/support/documentation/supplemental/22/cross-site-scripting-vulnerability--in-ni-web-server-component.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24846 – Ni WooCommerce Custom Order Status < 1.9.7 - Subscriber+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24846
22 Nov 2021 — The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber La función get_query() del plugin Ni WooCommerce Custom Order Status de WordPress versiones anteriores a 1.9.7, usada por la acción AJAX niwoocos_ajax, disponible para... • https://wpscan.com/vulnerability/a1e7cd2b-8400-4c5d-8b47-a8ccd1e21675 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-42563
https://notcve.org/view.php?id=CVE-2021-42563
12 Nov 2021 — There is an Unquoted Service Path in NI Service Locator (nisvcloc.exe) in versions prior to 18.0 on Windows. This may allow an authorized local user to insert arbitrary code into the unquoted service path and escalate privileges. Se presenta una ruta de servicio no citada en el localizador de servicios de NI (nisvcloc.exe) en versiones anteriores a 18.0 en Windows. Esto puede permitir a un usuario local autorizado insertar código arbitrario en la ruta de servicio no citada y escalar privilegios • https://www.ni.com/en-us/support/documentation/supplemental/21/unquoted-service-path-in-ni-service-locator.html • CWE-428: Unquoted Search Path or Element •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-38304
https://notcve.org/view.php?id=CVE-2021-38304
17 Sep 2021 — Improper input validation in the National Instruments NI-PAL driver in versions 20.0.0 and prior may allow a privileged user to potentially enable escalation of privilege via local access. Una comprobación de entrada inapropiada en National Instruments NI-PAL driver en versiones 20.0.0 y anteriores, puede permitir a un usuario privilegiado permita potencialmente una escalada de privilegios por medio de acceso local • https://www.ni.com/en-us/support/documentation/supplemental/21/improper-input-validation-in-ni-pal.html • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-25191
https://notcve.org/view.php?id=CVE-2020-25191
11 Dec 2020 — Incorrect permissions are set by default for an API entry-point of a specific service, allowing a non-authenticated user to trigger a function that could reboot the CompactRIO (Driver versions prior to 20.5) remotely. Unos permisos incorrectos son establecidos por defecto para un punto de entrada de la API de un servicio específico, permitiendo a un usuario no autenticado activar una función que podría reiniciar el CompactRIO remotamente (Driver versiones anteriores a 20.5) • https://us-cert.cisa.gov/ics/advisories/icsa-20-338-01 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5570
https://notcve.org/view.php?id=CVE-2020-5570
28 Apr 2020 — Cross-site scripting vulnerability in Sales Force Assistant version 11.2.48 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad de tipo Cross-site scripting en Sales Force Assistant versiones anteriores a 11.2.48, permite a atacantes autenticados remotamente inyectar script web o HTML arbitrario por medio de vectores no especificados. • http://jvn.jp/en/jp/JVN47668991/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •