Under certain circumstances, opening a specially crafted 7-zip package can exploit an integer
underflow vulnerability in 7-zip versions up to and including 22.x
This vulnerability allows for a remote code execution, resulting in unauthorized (remote) access to,
change of data or disruption of the whole service.



The TRUMPF CAD/CAM software tools mentioned above use the vulnerable CodeMeter Runtime (up to version 7.60b) application from WIBU-SYSTEMS AG to manage licenses within the component TRUMPF License Expert. This CodeMeter application contains new vulnerabilities, which may enable an attacker to gain full access to the server or workstation on which the TRUMPF License Expert has been installed on. A new version of the TRUMPF License Expert which fixes this vulnerability is available.
Machines with a running and correctly installed mGuard hardware firewall cannot be exploited by this vulnerability if used as intended (according to the manual).

Update A, 2023-11-13

Removed CVE-2023-4701 because it was revoked.



TruControl laser control software from versions 1.60.0 to 3.40.0 use a vulnerable  X.Org server versions. The affected X.Org vulnerability is not validating the request length properly for the handler “ProcXkbSetGeometry”. An authenticated Attacker could craft a request which could lead to memory out-of bounds write.



A number of TRUMPF software tools use the OPC UA Server in C++ based OPC UA SDK by Unified Automation. The application contains several vulnerabilities, which enable an attacker to send malicious data to the application, resulting in a Denial-of-Service.



A service function in the stated TRUMPF products is exposed without necessary authentication. Execution of this function may result in unauthorized access to, change of data or disruption of the whole service.



TruControl laser control software from versions 1.04 to 3.0.0 use codesys runtime versions affected by multiple CVEs:

CVE-2021-29242, CVE-2021-29241, CVE-2019-5105, CVE-2020-7052, CVE-2019-9012, CVE-2019-9010, CVE-2019-9009, CVE-2018-10612

In addition to the CVEs listed above, the affected products are also affected by the following three vulnerabilites without a CVE ID:

CODESYS Advisory 2018-07

A crafted communication request may cause an access violation in the affected CODESYS products and may result in a denial-of-service condition.

CVSSv3.0 base score 6.5
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Link to advisory


CODESYS Advisory 2018-04

The CODESYS runtime system allows to access files outside the restricted working directory of the controller by online services

CVSSv3.0 base score 9.9
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Link to advisory


CODESYS Advisory 2017-03

A crafted request may cause an access violation in the affected CODESYS products and may result in a denial-of-service condition

CVSSv3.0 base score 7.5
CVSSv3.0 Vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Link to advisory



TruControl laser control software from versions 2.14.0 to 3.14.0 use sudo versions affected by CVE-2021-3156. The affected sudo has a heap-based buffer overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.



Feeds

By Vendor

Archive

2024
2023
2022
2021
2020
2019
2018
2017

Legend

(Scoring for CVSS 2.0,3.0+3.1)
None
No CVE available
Low
0.1 <= 3.9
Medium
4.0 <= 6.9
High
7.0 <= 8.9
Critical
9.0 <= 10.0