Security Flaws & Fixes - W/E - 1/25/19

Adobe Boots XSS Vulnerabilities in Experience Manager (01/22/2019)
Adobe posted updates for Experience Manager to remedy reflected cross-site scripting (XSS) and stored XSS bugs. The vendor also fixed a stored XSS flaw in its Experience Manager Forms.

Apple Updates Multiple Products, Including Safari and iOS (01/22/2019)
Updates for Apple products have been released to mitigate risks from vulnerabilities in earlier versions. The vendor issued new versions of Safari, watchOS, tvOS, macOS, and iOS on January 22.

Cisco Releases Advisories to Cover Security Issues in Products (01/23/2019)
Multiple Cisco advisories have been issued to address vulnerabilities across the vendor's product lines. The most critical issue is a buffer overflow condition in the vContainer of the Cisco SD-WAN Solution.

ControlByWeb X-320M Requires Firmware Update (01/21/2019)
X-320M, a Web-enabled weather station from ControlByWeb, is vulnerable to both cross-site scripting and improper authentication issues. A firmware update has been released to alleviate these vulnerabilities, according to an ICS-CERT advisory.

Drager Patches Critical Bugs in Patient Monitoring Devices (01/23/2019)
Drager patient monitoring medical devices have been found to contain multiple vulnerabilities. Patches were issued in December, according to an advisory from the ICS-CERT.

Kaspersky Spots Bugs in Moxa's Industrial IoT Platform (01/22/2019)
Kaspersky Lab's industrial control systems team identified seven previously unknown vulnerabilities in Moxa's ThingsPro Suite, an industrial Internet of Things (IoT) platform. The bugs could have allowed threat actors to gain highly privileged access to industrial IoT gateways and execute malicious commands. All issues were reported to Moxa and patched.

Security Issues Detected in Omron CX-Supervisor (01/21/2019)
Omron's CX-Supervisor is affected by multiple vulnerabilities. The vendor released Version 3.5.0.11 of CX-Supervisor to address the reported vulnerabilities.

Twitter: Bug Exposed Tweets for Over Four Years (01/21/2019)
A bug in Twitter may have exposed viewable tweets for more than four years, the social media entity said in a blog post. "You may have been impacted by this issue if you had protected tweets turned on in your settings, used Twitter for Android, and made certain changes to account settings such as changing the email address associated with your account between November 3, 2014, and January 14, 2019," Twitter said. The issue has since been fixed.

Unofficial Micropatches Issued for Three Windows Bugs (01/21/2019)
The team at ACROS Security released three micropatches for critical Windows vulnerabilities as part of its 0patch service. The micropatches alleviate denial-of-service, file read, and code execution vulnerabilities - all of which have yet to be fixed by Microsoft. The micropatches are available for free along with the patches' source code.

Unpatched Privilege Access Bug Found in Cisco Small Business Switches Software (01/21/2019)
A vulnerability in the Cisco Small Business Switches software could allow an unauthenticated, remote attacker to bypass the user authentication mechanism of an affected device. The vulnerability exists because, under specific circumstances, the affected software enables a privileged user account without notifying the system's administrators. Patches are not available at this time.

Update Fixes Vulnerability in ABB CP400 Panel Builder TextEditor 2.0 (01/21/2019)
An improper input validation has been identified in ABB's CP400 Panel Builder TextEditor 2.0. The latest version, 2.1.7.21, remedies this vulnerability.

Upgraded Versions Remedy Security Holes in Facility Explorer (01/23/2019)
Johnson Controls' Facility Explorer is affected by path traversal and improper authentication vulnerabilities. Successful exploitation of these vulnerabilities could allow an attacker to read, write, and delete sensitive files and thereby gain administrator privileges in the Facility Explorer system. The vendor provided upgrades that resolve these issues.