All news with #cross-site scripting tag

Tue, November 25, 2025

Zenitel TCIV-3+ Multiple Remote Code Execution Flaws

⚠️ Zenitel has disclosed multiple high‑severity vulnerabilities in the TCIV-3+ intercom device, including three OS command injection flaws, an out‑of‑bounds write, and a reflected XSS. The issues (CVE-2025-64126 through CVE-2025-64130) carry high CVSS ratings — several are scored CVSS v4 10.0 — and can be exploited remotely with low complexity. Zenitel advises upgrading to version 9.3.3.0 or later; CISA recommends isolating devices, minimizing Internet exposure, and applying defensive controls until patches are deployed.

Thu, November 20, 2025

Automated Logic WebCTRL: Open Redirect and XSS Fix

🔒 Automated Logic's WebCTRL servers and related products are affected by an open redirect (CVE-2024-8527) and a reflected XSS vulnerability (CVE-2024-8528) impacting versions 6.1, 7.0, 8.0, and 8.5. The open redirect carries high severity (CVSS v3.1 9.3; v4 8.6) while the XSS stems from an unsanitized "wbs" GET parameter (CVSS v3.1 7.5; v4 5.4). Automated Logic reports remediation in WebCTRL 9.0 and advises upgrades; CISA recommends minimizing device exposure, using firewalls and secure remote access, and following anti-phishing best practices. CISA notes no known public exploitation and states the vulnerabilities are not remotely exploitable as described.
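The two bug classes in this item, a reflected parameter echoed into HTML and a user-controlled redirect target, are shown below as an added, generic example. This is not WebCTRL code and does not reproduce its behaviour; the template, the `wbs` handling, the assumed allowed origin and the helper names are illustrative assumptions.

```javascript
// Added illustration of a reflected-XSS sink and an open-redirect check.
// Not WebCTRL code; template, parameter handling and origin are assumptions.

// Parse the query string of a request path (no server needed for the demo).
function parseQuery(url) {
  const params = new URL(url, "http://example.invalid").searchParams;
  return Object.fromEntries(params.entries());
}

// Encode for HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[ch]);
}

// Vulnerable pattern: the GET parameter is reflected verbatim into the page,
// so a crafted link executes script in the victim's session.
function renderVulnerable(url) {
  const wbs = parseQuery(url).wbs ?? "";
  return `<div class="status">Selected: ${wbs}</div>`;
}

// Hardened pattern: encode for the HTML context at the point of output.
function renderHardened(url) {
  const wbs = parseQuery(url).wbs ?? "";
  return `<div class="status">Selected: ${escapeHtml(wbs)}</div>`;
}

// Open-redirect check: accept only targets that resolve to our own origin,
// and hand back a relative path so no absolute URL is ever echoed.
// allowedOrigin is an assumption, e.g. "https://webctrl.example".
function safeRedirectTarget(target, allowedOrigin) {
  if (typeof target !== "string" || target.length === 0) return "/";
  // Reject protocol-relative ("//evil"), backslash variants and control chars,
  // which browsers may normalise into an off-site absolute URL.
  if (/^[\\\/]{2}/.test(target) || /[\u0000-\u001f]/.test(target)) return "/";
  let parsed;
  try {
    parsed = new URL(target, allowedOrigin);
  } catch {
    return "/";
  }
  // "javascript:" and foreign hosts both fail the origin comparison.
  if (parsed.origin !== allowedOrigin) return "/";
  return parsed.pathname + parsed.search + parsed.hash;
}

module.exports = { parseQuery, escapeHtml, renderVulnerable, renderHardened, safeRedirectTarget };
```

The redirect check compares the resolved origin rather than testing for a leading `/`, because `//evil.example` and `\\evil.example` start with a slash yet resolve off-site; returning a relative path also removes the host from the `Location` header entirely.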
