Summary
MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered. These are fixed in newer versions of XAMPP by updating the bundled applications. MES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic’s Factory Control Panel application.
The following versions of Festo Didactic SE MES PC are affected:
- MES PC (CVE-2019-11036, CVE-2023-25727, CVE-2021-2011, CVE-2022-32083, CVE-2021-46668, CVE-2018-19518, CVE-2021-2194, CVE-2019-11049, CVE-2022-31626, CVE-2022-32084, CVE-2022-32088, CVE-2022-27377, CVE-2020-2922, CVE-2019-9638, CVE-2019-11044, CVE-2020-7068, CVE-2020-7069, CVE-2015-2301, CVE-2023-0568, CVE-2022-27458, CVE-2021-21706, CVE-2022-27452, CVE-2020-7071, CVE-2022-27387, CVE-2022-27376, CVE-2019-11043, CVE-2021-2032, CVE-2021-2007, CVE-2019-11045, CVE-2022-27445, CVE-2022-27457, CVE-2022-27384, CVE-2022-23808, CVE-2023-0567, CVE-2019-9025, CVE-2022-27379, CVE-2019-9637, CVE-2021-27928, CVE-2021-21703, CVE-2020-2760, CVE-2021-2166, CVE-2015-2787, CVE-2022-23807, CVE-2020-2752, CVE-2021-46666, CVE-2020-2814, CVE-2020-7065, CVE-2021-21705, CVE-2020-7062, CVE-2019-11039, CVE-2019-11035, CVE-2022-27447, CVE-2019-11046, CVE-2022-27446, CVE-2022-27386, CVE-2019-9639, CVE-2019-11042, CVE-2022-27385, CVE-2020-7059, CVE-2020-7070, CVE-2022-32091, CVE-2015-2348, CVE-2019-9020, CVE-2021-35604, CVE-2022-27444, CVE-2018-14883, CVE-2014-9705, CVE-2020-7064, CVE-2022-27382, CVE-2020-7063, CVE-2021-2372, CVE-2019-9021, CVE-2018-14851, CVE-2022-27448, CVE-2021-46663, CVE-2021-2180, CVE-2014-9709, CVE-2023-25690, CVE-2022-32082, CVE-2022-31629, CVE-2019-9022, CVE-2016-3078, CVE-2023-0662, CVE-2021-2022, CVE-2022-32089, CVE-2019-11048, CVE-2021-46669, CVE-2019-11047, CVE-2022-27383, CVE-2021-46667, CVE-2022-32087, CVE-2022-36760, CVE-2020-7060, CVE-2018-17082, CVE-2019-9640, CVE-2021-46661, CVE-2019-11034, CVE-2022-27456, CVE-2020-7061, CVE-2022-27455, CVE-2021-2144, CVE-2021-2154, CVE-2022-21595, CVE-2019-11040, CVE-2021-2389, CVE-2023-27522, CVE-2020-2812, CVE-2021-46665, CVE-2022-32086, CVE-2022-32085, CVE-2021-21704, CVE-2020-7066, CVE-2022-31628, CVE-2021-46662, CVE-2016-5385, CVE-2022-37436, CVE-2013-6501, CVE-2021-21702, CVE-2019-9024, CVE-2019-9023, CVE-2022-27449, CVE-2021-46664, CVE-2019-11050, CVE-2021-21708, CVE-2022-31625, CVE-2022-32081, CVE-2022-27378, CVE-2006-20001, CVE-2018-19935, CVE-2022-4900, CVE-2018-12882, CVE-2019-9641, CVE-2022-27380, CVE-2022-27381, CVE-2021-21707, CVE-2022-27451, CVE-2020-2780, CVE-2019-11041, CVE-2021-2174)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | Festo Didactic SE | Festo Didactic SE MES PC | Buffer Over-read, Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Improper Input Validation, Improper Handling of Values, Uncontrolled Resource Consumption, Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’), Double Free, Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’), Use After Free, Exposure of Sensitive Information to an Unauthorized Actor, Out-of-bounds Read, Improper Null Termination, Incorrect Calculation of Buffer Size, Path Traversal: ‘../filedir’, Reachable Assertion, Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’), Use of Password Hash With Insufficient Computational Effort, Out-of-bounds Write, Incorrect Privilege Assignment, Improper Control of Generation of Code (‘Code Injection’), Improper Authentication, Stack-based Buffer Overflow, NULL Pointer Dereference, Missing Initialization of Resource, Null Byte Interaction Error (Poison Null Byte), Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Preservation of Permissions, Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’), Integer Overflow or Wraparound, Uncontrolled Recursion, URL Redirection to Untrusted Site (‘Open Redirect’), Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’), Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’), Free of Memory not on the Heap, Use of Uninitialized Resource, Improper Handling of Invalid Use of Special Elements, Improper Use of Validation Framework |
Background
- Critical Infrastructure Sectors: Commercial Facilities, Communications, Critical Manufacturing, Energy
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Germany
Vulnerabilities
CVE-2019-11036
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-126 Buffer Over-read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
CVE-2023-25727
In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
CVE-2021-2011
Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-32083
MariaDB v10.2 to v10.6.1 was discovered to contain a segmentation fault via the component Item_subselect::init_expr_cache_tracker.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-229 Improper Handling of Values
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-46668
MariaDB through 10.5.9 allows an application crash via certain long SELECT DISTINCT statements that improperly interact with storage-engine resource limitations for temporary data structures.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-400 Uncontrolled Resource Consumption
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2018-19518
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a “-oProxyCommand” argument.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-88 Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2021-2194
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-11049
In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-415 Double Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-31626
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-32084
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component sub_select.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-229 Improper Handling of Values
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-32088
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-229 Improper Handling of Values
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-27377
MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component Item_func_in::cleanup(), which is exploited via specially crafted SQL statements.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2020-2922
Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Client accessible data.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVE-2019-9638
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2019-11044
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-170 Improper Null Termination
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2020-7068
In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 3.6 | LOW | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L |
CVE-2020-7069
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
CVE-2015-2301
Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2023-0568
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-131 Incorrect Calculation of Buffer Size
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-27458
MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component Binary_string::free_buffer() at /sql/sql_string.h.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-21706
In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-24 Path Traversal: ‘../filedir’
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
CVE-2022-27452
MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.cc.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-617 Reachable Assertion
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2020-7071
In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVE-2022-27387
MariaDB Server v10.7 and below was discovered to contain a global buffer overflow in the component decimal_bin_size, which is exploited via specially crafted SQL statements.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-27376
MariaDB Server v10.6.5 and below was discovered to contain an use-after-free in the component Item_args::walk_arg, which is exploited via specially crafted SQL statements.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-11043
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2021-2032
Vulnerability in the MySQL Server product of Oracle MySQL (component: Information Schema). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
CVE-2021-2007
Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Client accessible data.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVE-2019-11045
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-170 Improper Null Termination
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2022-27445
MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/sql_window.cc.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-27457
MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component my_mb_wc_latin1 at /strings/ctype-latin1.c.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-27384
An issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-23808
An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CVE-2023-0567
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-916 Use of Password Hash With Insufficient Computational Effort
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.2 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
CVE-2019-9025
An issue was discovered in PHP 7.3.x before 7.3.1. An invalid multibyte string supplied as an argument to the mb_split() function in ext/mbstring/php_mbregex.c can cause PHP to execute memcpy() with a negative argument, which could read and write past buffers allocated for the data.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-27379
An issue in the component Arg_comparator::compare_real_fixed of MariaDB Server v10.6.2 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-9637
An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-266 Incorrect Privilege Assignment
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2021-27928
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-94 Improper Control of Generation of Code (‘Code Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
CVE-2021-21703
In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-2760
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H |
CVE-2021-2166
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
CVE-2015-2787
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-23807
An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-287 Improper Authentication
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
CVE-2020-2752
Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-46666
MariaDB before 10.6.2 allows an application crash because of mishandling of a pushdown from a HAVING clause to a WHERE clause.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-617 Reachable Assertion
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2020-2814
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.6.47 and prior, 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
CVE-2020-7065
In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-121 Stack-based Buffer Overflow
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-21705
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications – like contacting a wrong server or making a wrong access decision.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVE-2020-7062
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter null pointer dereference, which would likely lead to a crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-11039
Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
CVE-2019-11035
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
CVE-2022-27447
MariaDB Server v10.9 and below was discovered to contain a use-after-free via the component Binary_string::free_buffer() at /sql/sql_string.h.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-11046
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren’t ASCII numbers. This can read to disclosure of the content of some memory locations.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVE-2022-27446
MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.h.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-617 Reachable Assertion
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-27386
MariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component sql/sql_class.cc.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-9639
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-909 Missing Initialization of Resource
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2019-11042
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H |
CVE-2022-27385
An issue in the component Used_tables_and_const_cache::used_tables_and_const_cache_join of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2020-7059
When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
CVE-2020-7070
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVE-2022-32091
MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2015-2348
The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-626 Null Byte Interaction Error (Poison Null Byte)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2019-9020
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2021-35604
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.35 and prior and 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H |
CVE-2022-27444
MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_subselect.cc.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2018-14883
An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2014-9705
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2020-7064
In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L |
CVE-2022-27382
MariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component Item_field::used_tables/update_depend_map_for_order.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-617 Reachable Assertion
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2020-7063
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-281 Improper Preservation of Permissions
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVE-2021-2372
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-9021
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2018-14851
exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
CVE-2022-27448
There is an Assertion failure in MariaDB Server v10.9 and below via ‘node->pcur->rel_pos == BTR_PCUR_ON’ at /row/row0mysql.cc.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-617 Reachable Assertion
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-46663
MariaDB through 10.5.13 allows a ha_maria::extra application crash via certain SELECT statements.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-2180
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
CVE-2014-9709
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
CVE-2023-25690
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule “^/here/(.*)” “http://example.com:8080/elsewhere?$1”; [P] ProxyPassReverse /here/ http://example.com:8080/Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-444 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-32082
MariaDB v10.5 to v10.7 was discovered to contain an assertion failure at table->get_ref_count() == 0 in dict0dict.cc.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-617 Reachable Assertion
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-31629
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim’s browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
CVE-2019-9022
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parserr in ext/standard/dns.c for DNS_CAA and DNS_ANY queries.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2016-3078
Multiple integer overflows in php_zip.c in the zip extension in PHP before 7.0.6 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted call to (1) getFromIndex or (2) getFromName in the ZipArchive class.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-190 Integer Overflow or Wraparound
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2023-0662
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-400 Uncontrolled Resource Consumption
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-2022
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.6.50 and prior, 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-32089
MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault via the component st_select_lex_unit::exclude_level.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-229 Improper Handling of Values
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-11048
In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-400 Uncontrolled Resource Consumption
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
CVE-2021-46669
MariaDB through 10.5.9 allows attackers to trigger a convert_const_to_int use-after-free when the BIGINT data type is used.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-11047
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |
CVE-2022-27383
MariaDB Server v10.6 and below was discovered to contain an use-after-free in the component my_strcasecmp_8bit, which is exploited via specially crafted SQL statements.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-46667
MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an application crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-190 Integer Overflow or Wraparound
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-32087
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_args::walk_args.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-229 Improper Handling of Values
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-36760
Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-444 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9 | CRITICAL | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
CVE-2020-7060
When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
CVE-2018-17082
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a “Transfer-Encoding: chunked” request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CVE-2019-9640
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2021-46661
MariaDB through 10.5.9 allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE).
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-11034
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
CVE-2022-27456
MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component VDec::VDec at /sql/sql_type.cc.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2020-7061
In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
CVE-2022-27455
MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component my_wildcmp_8bit_impl at /strings/ctype-simple.c.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-2144
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
CVE-2021-2154
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.7.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-21595
Vulnerability in the MySQL Server product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-11040
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
CVE-2021-2389
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2023-27522
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-444 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
CVE-2020-2812
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-46665
MariaDB through 10.5.9 allows a sql_parse.cc application crash because of incorrect used_tables expectations.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-32086
MariaDB v10.4 to v10.8 was discovered to contain a segmentation fault via the component Item_field::fix_outer_field.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-229 Improper Handling of Values
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-32085
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-229 Improper Handling of Values
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-21704
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2020-7066
In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero () character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-170 Improper Null Termination
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
CVE-2022-31628
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress “quines” gzip files, resulting in an infinite loop.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-674 Uncontrolled Recursion
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-46662
MariaDB through 10.5.9 allows a set_var.cc application crash via certain uses of an UPDATE statement in conjunction with a nested subquery.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2016-5385
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application’s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv(‘HTTP_PROXY’) call or (2) a CGI configuration of PHP, aka an “httpoxy” issue.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-37436
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVE-2013-6501
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2021-21702
In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-9024
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2019-9023
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-27449
MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_func.cc:148.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-617 Reachable Assertion
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-46664
MariaDB through 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-11050
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |
CVE-2021-21708
In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-31625
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-590 Free of Memory not on the Heap
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-32081
MariaDB v10.4 to v10.7 was discovered to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-27378
An issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2006-20001
A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2018-19935
ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-4900
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2018-12882
exif_read_from_impl in ext/exif/exif.c in PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file) because it closes a stream that it is not responsible for closing. The vulnerable code is reachable through the PHP exif_read_data function.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-416 Use After Free
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2019-9641
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-908 Use of Uninitialized Resource
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-27380
An issue in the component my_decimal::operator= of MariaDB Server v10.6.3 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2022-27381
An issue in the component Field::set_default of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-21707
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-159 Improper Handling of Invalid Use of Special Elements
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVE-2022-27451
MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/field_conv.cc.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-1173 Improper Use of Validation Framework
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2020-2780
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-400 Uncontrolled Resource Consumption
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2019-11041
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H |
CVE-2021-2174
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Affected Products
Festo Didactic SE MES PC
Festo Didactic SE
Festo Didactic SE MES PC shipped with Windows 10
known_affected
Remediations
Vendor fix
Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs. Contact technical support at [email protected] to obtain the current version of Factory Control Panel which includes fixes for these vulnerabilities.
Relevant CWE: CWE-20 Improper Input Validation
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H |
Acknowledgments
- CERT@VDE helped coordinate and support this publication
General recommendation
Festo Didactic offers products with security functions that aid the safe operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks from cyber threats, a comprehensive security concept must be implemented and continuously updated. Festo products and services only constitute one part of such a concept. The customer is responsible for preventing unauthorized access to their plants, systems, machines and networks. Systems, machines and components should only be connected to a company’s network or the Internet if and as necessary, and only when the suitable security measures (e.g., firewalls and network segmentation, defense-in-depth) are in place. Failure to ensure adequate security measures when connecting the product to the network can result in vulnerabilities which allow unauthorized, remote access to the network – even beyond the product boundaries. This access could be abused to incur a loss of data or manipulate or sabotage systems. Typical forms of attack include but are not limited to: Denial-of-Service (rendering the system temporarily non-functional), remote execution of malicious code, privilege escalation (executing malicious code with higher system privileges than expected), ransomware (encryption of data and demanding payment for decryption). In the context of industrial systems and machines this can also lead to unsafe states, posing a danger to people and equipment. Furthermore, Festo guidelines on suitable security measures should be observed. Festo products and solutions are constantly being developed further in order to make them more secure. Festo strongly recommends that customers install product updates as soon as they become available and always use the latest versions of its products. Any use of product versions that are no longer supported or any failure to install the latest updates may render the customer vulnerable to cyber-attacks.
Disclaimer
Festo assumes no liability whatsoever for indirect, collateral, accidental or consequential losses that occur by the distribution and/or use of this document or any losses in connection with the distribution and/or use of this document. All information published in this document is provided free of charge and on good faith by Festo. Insofar as permissible by law, however, none of this information shall establish any warranty, guarantee, commitment, or liability on the part of Festo.nnNote: In no case does this information release the operator or responsible person from the obligation to check the effect on his system or installation before using the information and, in the event of negative consequences, not to use the information.nnIn addition, the actual general terms, and conditions for delivery, payment and software use of Festo, available under http://www.festo.com and the special provisions for the use of Festo Security Advisory available at https://www.festo.com/psirt shall apply.
Impact
The vulnerabilities covered by this advisory have a broad range of impacts ranging from denial-of-service to disclosure or manipulation/deletion of information. Given the intended usage of MES PCs for didactic purposes in controlled lab environments, separate from productive systems, it never comes into contact with sensitive information. Therefore the impact is reduced to limited availability of the system.
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Festo SE & Co. KG FSA-202402 from a direct conversion of the vendor’s Common Security Advisory Framework (CSAF) advisory. This is republished to CISA’s website as a means of increasing visibility and is provided “as-is” for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Festo SE & Co. KG directly for any questions regarding this advisory.
Revision History
- Initial Release Date: 2024-02-27
| Date | Revision | Summary |
|---|---|---|
| 2024-02-27 | 1 | Initial version |
| 2025-11-04 | 2 | Adjust to VDE template. Add missing CWE-IDs if available. Updated legal disclaimer to add references to special provisions. |
| 2025-12-08 | 3 | Add all missing CWE identifier and CVSS 3.x scores. |
| 2026-01-27 | 4 | Initial Republication of Festo SE & Co. KG FSA-202402 advisory |
Leave a Reply