Security bulletins

Vulnerability CVE-2024-1104 was found in Topkapi Webserv2 Web Server.
Brute force login attacks can cause a temporary denial of service of the web site.
A problem was found in the brute force prevention mecanism, this can make the web site unavailable for a short period of time for all users, including already logged-in users. Possible workaround is to throttle requests with a reverse-proxy.
Affects Topkapi Webserv2 up to version 6.2.4776, last affected version. Fixed in version 6.2.4777. Please update the Webserv2 component.

Vulnerability CVE-2023-50356 was foud in the LDAPS component, exclusively in mode NOVELL or SYNOLOGY. Connections to LDAPS in mode NOVELL and SYNOLOGY are vulnerable to a Man-in-the-middle attack, because of improper certificate validation.

Active Directory mode is NOT affected. Affects Areal Topkapi Vision Server versions up to 6.2.4718 included. First unaffected fixed release 6.2.4719. This vulnerability could result in disclosure of user names and passwords. Please update if using a Novell/Synology LDAP.

Component "Webserv1" is possibly affected of cross site scripting vulnerabilities through unchecked parameters in web site. This affect all version of "Webserv1" <= 6.1 ; Vulnerability was reported as CVE-2023-50357 (https://cert.vde.com/en/advisories/weakness/CVE-2023-50357/).

This vulnerability theorically offers the possibility to inject malicious data in the web site. A low privileged user, because of unsufficiently check parameters, could attack the system via other users's access rights.
This vulnerability could result in disclosure or modification of process information via privilege gain.

Product "Webserv1" is END-OF-LIFE. This component is replaced by "Webserv2" web server, which is not affected by the CVE, and is available with scada since version 6.0. Please upgrade to replacement product.