Security Bulletins

Safety is a crucial concern for SCADA users, and we prioritize it at AREAL.

This page lists security bulletin publications related to our Topkapi Vision software suite. Our cybersecurity strategy allows you to stay informed about vulnerabilities, necessary updates, and possible workarounds.

The technical support team will provide you with a contact to securely report any vulnerabilities.

Vulnerability Information

Title | Releases | Description | Last update | Additional Information
CVE-2024-1104
Topkapi Webserv2 up to version 6.2.4776
Vulnerability CVE-2024-1104 was found in the Topkapi Webserv2 web server.
Brute-force login attacks can cause a temporary denial of service of the web site.
A flaw was found in the brute-force prevention mechanism: it can make the web site unavailable for a short period of time for all users, including already logged-in users. A possible workaround is to throttle requests with a reverse proxy.
Affects Topkapi Webserv2 up to version 6.2.4776, the last affected version. Fixed in version 6.2.4777. Please update the Webserv2 component.

n/a
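One way to apply the reverse-proxy throttling workaround from the CVE-2024-1104 bulletin above, as an added example that is not AREAL's own configuration: an nginx front end that rate-limits the login endpoint per client address before requests reach Webserv2. The upstream address, the login path and the certificate paths are assumptions.

```nginx
# Added example, not part of the bulletin: nginx reverse proxy in front of
# Topkapi Webserv2. Place these directives inside the http { } context.
# Assumptions: Webserv2 listens on 127.0.0.1:8080 and its login page is /login.

# Per-client buckets keyed on the source address (10 MB holds ~160k addresses).
limit_req_zone $binary_remote_addr zone=webserv_login:10m rate=5r/m;   # login attempts
limit_req_zone $binary_remote_addr zone=webserv_all:10m   rate=30r/s;  # everything else

upstream webserv2 {
    server 127.0.0.1:8080;   # assumed Webserv2 listener
}

server {
    listen 443 ssl;
    server_name scada.example.com;                    # placeholder host name
    ssl_certificate     /etc/ssl/certs/scada.pem;     # placeholder path
    ssl_certificate_key /etc/ssl/private/scada.key;   # placeholder path

    # Login endpoint: a client may exceed 5 requests/minute by at most 5 extra
    # requests; anything beyond that is answered with 429 by nginx and never
    # reaches Webserv2, so one client cannot trip its brute-force lockout for everyone.
    location = /login {                               # assumed login path
        limit_req zone=webserv_login burst=5 nodelay;
        limit_req_status 429;
        proxy_pass http://webserv2;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Remaining pages: looser limit so normal SCADA operators are not affected.
    location / {
        limit_req zone=webserv_all burst=60 nodelay;
        limit_req_status 429;
        proxy_pass http://webserv2;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The 429 responses are logged by nginx, so a sudden rise in them for /login is also a usable detection signal while the Webserv2 update to 6.2.4777 is being scheduled.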

CVE-2023-50356
versions up to 6.2.4718 included
Vulnerability CVE-2023-50356 was found in the LDAPS component, exclusively in NOVELL or SYNOLOGY mode. Connections to LDAPS in NOVELL and SYNOLOGY mode are vulnerable to a man-in-the-middle attack because of improper certificate validation.

Active Directory mode is NOT affected. Affects Areal Topkapi Vision Server versions up to 6.2.4718 included. The first unaffected, fixed release is 6.2.4719. This vulnerability could result in disclosure of user names and passwords. Please update if using a Novell/Synology LDAP.

n/a

CVE-2023-50357
All versions of "Webserv1" <= 6.1
Component "Webserv1" is possibly affected by cross-site scripting vulnerabilities through unchecked parameters in the web site. This affects all versions of "Webserv1" <= 6.1. The vulnerability was reported as CVE-2023-50357 (https://cert.vde.com/en/advisories/weakness/CVE-2023-50357/).

This vulnerability theoretically offers the possibility of injecting malicious data into the web site. Because of insufficiently checked parameters, a low-privileged user could attack the system via other users' access rights.
This vulnerability could result in disclosure or modification of process information via privilege gain.

Product "Webserv1" is END-OF-LIFE. This component is replaced by the "Webserv2" web server, which is not affected by the CVE and has been available with the SCADA since version 6.0. Please upgrade to the replacement product.

n/a