CVE-2023-22461
via "National Vulnerability Database".
The `sanitize-svg` package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list pattern to sanitize SVGs to prevent XSS. In doing so, literal `<script>` tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on `sanitize-svg` and expects resulting SVGs to be safe may be vulnerable to cross-site scripting. This vulnerability was addressed in v0.4.0. There are no known workarounds.
CVE-2023-0049
via "National Vulnerability Database".
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.
CVE-2023-22465
via "National Vulnerability Database".
Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface.
CVE-2022-45875
via "National Vulnerability Database".
Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.
CVE-2023-22463
via "National Vulnerability Database".
KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermore, they may use the administrator to take over the k8s cluster of the target enterprise. In `session.go`, the use of a hard-coded JwtSigKey allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code. The vulnerability has been fixed in 1.6.3. In the patch, the JWT key is specified in app.yml. If the user leaves it blank, a random key will be used. There are no workarounds aside from upgrading.
CVE-2023-22460
via "National Vulnerability Database".
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Encoding data which contains a Bytes kind Node will pass a Bytes token to the JSON encoder, which will panic as it doesn't expect to receive Bytes tokens. Such an encode should be treated as an error, as plain JSON should not be able to encode Bytes. This only impacts uses of the `json` codec. `dag-json` is not impacted. Use of `json` as a decoder is not impacted. This issue is fixed in v0.19.0. As a workaround, one may prefer the `dag-json` codec, which has the ability to encode bytes.
Inside a scammers' lair: Ukraine busts 40 in fake bank call-centre raid
via "Naked Security".
When someone calls you up to warn you that your bank account is under attack, it's true, because THAT VERY PERSON is the one attacking you!
Car companies massively exposed to web vulnerabilities
via "The Daily Swig".
Grand hack auto
Serious Security: Vital cybersecurity lessons from the holiday season
via "Naked Security".
Lessons for us all: improve cryptography, fight cybercrime, own your supply chain... and don't steal my data and then pretend you're sorry.
Serious Security: How to improve cryptography, resist supply chain attacks, and handle data breaches
Effective and Efficient Automation for Security Teams
via "Dark Reading".
Even very short tasks may be worth automating if you do them frequently. Here's how to decide what to tackle first.
What Are Some Ways to Make APIs More Secure?
via "Dark Reading".
Developers should go beyond the basics to make it harder to exploit the API.
CVE-2021-38928
via "National Vulnerability Database".
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains. IBM X-Force ID: 210323.
CVE-2023-0051
via "National Vulnerability Database".
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.
CVE-2022-25926
via "National Vulnerability Database".
Versions of the package window-control before 1.4.5 are vulnerable to Command Injection via the sendKeys function, due to improper input sanitization.
CVE-2022-46457
via "National Vulnerability Database".
NASM v2.16 was discovered to contain a segmentation violation in the component ieee_write_file at /output/outieee.c.
CVE-2022-22337
via "National Vulnerability Database".
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 could disclose sensitive information to an authenticated user. IBM X-Force ID: 219507.
CVE-2022-43920
via "National Vulnerability Database".
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 could allow an authenticated user to gain privileges in a different group due to an access control vulnerability in the Sftp server adapter. IBM X-Force ID: 241362.
CVE-2022-22352
via "National Vulnerability Database".
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 220398.
CVE-2022-46180
via "National Vulnerability Database".
Discourse Mermaid (discourse-mermaid-theme-component) allows users of Discourse, open-source forum software, to create graphs using the Mermaid syntax. Users of discourse-mermaid-theme-component version 1.0.0 who can create posts are able to inject arbitrary HTML on that post. The issue has been fixed on the `main` branch of the GitHub repository, with 1.1.0 named as a patched version. Admins can update the theme component through the admin UI. As a workaround, admins can temporarily disable discourse-mermaid-theme-component.
CVE-2022-46456
via "National Vulnerability Database".
NASM v2.16 was discovered to contain a global buffer overflow in the component dbgdbg_typevalue at /output/outdbg.c.
CVE-2022-22338
via "National Vulnerability Database".
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 219510.