‼ CVE-2023-23627 ‼
📖 Read
via "National Vulnerability Database".
Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2023-23620 ‼
📖 Read
via "National Vulnerability Database".
Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, the contents of latest/top routes for restricted tags can be accessed by unauthorized users. This issue is patched in version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches. There are no known workarounds.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-23616 ‼
📖 Read
via "National Vulnerability Database".
Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, when submitting a membership request, there is no character limit for the reason provided with the request. This could potentially allow a user to flood the database with a large amount of data. However it is unlikely this could be used as part of a DoS attack, as the paths reading back the reasons are only available to administrators. Starting in version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, a limit of 280 characters has been introduced for membership requests.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-23552 ‼
📖 Read
via "National Vulnerability Database".
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0047 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2023. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22737 ‼
📖 Read
via "National Vulnerability Database".
wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-23621 ‼
📖 Read
via "National Vulnerability Database".
Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches, a malicious user can cause a regular expression denial of service using a carefully crafted user agent. This issue is patched in version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches. There are no known workarounds.📖 Read
via "National Vulnerability Database".
📢 Bitwarden users raise alarm over 'highly convincing' Google malvertising risks 📢
📖 Read
via "ITPro".
The volume of fake ads impersonating popular software has increased significantly in recent months📖 Read
via "ITPro".
ITPro
Bitwarden users raise alarm over 'highly convincing' Google malvertising risks
The volume of fake ads impersonating popular software has increased significantly in recent months
📢 FBI's landmark Hive ransomware takedown 'a drop in the ocean' 📢
📖 Read
via "ITPro".
A huge win for law enforcement, but the 'hacking back' takedown of Hive's domain is just a small drop in the expansive ransomware ocean📖 Read
via "ITPro".
ITPro
FBI's landmark takedown of Hive ransomware 'unlikely' to land significant impact
A huge win for law enforcement, but the 'hacking back' takedown of Hive's domain is just a small drop in the expansive ransomware ocean
📢 Dutch hacker steals data from virtually entire population of Austria 📢
📖 Read
via "ITPro".
The data was stolen from a misconfigured cloud database found by the attacker through a search engine📖 Read
via "ITPro".
ITPro
Dutch hacker steals data from virtually entire population of Austria
The data was stolen from a misconfigured cloud database found by the attacker through a search engine
📢 CISA: Phishing campaign targeting US federal agencies went undetected for months 📢
📖 Read
via "ITPro".
Threat actors used legitimate remote access software to maliciously target federal employees📖 Read
via "ITPro".
ITPro
CISA: Phishing campaign targeting US federal agencies went undetected for months
Threat actors used legitimate remote access software to maliciously target federal employees
📢 NCSC warns UK under state-sponsored spear-phishing attacks from Russia and Iran 📢
📖 Read
via "ITPro".
The acceleration in spear-phishing campaigns last year coincided with the escalating conflict in Ukraine, according to the NCSC📖 Read
via "ITPro".
ITPro
NCSC warns UK under state-sponsored spear-phishing attacks from Russia and Iran
The acceleration in spear-phishing campaigns last year coincided with the escalating conflict in Ukraine, according to the NCSC
‼ CVE-2023-0562 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file index.php of the component Login. The manipulation of the argument username leads to sql injection. The attack may be launched remotely. The identifier of this vulnerability is VDB-219716.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0563 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability classified as problematic has been found in PHPGurukul Bank Locker Management System 1.0. This affects an unknown part of the file add-locker-form.php of the component Assign Locker. The manipulation of the argument ahname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-219717 was assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2021-4315 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 and classified as critical. This vulnerability affects unknown code of the file psiturk/experiment.py. The manipulation of the argument mode leads to improper neutralization of special elements used in a template engine. The exploit has been disclosed to the public and may be used. Upgrading to version 3.2.1 is able to address this issue. The name of the patch is 47787e15cecd66f2aa87687bf852ae0194a4335f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-219676.📖 Read
via "National Vulnerability Database".
👍1
🗓️ Tell us what you think: The Daily Swig reader survey 2023 🗓️
📖 Read
via "The Daily Swig".
Have your say to be in with the chance to win Burp Suite swag…📖 Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Tell us what you think: The Daily Swig reader survey 2023
Have your say to be in with the chance to win Burp Suite swag…
👍1
‼ CVE-2016-15022 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in mosbth cimage up to 0.7.18. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file check_system.php. The manipulation of the argument $_SERVER['SERVER_SOFTWARE'] leads to cross site scripting. The attack can be launched remotely. Upgrading to version 0.7.19 is able to address this issue. The name of the patch is 401478c8393989836beeddfeac5ce44570af162b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-219715.📖 Read
via "National Vulnerability Database".
‼ CVE-2009-10003 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in capnsquarepants wordcraft up to 0.6. It has been classified as problematic. Affected is an unknown function of the file tag.php. The manipulation of the argument tag leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 0.7 is able to address this issue. The name of the patch is be23028633e8105de92f387036871c03f34d3124. It is recommended to upgrade the affected component. VDB-219714 is the identifier assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0572 ‼
📖 Read
via "National Vulnerability Database".
Unchecked Error Condition in GitHub repository froxlor/froxlor prior to 2.0.10.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-46873 ‼
📖 Read
via "National Vulnerability Database".
WireGuard, such as WireGuard 0.5.3 on Windows, does not fully account for the possibility that an adversary might be able to set a victim's system time to a future value, e.g., because unauthenticated NTP is used. This can lead to an outcome in which one static private key becomes permanently useless.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-48303 ‼
📖 Read
via "National Vulnerability Database".
GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.📖 Read
via "National Vulnerability Database".