βΌ CVE-2023-23078 βΌ
π Read
via "National Vulnerability Database".
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22501 βΌ
π Read
via "National Vulnerability Database".
An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances_._ With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases: * If the attacker is included on Jira issues or requests with these users, or * If the attacker is forwarded or otherwise gains access to emails containing a Γ’β¬ΕView RequestΓ’β¬οΏ½ link from these users. Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23469 βΌ
π Read
via "National Vulnerability Database".
IBM ICP4A - Automation Decision Services 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 244504.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23074 βΌ
π Read
via "National Vulnerability Database".
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23076 βΌ
π Read
via "National Vulnerability Database".
OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23077 βΌ
π Read
via "National Vulnerability Database".
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22284 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0619 βΌ
π Read
via "National Vulnerability Database".
The Kraken.io Image Optimizer plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.6.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset image optimizations.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46934 βΌ
π Read
via "National Vulnerability Database".
kkFileView v4.1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the url parameter at /controller/OnlinePreviewController.java.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23073 βΌ
π Read
via "National Vulnerability Database".
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23969 βΌ
π Read
via "National Vulnerability Database".
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22287 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23075 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation.π Read
via "National Vulnerability Database".
π΄ Greater Incident Complexity, Shift in How Threat Actors Use Stolen Data, Will Drive the Cyber Threat Landscape in 2023, Says Beazley Report π΄
π Read
via "Dark Reading".
Noting 13% year-over-year growth in fraudulent instruction as a cause of loss, report predicts organizations must get smarter about educating employees to spot fraudulent tactics.π Read
via "Dark Reading".
Dark Reading
Greater Incident Complexity, Shift in How Threat Actors Use Stolen Data, Will Drive the Cyber Threat Landscape in 2023, Says Beazleyβ¦
Noting 13% year-over-year growth in fraudulent instruction as a cause of loss, report predicts organizations must get smarter about educating employees to spot fraudulent tactics.
π΄ CISA to Open Supply Chain Risk Management Office π΄
π Read
via "Dark Reading".
A new supply chain risk management office aims to help public and private sectors implement recent CISA policies and guidance.π Read
via "Dark Reading".
Dark Reading
CISA to Open Supply Chain Risk Management Office
A new supply chain risk management office aims to help public and private sectors implement recent CISA policies and guidance.
βΌ CVE-2022-37033 βΌ
π Read
via "National Vulnerability Database".
In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Because there is no re-validation of the redirect URL, the TempFileAPI can be used to return data from those local/private hosts that should not be accessible remotely.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3913 βΌ
π Read
via "National Vulnerability Database".
Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177 fail to validate the certificate of the update server when downloading updates. This failure could allow an attacker in a privileged position on the network to provide their own HTTPS endpoint, or intercept communications to the legitimate endpoint. The attacker would need some pre-existing access to at least one node on the network path between the Rapid7-controlled update server and the Nexpose/InsightVM application, and the ability to either spoof the update server's FQDN or redirect legitimate traffic to the attacker's server in order to exploit this vulnerability. Note that even in this scenario, an attacker could not normally replace an update package with a malicious package, since the update process validates a separate, code-signing certificate, distinct from the HTTPS certificate used for communication. This issue was resolved on February 1, 2023 in update 6.6.178 of Nexpose and InsightVM.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23751 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23750 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47872 βΌ
π Read
via "National Vulnerability Database".
maccms10 2021.1000.2000 is vulnerable to Server-side request forgery (SSRF).π Read
via "National Vulnerability Database".
βΌ CVE-2022-3083 βΌ
π Read
via "National Vulnerability Database".
All versions of Landis+Gyr E850 (ZMQ200) are vulnerable to CWE-784: Reliance on Cookies Without Validation and Integrity. The device's web application navigation depends on the value of the session cookie. The web application could become inaccessible for the user if an attacker changes the cookie values.π Read
via "National Vulnerability Database".