βΌ CVE-2023-23076 βΌ
π Read
via "National Vulnerability Database".
OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23077 βΌ
π Read
via "National Vulnerability Database".
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22284 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0619 βΌ
π Read
via "National Vulnerability Database".
The Kraken.io Image Optimizer plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.6.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset image optimizations.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46934 βΌ
π Read
via "National Vulnerability Database".
kkFileView v4.1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the url parameter at /controller/OnlinePreviewController.java.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23073 βΌ
π Read
via "National Vulnerability Database".
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23969 βΌ
π Read
via "National Vulnerability Database".
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22287 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23075 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation.π Read
via "National Vulnerability Database".
π΄ Greater Incident Complexity, Shift in How Threat Actors Use Stolen Data, Will Drive the Cyber Threat Landscape in 2023, Says Beazley Report π΄
π Read
via "Dark Reading".
Noting 13% year-over-year growth in fraudulent instruction as a cause of loss, report predicts organizations must get smarter about educating employees to spot fraudulent tactics.π Read
via "Dark Reading".
Dark Reading
Greater Incident Complexity, Shift in How Threat Actors Use Stolen Data, Will Drive the Cyber Threat Landscape in 2023, Says Beazleyβ¦
Noting 13% year-over-year growth in fraudulent instruction as a cause of loss, report predicts organizations must get smarter about educating employees to spot fraudulent tactics.
π΄ CISA to Open Supply Chain Risk Management Office π΄
π Read
via "Dark Reading".
A new supply chain risk management office aims to help public and private sectors implement recent CISA policies and guidance.π Read
via "Dark Reading".
Dark Reading
CISA to Open Supply Chain Risk Management Office
A new supply chain risk management office aims to help public and private sectors implement recent CISA policies and guidance.
βΌ CVE-2022-37033 βΌ
π Read
via "National Vulnerability Database".
In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Because there is no re-validation of the redirect URL, the TempFileAPI can be used to return data from those local/private hosts that should not be accessible remotely.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3913 βΌ
π Read
via "National Vulnerability Database".
Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177 fail to validate the certificate of the update server when downloading updates. This failure could allow an attacker in a privileged position on the network to provide their own HTTPS endpoint, or intercept communications to the legitimate endpoint. The attacker would need some pre-existing access to at least one node on the network path between the Rapid7-controlled update server and the Nexpose/InsightVM application, and the ability to either spoof the update server's FQDN or redirect legitimate traffic to the attacker's server in order to exploit this vulnerability. Note that even in this scenario, an attacker could not normally replace an update package with a malicious package, since the update process validates a separate, code-signing certificate, distinct from the HTTPS certificate used for communication. This issue was resolved on February 1, 2023 in update 6.6.178 of Nexpose and InsightVM.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23751 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23750 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47872 βΌ
π Read
via "National Vulnerability Database".
maccms10 2021.1000.2000 is vulnerable to Server-side request forgery (SSRF).π Read
via "National Vulnerability Database".
βΌ CVE-2022-3083 βΌ
π Read
via "National Vulnerability Database".
All versions of Landis+Gyr E850 (ZMQ200) are vulnerable to CWE-784: Reliance on Cookies Without Validation and Integrity. The device's web application navigation depends on the value of the session cookie. The web application could become inaccessible for the user if an attacker changes the cookie values.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30904 βΌ
π Read
via "National Vulnerability Database".
In Bestechnic Bluetooth Mesh SDK (BES2300) V1.0, a buffer overflow vulnerability can be triggered during provisioning, because there is no check for the SegN field of the Transaction Start PDU.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45782 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31363 βΌ
π Read
via "National Vulnerability Database".
Cypress : https://www.infineon.com/ Cypress Bluetooth Mesh SDK BSA0107_05.01.00-BX8-AMESH-08 is affected by: Buffer Overflow. The impact is: execute arbitrary code (remote). The component is: affected function is pb_transport_handle_frag_. ΓΒΆΓΒΆ In Cypress Bluetooth Mesh SDK, there is an out-of-bound write vulnerability that can be triggered during mesh provisioning. Because there is no check for mismatched SegN and TotalLength in Transaction Start PDU.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31364 βΌ
π Read
via "National Vulnerability Database".
Cypress : https://www.infineon.com/ Cypress Bluetooth Mesh SDK BSA0107_05.01.00-BX8-AMESH-08 is affected by: Buffer Overflow. The impact is: execute arbitrary code (remote). The component is: affected function is lower_transport_layer_on_seg. ΓΒΆΓΒΆ In Cypress Bluetooth Mesh SDK, there is an out-of-bound write vulnerability that can be triggered by sending a series of segmented packets with inconsistent SegN.π Read
via "National Vulnerability Database".