🛑 Cybersecurity & Privacy 🛑 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2023-24613 ‼

The user interface of Array Networks AG Series and vxAG through 9.4.0.470 could allow a remote attacker to use the gdb tool to overwrite the backend function call stack after accessing the system with administrator privileges. A successful exploit could leverage this vulnerability in the backend binary file that handles the user interface to cause a denial of service attack. This is fixed in AG 9.4.0.481.

via "National Vulnerability Database".
‼ CVE-2022-48023 ‼

Insufficient privilege verification in Zammad v5.3.0 allows an authenticated attacker to perform changes on the tags of their customer tickets using the Zammad API. This is now corrected in v5.3.1 so that only agents with write permissions may change ticket tags.

via "National Vulnerability Database".
‼ CVE-2022-47130 ‼

A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows a discount coupon to be arbitrarily created if an attacker with administrative privileges interacts on the CSRF page.

via "National Vulnerability Database".
‼ CVE-2023-25135 ‼

vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.

via "National Vulnerability Database".
‼ CVE-2022-47131 ‼

A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows an attacker to arbitrarily create a page.

via "National Vulnerability Database".
‼ CVE-2023-23636 ‼

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

via "National Vulnerability Database".
‼ CVE-2023-25139 ‼

sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of a number, if the buffer is allocated the exact size required to represent that number as a string. For example, 1,234,567 (with padding to 13) overflows by two bytes.

via "National Vulnerability Database".
‼ CVE-2022-48074 ‼

An issue in NoMachine before v8.2.3 allows attackers to execute arbitrary commands via a crafted .nxs file.

via "National Vulnerability Database".
‼ CVE-2023-25136 ‼

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration; however, the vulnerability discoverer reports that "exploiting this vulnerability will not be easy."

via "National Vulnerability Database".
🕴 MITRE Releases Tool to Design Cyber Resilient Systems 🕴

Engineers can use the Cyber Resiliency Engineering Framework Navigator to visualize their cyber resiliency capabilities.

via "Dark Reading".
🕴 How the Cloud Is Shifting CISO Priorities 🕴

The greatly expanding attack surface created by the cloud needs to be protected.

via "Dark Reading".
🗓️ Serious security hole plugged in infosec tool binwalk 🗓️

Path traversals could ‘void reverse engineering efforts and tamper with evidence collected’

via "The Daily Swig".
‼ CVE-2023-24142 ‼

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingSize parameter in the setNetworkDiag function.

via "National Vulnerability Database".
‼ CVE-2023-24139 ‼

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagHost parameter in the setNetworkDiag function.

via "National Vulnerability Database".
‼ CVE-2023-24138 ‼

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the host_time parameter in the NTPSyncWithHost function.

via "National Vulnerability Database".
‼ CVE-2023-24153 ‼

A command injection vulnerability in the version parameter in the function recvSlaveCloudCheckStatus of TOTOLINK T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.

via "National Vulnerability Database".
‼ CVE-2023-24141 ‼

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingTimeOut parameter in the setNetworkDiag function.

via "National Vulnerability Database".
‼ CVE-2023-24152 ‼

A command injection vulnerability in the serverIp parameter in the function meshSlaveUpdate of TOTOLINK T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.

via "National Vulnerability Database".
‼ CVE-2023-24149 ‼

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a hard-coded password for root which is stored in the component /etc/shadow.

via "National Vulnerability Database".
‼ CVE-2023-24151 ‼

A command injection vulnerability in the ip parameter in the function recvSlaveCloudCheckStatus of TOTOLINK T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.

via "National Vulnerability Database".
‼ CVE-2023-24150 ‼

A command injection vulnerability in the serverIp parameter in the function meshSlaveDlfw of TOTOLINK T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.

via "National Vulnerability Database".