βΌ CVE-2023-0827 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 1.5.17.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25141 βΌ
π Read
via "National Vulnerability Database".
Apache Sling JCR Base < 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or earlier) through utility functions in RepositoryAccessor. The functions getRepository and getRepositoryFromURL allow an application to access data stored in a remote location via JDNI and RMI. Users of Apache Sling JCR Base are recommended to upgrade to Apache Sling JCR Base 3.1.12 or later, or to run on a more recent JDK.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25149 βΌ
π Read
via "National Vulnerability Database".
TimescaleDB, an open-source time-series SQL database, has a privilege escalation vulnerability in versions 2.8.0 through 2.9.2. During installation, TimescaleDB creates a telemetry job that is runs as the installation user. The queries run as part of the telemetry data collection were not run with a locked down `search_path`, allowing malicious users to create functions that would be executed by the telemetry job, leading to privilege escalation. In order to be able to take advantage of this vulnerability, a user would need to be able to create objects in a database and then get a superuser to install TimescaleDB into their database. When TimescaleDB is installed as trusted extension, non-superusers can install the extension without help from a superuser. Version 2.9.3 fixes this issue. As a mitigation, the `search_path` of the user running the telemetry job can be locked down to not include schemas writable by other users. The vulnerability is not exploitable on instances in Timescale Cloud and Managed Service for TimescaleDB due to additional security provisions in place on those platforms.π Read
via "National Vulnerability Database".
π΄ ThreatConnect Closes 2022 with Accelerated Growth in Threat Intelligence Operations (TI Ops) π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
ThreatConnect Closes 2022 with Accelerated Growth in Threat Intelligence Operations (TI Ops)
ARLINGTON, Va., Feb. 14, 2023 /PRNewswire/ -- ThreatConnect, maker of leading threat intelligence operations (TI Ops) and risk quantification solutions, announced today the company's accelerated growth through 2022 and market leading position heading intoβ¦
π΄ Ping Identity and Deloitte Forge Alliance to Give Organizations Advanced Identity and Access Solutions π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
Ping Identity and Deloitte Forge Alliance to Give Organizations Advanced Identity and Access Solutions
DENVER, Feb. 14, 2023 /PRNewswire/ -- Ping Identity, the intelligent identity solution for the enterprise, has formed a new strategic alliance with Deloitte, a leader in global security consulting services, to help the organizations' shared clients improveβ¦
ποΈ Password manager security: Which is the right option for me? ποΈ
π Read
via "The Daily Swig".
The first guide of our two-part series helps consumers choose the best way to manage their login credentialsπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Password manager security: Which is the right option for me?
The first guide of our two-part series helps consumers choose the best way to manage their login credentials
π΄ Cyber-Physical Systems Vulnerability Disclosures Reach Peak, While Disclosures by Internal Teams Increase 80% Over 18 Months π΄
π Read
via "Dark Reading".
State of XIoT Security Report: 2H 2022 from Claroty's Team82 reveals positive impact by researchers on strengthening XIoT security and increased investment among XIoT vendors in securing their products.π Read
via "Dark Reading".
Dark Reading
Cyber-Physical Systems Vulnerability Disclosures Reach Peak, While Disclosures by Internal Teams Increase 80% Over 18 Months
State of XIoT Security Report: 2H 2022 from Claroty's Team82 reveals positive impact by researchers on strengthening XIoT security and increased investment among XIoT vendors in securing their products.
π΄ Vaultree Appoints Technology Industry Veteran Rinki Sethi to Its Board of Directors π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
Vaultree Appoints Technology Industry Veteran Rinki Sethi to Its Board of Directors
CORK, Ireland--(BUSINESS WIRE)-- Vaultree, the Data-In-Use Encryption leader, today announced the appointment of Rinki Sethi to the company's board of directors.
βΌ CVE-2023-24160 βΌ
π Read
via "National Vulnerability Database".
TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the admuser parameter in the setPasswordCfg function.π Read
via "National Vulnerability Database".
βΌ CVE-2023-24161 βΌ
π Read
via "National Vulnerability Database".
TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the webWlanIdx parameter in the setWebWlanIdx function.π Read
via "National Vulnerability Database".
βΌ CVE-2023-24159 βΌ
π Read
via "National Vulnerability Database".
TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the admpass parameter in the setPasswordCfg function.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4286 βΌ
π Read
via "National Vulnerability Database".
A reflected cross-site scripting (XSS) vulnerability exists in System Diagnostics Manager of B&R Automation Runtime versions >=3.00 and <=C4.93 that enables a remote attacker to execute arbitrary JavaScript in the context of the users browser session.π Read
via "National Vulnerability Database".
βΌ CVE-2021-46023 βΌ
π Read
via "National Vulnerability Database".
An Untrusted Pointer Dereference was discovered in function mrb_vm_exec in mruby before 3.1.0-rc. The vulnerability causes a segmentation fault and application crash.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25576 βΌ
π Read
via "National Vulnerability Database".
@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body parser accepting an unlimited number of file parts, the multipart body parser accepting an unlimited number of field parts, and the multipart body parser accepting an unlimited number of empty parts as field parts. This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). There are no known workarounds.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22564 βΌ
π Read
via "National Vulnerability Database".
Dell EMC Unity versions before 5.2.0.0.5.173 , use(es) broken cryptographic algorithm. A remote unauthenticated attacker could potentially exploit this vulnerability by performing MitM attacks and let attackers obtain sensitive information.π Read
via "National Vulnerability Database".
π΄ Why SecDataOps Is the Future of Your Security Program π΄
π Read
via "Dark Reading".
The goal: Ensure that data is always finely curated and accessible, and that security decisions get made with high-fidelity data.π Read
via "Dark Reading".
Dark Reading
Why SecDataOps Is the Future of Your Security Program
The goal: Ensure that data is always finely curated and accessible, and that security decisions get made with high-fidelity data.
π΄ Configuration Issues in SaltStack IT Tool Put Enterprises at Risk π΄
π Read
via "Dark Reading".
Researchers flag common misconfiguration errors and a template injection technique that could let an attacker take over the IT management network and connected systems.π Read
via "Dark Reading".
Dark Reading
Configuration Issues in SaltStack IT Tool Put Enterprises at Risk
Researchers flag common misconfiguration errors and a template injection technique that could let an attacker take over the IT management network and connected systems.
π΄ Hospitals Sued for Using Meta's Ad-Tracking Code, Violating HIPAA π΄
π Read
via "Dark Reading".
Lawsuits say hospitals using Meta Pixel code violated patient privacy β sharing conditions, medications, and more with Facebook.π Read
via "Dark Reading".
Dark Reading
Hospitals Sued for Using Meta's Ad-Tracking Code, Violating HIPAA
Lawsuits say hospitals using Meta Pixel code violated patient privacy β sharing conditions, medications, and more with Facebook.
βΌ CVE-2023-25564 βΌ
π Read
via "National Vulnerability Database".
GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, memory corruption can be triggered when decoding UTF16 strings. The variable `outlen` was not initialized and could cause writing a zero to an arbitrary place in memory if `ntlm_str_convert()` were to fail, which would leave `outlen` uninitialized. This can lead to a denial of service if the write hits unmapped memory or randomly corrupts a byte in the application memory space. This vulnerability can trigger an out-of-bounds write, leading to memory corruption. This vulnerability can be triggered via the main `gss_accept_sec_context` entry point. This issue is fixed in version 1.2.0.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22941 βΌ
π Read
via "National Vulnerability Database".
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted Γ’β¬ΛINGEST_EVALΓ’β¬β’ parameter in a [Field Transformation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms) crashes the Splunk daemon (splunkd).π Read
via "National Vulnerability Database".
βΌ CVE-2023-22935 βΌ
π Read
via "National Vulnerability Database".
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the Γ’β¬Λdisplay.page.search.patterns.sensitivityΓ’β¬β’ search parameter lets a search bypass [SPL safeguards for risky commands](https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards). The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled.π Read
via "National Vulnerability Database".