βΌ CVE-2022-46637 βΌ
π Read
via "National Vulnerability Database".
Prolink router PRS1841 was discovered to contain hardcoded credentials for its Telnet and FTP services.π Read
via "National Vulnerability Database".
βΌ CVE-2017-20179 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in InSTEDD Pollit 2.3.1. It has been rated as critical. This issue affects the function TourController of the file app/controllers/tour_controller.rb. The manipulation leads to an unknown weakness. The attack may be initiated remotely. Upgrading to version 2.3.2 is able to address this issue. The name of the patch is 6ef04f8b5972d5f16f8b86f8b53f62fac68d5498. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-221507.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25810 βΌ
π Read
via "National Vulnerability Database".
Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma status page allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25158 βΌ
π Read
via "National Vulnerability Database".
GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or to 28.2 to resolve this issue. Users unable to upgrade may disable `encode functions` for PostGIS DataStores or enable `prepared statements` for JDBCDataStores as a partial mitigation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25812 βΌ
π Read
via "National Vulnerability Database".
Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0945 βΌ
π Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, was found in SourceCodester Best POS Management System 1.0. Affected is an unknown function of the file index.php?page=add-category. The manipulation of the argument Name with the input "><img src=x onerror=prompt(document.domain);> leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-221592.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25157 βΌ
π Read
via "National Vulnerability Database".
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25657 βΌ
π Read
via "National Vulnerability Database".
Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions earlier than 1.5.7 are impacted by a remote code execution vulnerability. Nautobot did not properly sandbox Jinja2 template rendering. In Nautobot 1.5.7 has enabled sandboxed environments for the Jinja2 template engine used internally for template rendering for the following objects: `extras.ComputedField`, `extras.CustomLink`, `extras.ExportTemplate`, `extras.Secret`, `extras.Webhook`. While no active exploits of this vulnerability are known this change has been made as a preventative measure to protect against any potential remote code execution attacks utilizing maliciously crafted template code. This change forces the Jinja2 template engine to use a `SandboxedEnvironment` on all new installations of Nautobot. This addresses any potential unsafe code execution everywhere the helper function `nautobot.utilities.utils.render_jinja2` is called. Additionally, the documentation that had previously suggesting the direct use of `jinja2.Template` has been revised to suggest `render_jinja2`. Users are advised to upgrade to Nautobot 1.5.7 or newer. For users that are unable to upgrade to the latest release of Nautobot, you may add the following setting to your `nautobot_config.py` to apply the sandbox environment enforcement: `TEMPLATES[1]["OPTIONS"]["environment"] = "jinja2.sandbox.SandboxedEnvironment"` After applying this change, you must restart all Nautobot services, including any Celery worker processes. **Note:** *Nautobot specifies two template engines by default, the first being Γ’β¬ΕdjangoΓ’β¬οΏ½ for the Django built-in template engine, and the second being Γ’β¬ΕjinjaΓ’β¬οΏ½ for the Jinja2 template engine. This recommended setting will update the second item in the list of template engines, which is the Jinja2 engine.* For users that are unable to immediately update their configuration such as if a Nautobot service restart is too disruptive to operations, access to provide custom Jinja2 template values may be mitigated using permissions to restrict Γ’β¬ΕchangeΓ’β¬οΏ½ (write) actions to the affected object types listed in the first section. **Note:** *This solution is intended to be stopgap until you can successfully update your `nautobot_config.py` or upgrade your Nautobot instance to apply the sandboxed environment enforcement.*π Read
via "National Vulnerability Database".
βΌ CVE-2023-24320 βΌ
π Read
via "National Vulnerability Database".
An access control issue in Axcora POS #0~gitf77ec09 allows unauthenticated attackers to execute arbitrary commands via unspecified vectors.π Read
via "National Vulnerability Database".
π΄ CREST Calls for Greater Equity, Inclusion and Diversity As Part of National Cyber Security Strategy π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
CREST Calls for Greater Equity, Inclusion and Diversity As Part of National Cyber Security Strategy
21 Feb 2023: CREST, the global not-for-profit community of cyber security businesses and professionals working to keep our information safe in a digital world, today launches its latest best practice guide, describing how to foster greater equity, inclusionβ¦
π΄ Scrut Automation Raises Funding of $7.5M, Led by MassMutual Ventures, Lightspeed, and Endiya Partners π΄
π Read
via "Dark Reading".
With the fresh capital, Scrut aims to focus on simplifying risk management and infosec compliance for cloud-native SaaS, Fintech, and Healthtech companiesπ Read
via "Dark Reading".
Dark Reading
Scrut Automation Raises Funding of $7.5M, Led by MassMutual Ventures, Lightspeed, and Endiya Partners
With the fresh capital, Scrut aims to focus on simplifying risk management and infosec compliance for cloud-native SaaS, Fintech, and Healthtech companies
βΌ CVE-2023-20855 βΌ
π Read
via "National Vulnerability Database".
VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23946 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2021-4325 βΌ
π Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, has been found in NHN TOAST UI Chart 4.1.4. This issue affects some unknown processing of the component Legend Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 4.2.0 is able to address this issue. The name of the patch is 1a3f455d17df379e11b501bb5ba1dd1bcc41d63e. It is recommended to upgrade the affected component. The identifier VDB-221501 was assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20858 βΌ
π Read
via "National Vulnerability Database".
VMware Carbon Black App Control 8.7.x prior to 8.7.8, 8.8.x prior to 8.8.6, and 8.9.x.prior to 8.9.4 contain an injection vulnerability. A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23940 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2023-24080 βΌ
π Read
via "National Vulnerability Database".
A lack of rate limiting on the password reset endpoint of Chamberlain myQ v5.222.0.32277 (on iOS) allows attackers to compromise user accounts via a bruteforce attack.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23947 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23939 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23944 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues. Notes: none.π Read
via "National Vulnerability Database".