🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2023-24122 ‼

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the ssid_5g parameter at /goform/WifiBasicSet.

via "National Vulnerability Database".
‼ CVE-2023-24119 ‼

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the ssid parameter at /goform/WifiBasicSet.

via "National Vulnerability Database".
🕴 Ermetic Adds Kubernetes Security to CNAPP 🕴

The automated capabilities can discover misconfigurations, compliance violations, and risk or excessive privileges in Kubernetes clusters.

via "Dark Reading".
‼ CVE-2023-1146 ‼

Cross-site Scripting (XSS) - Generic in GitHub repository flatpressblog/flatpress prior to 1.3.

via "National Vulnerability Database".
‼ CVE-2023-0228 ‼

Improper Authentication vulnerability in ABB Symphony Plus S+ Operations allows Man in the Middle Attack. This issue affects Symphony Plus S+ Operations: from 2.X through 2.1 SP2, 2.2, from 3.X through 3.3 SP1, 3.3 SP2.

via "National Vulnerability Database".
‼ CVE-2023-1107 ‼

Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.

via "National Vulnerability Database".
‼ CVE-2023-0053 ‼

SAUTER Controls Nova 200–220 Series with firmware version 3.3-006 and prior and BACnetstac version 4.2.1 and prior have only FTP and Telnet available for device management. Any sensitive information communicated through these protocols, such as credentials, is sent in cleartext. An attacker could obtain sensitive information such as user credentials to gain access to the system.

via "National Vulnerability Database".
‼ CVE-2023-1148 ‼

Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.

via "National Vulnerability Database".
‼ CVE-2023-26046 ‼

teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. teler-waf prior to version 0.1.1 is vulnerable to bypassing of common web attack rules when a specific HTML entities payload is used. This vulnerability allows an attacker to execute arbitrary JavaScript code on the victim's browser and compromise the security of the web application. The vulnerability exists due to teler-waf's failure to properly sanitize and filter HTML entities in user input. An attacker can exploit this vulnerability to bypass common web attack threat rules in teler-waf and launch cross-site scripting (XSS) attacks. The attacker can execute arbitrary JavaScript code on the victim's browser and steal sensitive information, such as login credentials and session tokens, or take control of the victim's browser and perform malicious actions. This issue has been fixed in version 0.1.1.

via "National Vulnerability Database".
‼ CVE-2023-25155 ‼

Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. This problem affects all Redis versions. Patches were released in Redis version(s) 6.0.18, 6.2.11 and 7.0.9.

via "National Vulnerability Database".
‼ CVE-2023-26053 ‼

Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64 bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp` element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in Gradle 8.0 and above. The problem is also patched in Gradle 6.9.4 and 7.6.1. As a workaround, using only full fingerprint IDs for `trusted-key` or `pgp` elements in the metadata protects against this issue.

via "National Vulnerability Database".
‼ CVE-2023-1106 ‼

Cross-site Scripting (XSS) - Reflected in GitHub repository flatpressblog/flatpress prior to 1.3.

via "National Vulnerability Database".
‼ CVE-2023-1147 ‼

Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.

via "National Vulnerability Database".
‼ CVE-2023-1149 ‼

Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.8.0.

via "National Vulnerability Database".
‼ CVE-2023-25806 ‼

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0; there are no workarounds.

via "National Vulnerability Database".
‼ CVE-2023-22462 ‼

Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React's render cycle that will pass through the unsanitized HTML code, but in the next cycle the HTML is cleaned up and saved in Grafana's database. An attacker needs to have the Editor role in order to change a Text panel to include JavaScript. Another user needs to edit the same Text panel, and click on "Markdown" or "HTML" for the code to be executed. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. This issue has been patched in versions 9.2.10 and 9.3.4.

via "National Vulnerability Database".
‼ CVE-2023-0196 ‼

NVIDIA CUDA Toolkit SDK contains a bug in cuobjdump, where a local user running the tool against an ill-formed binary may cause a null-pointer dereference, which may result in a limited denial of service.

via "National Vulnerability Database".
‼ CVE-2021-3854 ‼

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Glox Technology Useroam Hotspot allows SQL Injection. This issue affects Useroam Hotspot: before 5.1.0.15.

via "National Vulnerability Database".
🕴 Everybody Wants Least Privilege, So Why Isn't Anyone Achieving It? 🕴

Overcoming the obstacles of this security principle can mitigate the damages of an attack.

via "Dark Reading".
⚠ S3 Ep124: When so-called security apps go rogue [Audio + Text] ⚠

Rogue software packages. Rogue "sysadmins". Rogue keyloggers. Rogue authenticators. Rogue ROGUES!

via "Naked Security".