βΌ CVE-2023-1106 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Reflected in GitHub repository flatpressblog/flatpress prior to 1.3.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1147 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1149 βΌ
π Read
via "National Vulnerability Database".
Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.8.0.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25806 βΌ
π Read
via "National Vulnerability Database".
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22462 βΌ
π Read
via "National Vulnerability Database".
Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React's render cycle that will pass though the unsanitized HTML code, but in the next cycle the HTML is cleaned up and saved in Grafana's database. An attacker needs to have the Editor role in order to change a Text panel to include JavaScript. Another user needs to edit the same Text panel, and click on "Markdown" or "HTML" for the code to be executed. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. This issue has been patched in versions 9.2.10 and 9.3.4.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0196 βΌ
π Read
via "National Vulnerability Database".
NVIDIA CUDA Toolkit SDK contains a bug in cuobjdump, where a local user running the tool against an ill-formed binary may cause a null- pointer dereference, which may result in a limited denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2021-3854 βΌ
π Read
via "National Vulnerability Database".
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Glox Technology Useroam Hotspot allows SQL Injection. This issue affects Useroam Hotspot: before 5.1.0.15.π Read
via "National Vulnerability Database".
ποΈ Weβre going teetotal: Itβs goodbye to The Daily Swig ποΈ
π Read
via "The Daily Swig".
PortSwigger today announces that The Daily Swig is closing downπ Read
via "The Daily Swig".
portswigger.net
Web Application Security, Testing, & Scanning - PortSwigger
PortSwigger offers tools for web application security, testing, & scanning. Choose from a range of security tools, & identify the very latest vulnerabilities.
π΄ Everybody Wants Least Privilege, So Why Isn't Anyone Achieving It? π΄
π Read
via "Dark Reading".
Overcoming the obstacles of this security principle can mitigate the damages of an attack.π Read
via "Dark Reading".
Dark Reading
Everybody Wants Least Privilege, So Why Isn't Anyone Achieving It?
Overcoming the obstacles of this security principle can mitigate the damages of an attack.
β S3 Ep124: When so-called security apps go rogue [Audio + Text] β
π Read
via "Naked Security".
Rogue software packages. Rogue "sysadmins". Rogue keyloggers. Rogue authenticators. Rogue ROGUES!π Read
via "Naked Security".
Naked Security
S3 Ep124: When so-called security apps go rogue [Audio + Text]
Rogue software packages. Rogue βsysadminsβ. Rogue keyloggers. Rogue authenticators. Rogue ROGUES!
π1
βΌ CVE-2023-25358 βΌ
π Read
via "National Vulnerability Database".
A use-after-free vulnerability in WebCore::RenderLayer::addChild in WebKitGTK before 2.36.8 allows attackers to execute code remotely.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25360 βΌ
π Read
via "National Vulnerability Database".
A use-after-free vulnerability in WebCore::RenderLayer::renderer in WebKitGTK before 2.36.8 allows attackers to execute code remotely.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25363 βΌ
π Read
via "National Vulnerability Database".
A use-after-free vulnerability in WebCore::RenderLayer::updateDescendantDependentFlags in WebKitGTK before 2.36.8 allows attackers to execute code remotely.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25536 βΌ
π Read
via "National Vulnerability Database".
Dell PowerScale OneFS 9.4.0.x contains exposure of sensitive information to an unauthorized actor. A malicious authenticated local user could potentially exploit this vulnerability in certificate management, leading to a potential system takeover.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25362 βΌ
π Read
via "National Vulnerability Database".
A use-after-free vulnerability in WebCore::RenderLayer::repaintBlockSelectionGaps in WebKitGTK before 2.36.8 allows attackers to execute code remotely.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25361 βΌ
π Read
via "National Vulnerability Database".
A use-after-free vulnerability in WebCore::RenderLayer::setNextSibling in WebKitGTK before 2.36.8 allows attackers to execute code remotely.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26780 βΌ
π Read
via "National Vulnerability Database".
CleverStupidDog yf-exam v 1.8.0 is vulnerable to SQL Injection.π Read
via "National Vulnerability Database".
π΄ Sale of Stolen Credentials and Initial Access Dominate Dark Web Markets π΄
π Read
via "Dark Reading".
Access-as-a-service took off in underground markets with more than 775 million credentials for sale and thousands of ads for access-as-a-service.π Read
via "Dark Reading".
Dark Reading
Sale of Stolen Credentials and Initial Access Dominate Dark Web Markets
Access-as-a-service took off in underground markets with more than 775 million credentials for sale and thousands of ads for access-as-a-service.
π₯1
π΄ What GoDaddy's Years-Long Breach Means for Millions of Clients π΄
π Read
via "Dark Reading".
The same "sophisticated" threat actor has pummeled the domain host on an ongoing basis since 2020, making off with customer logins, source code, and more. Here's what to do.π Read
via "Dark Reading".
Dark Reading
What GoDaddy's Years-Long Breach Means for Millions of Clients
The same "sophisticated" threat actor has pummeled the domain host on an ongoing basis since 2020, making off with customer logins, source code, and more. Here's what to do.
βΌ CVE-2023-26051 βΌ
π Read
via "National Vulnerability Database".
Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like user email address in staff-authenticated requests.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26055 βΌ
π Read
via "National Vulnerability Database".
XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1.π Read
via "National Vulnerability Database".
π1