CVE-2023-1157
Read via "National Vulnerability Database".
A vulnerability, which was classified as problematic, was found in finixbit elf-parser. Affected is the function elf_parser::Elf_parser::get_segments of the file elf_parser.cpp. The manipulation leads to denial of service. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. VDB-222222 is the identifier assigned to this vulnerability.
CVE-2023-26472
Read via "National Vulnerability Database".
XWiki Platform is a generic wiki platform. Starting in version 6.2-milestone-1, one can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with certain content. This can be done by creating a new page or even through the user profile for users not having edit right. The issue has been patched in XWiki 14.9, 14.4.6, and 13.10.10. An available workaround is to fix the bug in the page `IconThemesCode.IconThemeSheet` by applying a modification from commit 48caf7491595238af2b531026a614221d5d61f38.
CVE-2023-26475
Read via "National Vulnerability Database".
XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.
CVE-2023-26470
Read via "National Vulnerability Database".
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. 67108863). Most of the time this will fill the memory allocated to XWiki and make it unusable every time this document is manipulated. This issue has been patched in XWiki 14.0-rc-1.
CVE-2021-4328
Read via "National Vulnerability Database".
A vulnerability has been found in ???CMS and classified as critical. Affected by this vulnerability is the function goods_detail of the file ApiController.class.php. The manipulation of the argument goods_id leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The associated identifier of this vulnerability is VDB-222223.
CVE-2023-26473
Read via "National Vulnerability Database".
XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this vulnerability other than upgrading.
CVE-2023-26476
Read via "National Vulnerability Database".
XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, users can deduce the content of the password fields by repeated calls to `LiveTableResults` and `WikisLiveTableResultsMacros`. The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, or 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on `LiveTableResults` and `WikisLiveTableResultsMacros`.
CVE-2023-0084
Read via "National Vulnerability Database".
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, which is the submissions page.
CVE-2023-26052
Read via "National Vulnerability Database".
Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in the API as error messages. Some messages might contain sensitive information like infrastructure details in unauthenticated requests. This issue has been patched in versions 3.1.48, 3.7.59, 3.8.0, 3.9.27, 3.10.14 and 3.11.12.
CVE-2023-26056
Read via "National Vulnerability Database".
XWiki Platform is a generic wiki platform. Starting in version 3.0-milestone-1, it's possible to execute a script with the right of another user, provided the target user does not have programming right. The problem has been patched in XWiki 14.8-rc-1, 14.4.5, and 13.10.10. There are no known workarounds for this issue.
BlackLotus Bootkit Found Targeting Windows 11
Read via "Dark Reading".
Sold for around $5,000 in hacking forums, the BlackLotus UEFI bootkit is capable of targeting even updated systems, researchers find.
Biden's Cybersecurity Strategy Calls for Software Liability, Tighter Critical Infrastructure Security
Read via "Dark Reading".
The new White House plan outlines proposed minimum security requirements in critical infrastructure, and for shifting liability for software products to vendors.
CISA, MITRE Look to Take ATT&CK Framework Out of the Weeds
Read via "Dark Reading".
The Decider tool is designed to make the ATT&CK framework more accessible and usable for security analysts of every level, with an intuitive interface and simplified language.
CVE-2023-1101
Read via "National Vulnerability Database".
SonicOS SSLVPN improper restriction of excessive MFA attempts vulnerability allows an authenticated attacker to use excessive MFA codes.
CVE-2023-22381
Read via "National Vulnerability Database".
A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows-based runner. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.8.0 and was fixed in versions 3.4.15, 3.5.12, 3.6.8, 3.7.5. This vulnerability was reported via the GitHub Bug Bounty program.
CVE-2023-0656
Read via "National Vulnerability Database".
A stack-based buffer overflow vulnerability in SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash.
CVE-2022-35645
Read via "National Vulnerability Database".
IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and IBM Maximo Application Suite 8.8 and 8.9 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 230958.
CVE-2022-46501
Read via "National Vulnerability Database".
Accruent LLC Maintenance Connection 2021 (all) & 2022.2 was discovered to contain a SQL injection vulnerability via the E-Mail to Work Order function.
Axis Security Acquisition Strengthens Aruba's SASE Solutions With Integrated Cloud Security and SD-WAN
Read via "Dark Reading".
HOUSTON, Texas, March 2, 2023: Hewlett Packard Enterprise (NYSE: HPE) today announced that it entered into a definitive agreement to acquire Axis Security, a cloud security provider. This acquisition will allow HPE to expand its edge-to-cloud security capabilities…
CVE-2022-40633
Read via "National Vulnerability Database".
A malicious actor can clone access cards used to open control cabinets secured with Rittal CMC III locks.
Highlights from the New U.S. Cybersecurity Strategy
Read via "Krebs on Security".
The Biden administration today issued its vision for beefing up the nation's collective cybersecurity posture, including calls for legislation establishing liability for software products and services that are sold with little regard for security. The White House's new national cybersecurity strategy also envisions a more active role by cloud providers and the U.S. military in disrupting cybercriminal infrastructure, and names China as the single biggest cyber threat to U.S. interests.