CVE-2023-26473
via "National Vulnerability Database".
XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this vulnerability other than upgrading.
CVE-2023-26476
via "National Vulnerability Database".
XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, users can deduce the content of the password fields by repeated calls to `LiveTableResults` and `WikisLiveTableResultsMacros`. The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, or 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on `LiveTableResults` and `WikisLiveTableResultsMacros`.
CVE-2023-0084
via "National Vulnerability Database".
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, which is the submissions page.
CVE-2023-26052
via "National Vulnerability Database".
Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in the API as error messages. Some messages might contain sensitive information like infrastructure details in unauthenticated requests. This issue has been patched in versions 3.1.48, 3.7.59, 3.8.0, 3.9.27, 3.10.14 and 3.11.12.
CVE-2023-26056
via "National Vulnerability Database".
XWiki Platform is a generic wiki platform. Starting in version 3.0-milestone-1, it's possible to execute a script with the right of another user, provided the target user does not have programming right. The problem has been patched in XWiki 14.8-rc-1, 14.4.5, and 13.10.10. There are no known workarounds for this issue.
BlackLotus Bootkit Found Targeting Windows 11
via "Dark Reading".
Sold for around $5,000 in hacking forums, the BlackLotus UEFI bootkit is capable of targeting even updated systems, researchers find.
Biden's Cybersecurity Strategy Calls for Software Liability, Tighter Critical Infrastructure Security
via "Dark Reading".
The new White House plan outlines proposed minimum security requirements in critical infrastructure, and for shifting liability for software products to vendors.
CISA, MITRE Look to Take ATT&CK Framework Out of the Weeds
via "Dark Reading".
The Decider tool is designed to make the ATT&CK framework more accessible and usable for security analysts of every level, with an intuitive interface and simplified language.
CVE-2023-1101
via "National Vulnerability Database".
SonicOS SSLVPN improper restriction of excessive MFA attempts vulnerability allows an authenticated attacker to use excessive MFA codes.
CVE-2023-22381
via "National Vulnerability Database".
A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows-based runner. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.8.0 and was fixed in versions 3.4.15, 3.5.12, 3.6.8, 3.7.5. This vulnerability was reported via the GitHub Bug Bounty program.
CVE-2023-0656
via "National Vulnerability Database".
A stack-based buffer overflow vulnerability in SonicOS allows a remote unauthenticated attacker to cause a Denial of Service (DoS), which could cause an impacted firewall to crash.
CVE-2022-35645
via "National Vulnerability Database".
IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and IBM Maximo Application Suite 8.8 and 8.9 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 230958.
CVE-2022-46501
via "National Vulnerability Database".
Accruent LLC Maintenance Connection 2021 (all) & 2022.2 was discovered to contain a SQL injection vulnerability via the E-Mail to Work Order function.
Axis Security Acquisition Strengthens Aruba's SASE Solutions With Integrated Cloud Security and SD-WAN
via "Dark Reading".
HOUSTON, Texas, March 2, 2023 - Hewlett Packard Enterprise (NYSE: HPE) today announced that it entered into a definitive agreement to acquire Axis Security, a cloud security provider. This acquisition will allow HPE to expand its edge-to-cloud security capabilities…
CVE-2022-40633
via "National Vulnerability Database".
A malicious actor can clone access cards used to open control cabinets secured with Rittal CMC III locks.
Highlights from the New U.S. Cybersecurity Strategy
via "Krebs on Security".
The Biden administration today issued its vision for beefing up the nation's collective cybersecurity posture, including calls for legislation establishing liability for software products and services that are sold with little regard for security. The White House's new national cybersecurity strategy also envisions a more active role by cloud providers and the U.S. military in disrupting cybercriminal infrastructure, and names China as the single biggest cyber threat to U.S. interests.
IBM Contributes Supply Chain Security Tools to OWASP
via "Dark Reading".
License Scanner and SBOM Utility will boost the capabilities of OWASP's CycloneDX Software Bill of Materials standard.
CVE-2023-1160
via "National Vulnerability Database".
Use of Platform-Dependent Third Party Components in GitHub repository cockpit-hq/cockpit prior to 2.4.0.
CVE-2023-0457
via "National Vulnerability Database".
Plaintext Storage of a Password vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U(C) CPU modules (all models, all versions), FX5UJ CPU modules (all models, all versions), FX5S CPU modules (all models, all versions), FX5-ENET (all versions) and FX5-ENET/IP (all versions) allows a remote unauthenticated attacker to disclose plaintext credentials stored in project files and log in to the FTP server or web server.
CISA: Tech industry 'shouldn't tolerate' Patch Tuesday, unsecured software
via "ITPro".
CISA director Jen Easterly said the tech industry has allowed the widespread acceptance of "deviant behaviours" to make a mockery of cyber security.
Uncovering the ransomware threat from global supply chains
via "ITPro".
Everything is connected.