βΌ CVE-2022-48364 βΌ
π Read
via "National Vulnerability Database".
The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0377 βΌ
π Read
via "National Vulnerability Database".
The Scriptless Social Sharing WordPress plugin before 3.2.2 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0063 βΌ
π Read
via "National Vulnerability Database".
The WordPress Shortcodes WordPress plugin through 1.6.36 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0076 βΌ
π Read
via "National Vulnerability Database".
The Download Attachments WordPress plugin through 1.2.24 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.π Read
via "National Vulnerability Database".
π AIDE 0.18.1 π
π Read
via "Packet Storm Security".
AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire(tm). It generates a database that can be used to check the integrity of files on server. It uses regular expressions for determining which files get added to the database. You can use several message digest algorithms to ensure that the files have not been tampered with.π Read
via "Packet Storm Security".
Packetstormsecurity
AIDE 0.18.1 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
β Feds warn about right Royal ransomware rampage that runs the gamut of TTPs β
π Read
via "Naked Security".
Wondering which cybercrime tools, techniques and procedures to focus on? How about any and all of them?π Read
via "Naked Security".
β DoppelPaymer ransomware supsects arrested in Germany and Ukraine β
π Read
via "Naked Security".
Devices seized, suspects interrogated and arrested, allegedly connected to devastating cyberattack on University Hospital in DΓΌsseldorf.π Read
via "Naked Security".
Naked Security
DoppelPaymer ransomware supsects arrested in Germany and Ukraine
Devices seized, suspects interrogated and arrested, allegedly connected to devastating cyberattack on University Hospital in DΓΌsseldorf.
βΌ CVE-2023-0979 βΌ
π Read
via "National Vulnerability Database".
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MedData Informatics MedDataPACS.This issue affects MedDataPACS : before 2023-03-03.π Read
via "National Vulnerability Database".
βΌ CVE-2015-10094 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in Fastly Plugin up to 0.97. It has been rated as problematic. Affected by this issue is the function post of the file lib/api.php. The manipulation of the argument url leads to cross site scripting. The attack may be launched remotely. Upgrading to version 0.98 is able to address this issue. The name of the patch is d7fe42538f4d4af500e3af9678b6b06fba731656. It is recommended to upgrade the affected component. VDB-222326 is the identifier assigned to this vulnerability.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-1200 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in ehuacui bbs. It has been declared as problematic. This vulnerability affects unknown code. The manipulation of the argument username leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The identifier of this vulnerability is VDB-222388.π Read
via "National Vulnerability Database".
βΌ CVE-2023-24789 βΌ
π Read
via "National Vulnerability Database".
jeecg-boot v3.4.4 was discovered to contain an authenticated SQL injection vulnerability via the building block report component.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1197 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository uvdesk/community-skeleton prior to 1.1.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4930 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as problematic was found in nuxsmin sysPass up to 3.2.4. Affected by this vulnerability is an unknown functionality of the component URL Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 3.2.5 is able to address this issue. The name of the patch is 4da4d031732ecca67519851fd0c34597dbb8ee55. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222319.π Read
via "National Vulnerability Database".
π΄ SANS Institute Partners With Google to Launch Cloud Diversity Academy π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
SANS Institute Partners With Google to Launch Cloud Diversity Academy
Bethesda, MD - SANS Institute, the global leader in cybersecurity training and certifications, is proud to announce the launch of the SANS Cloud Diversity Academy (SCDA), brought to you by SANS & Google. This academy provides unparalleled training and certificationsβ¦
π΄ NIST's Quantum-Proof Algorithm Has a Bug, Analysts Say π΄
π Read
via "Dark Reading".
A team has found that the Crystals-Kyber encryption algorithm is open to side-channel attacks, under certain implementations.π Read
via "Dark Reading".
Dark Reading
NIST's Quantum-Proof Algorithm Has a Bug, Analysts Say
A team has found that the Crystals-Kyber encryption algorithm is open to side-channel attacks, under certain implementations.
βΌ CVE-2023-25304 βΌ
π Read
via "National Vulnerability Database".
Prism Launcher <= 6.1 is vulnerable to Directory Traversal.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22481 βΌ
π Read
via "National Vulnerability Database".
FreshRSS is a self-hosted RSS feed aggregator. When using the greader API, the provided password is logged in clear in `users/_/log_api.txt` in the case where the authentication fails. The issues occurs in `authorizationToUser()` in `greader.php`. If there is an issue with the request or the credentials, `unauthorized()` or `badRequest()` is called. Both these functions are printing the return of `debugInfo()` in the logs. `debugInfo()` will return the content of the request. By default, this will be saved in `users/_/log_api.txt` and if the const `COPY_LOG_TO_SYSLOG` is true, in syslogs as well. Exploiting this issue requires having access to logs produced by FreshRSS. Using the information from the logs, a malicious individual could get users' API keys (would be displayed if the users fills in a bad username) or passwords.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25169 βΌ
π Read
via "National Vulnerability Database".
discourse-yearly-review is a discourse plugin which publishes an automated Year in Review topic. In affected versions a user present in a yearly review topic that is then anonymised will still have some data linked to its original account. This issue has been patched in commit `b3ab33bbf7` which is included in the latest version of the Discourse Yearly Review plugin. Users are advised to upgrade. Users unable to upgrade may disable the `yearly_review_enabled` setting to fully mitigate the issue. Also, it's possible to edit the anonymised user's old data in the yearly review topics manually.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27474 βΌ
π Read
via "National Vulnerability Database".
Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users urls to the servers domain but which may contain malicious code. The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or later, or remove the custom reset url from the configured allow list. Users are advised to upgrade. Users unable to upgrade may disable the custom reset URL allow list as a workaround.π Read
via "National Vulnerability Database".
βΌ CVE-2021-35377 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting vulnerability found in VICIdial v2.14-610c and v.2.10-415c allows attackers execute arbitrary code via the /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php parameters.π Read
via "National Vulnerability Database".
βΌ CVE-2023-24776 βΌ
π Read
via "National Vulnerability Database".
Funadmin v3.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component \controller\Addon.php.π Read
via "National Vulnerability Database".