βΌ CVE-2023-27481 βΌ
π Read
via "National Vulnerability Database".
Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes. Accounts cannot be taken over unless the hashes can be reversed which is unlikely with current hardware. This problem has been patched by preventing any hashed/concealed field to be filtered against with the `_starts_with` or other string operator in version 9.16.0. Users are advised to upgrade. Users unable to upgrade may mitigate this issue by ensuring that no user has `read` access to the `password` field in `directus_users`.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27479 βΌ
π Read
via "National Vulnerability Database".
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of UIX parameters. A proof of concept exploit is to log in, add an `XWiki.UIExtensionClass` xobject to the user profile page, with an Extension Parameters content containing `label={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}`. Then, navigating to `PanelsCode.ApplicationsPanelConfigurationSheet` (i.e., `<xwiki-host>/xwiki/bin/view/PanelsCode/ApplicationsPanelConfigurationSheet` where `<xwiki-host>` is the URL of your XWiki installation) should not execute the Groovy script. If it does, you will see `Hello from groovy!` displayed on the screen. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. For users unable to upgrade the issue can be fixed by editing the `PanelsCode.ApplicationsPanelConfigurationSheet` wiki page and making the same modifications as shown in commit `6de5442f3c`.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27485 βΌ
π Read
via "National Vulnerability Database".
thmmniii/fbs-core is an open source feedback system for students. In versions prior to 1.5.3 when querying `subresults`, it is possible to query `subresults` from other users due to insufficient authorisation. This is only possible for logged-in users and it is not possible to associate the subresults with a specific user. This bug was fixed in commit `f1ae67d8bb2`and released with version 1.5.3. Users are advised to upgrade. There are no known workarounds for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27480 βΌ
π Read
via "National Vulnerability Database".
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch `e3527b98fd` manually.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1003 βΌ
π Read
via "National Vulnerability Database".
A vulnerability, which was classified as critical, was found in Typora up to 1.5.5. Affected is an unknown function of the component WSH JScript Handler. The manipulation leads to code injection. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.8 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221736.π Read
via "National Vulnerability Database".
π΄ Akamai Technologies Releases New Service and Tools to Stop Advanced Threats and Drive Zero Trust Adoption π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
Akamai Technologies Releases New Service and Tools to Stop Advanced Threats and Drive Zero Trust Adoption
CAMBRIDGE, Mass., March 7, 2023 /PRNewswire/ -- Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, today introduced the Akamai Hunt security service. The service enables customers to capitalize on the infrastructureβ¦
βΌ CVE-2023-20640 βΌ
π Read
via "National Vulnerability Database".
In ril, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07629573; Issue ID: ALPS07629573.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20644 βΌ
π Read
via "National Vulnerability Database".
In ril, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07628603; Issue ID: ALPS07628603.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2021-23185 βΌ
π Read
via "National Vulnerability Database".
This candidate was in a CNA pool that was not assigned to any issues during 2021.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20649 βΌ
π Read
via "National Vulnerability Database".
In ril, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07628607; Issue ID: ALPS07628607.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1217 βΌ
π Read
via "National Vulnerability Database".
Stack buffer overflow in Crash reporting in Google Chrome on Windows prior to 111.0.5563.64 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)π Read
via "National Vulnerability Database".
βΌ CVE-2023-20651 βΌ
π Read
via "National Vulnerability Database".
In apu, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07629576; Issue ID: ALPS07629576.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1214 βΌ
π Read
via "National Vulnerability Database".
Type confusion in V8 in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)π Read
via "National Vulnerability Database".
βΌ CVE-2023-20623 βΌ
π Read
via "National Vulnerability Database".
In ion, there is a possible escalation of privilege due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07559778; Issue ID: ALPS07559778.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26823 βΌ
π Read
via "National Vulnerability Database".
An arbitrary file upload vulnerability in the /admin/template.php component of shopEx EcShop v4.1.5 allows attackers to execute arbitrary code via a crafted PHP file.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20634 βΌ
π Read
via "National Vulnerability Database".
In widevine, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07635697; Issue ID: ALPS07635697.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1219 βΌ
π Read
via "National Vulnerability Database".
Heap buffer overflow in Metrics in Google Chrome prior to 111.0.5563.64 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)π Read
via "National Vulnerability Database".
βΌ CVE-2023-1229 βΌ
π Read
via "National Vulnerability Database".
Inappropriate implementation in Permission prompts in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)π Read
via "National Vulnerability Database".
βΌ CVE-2023-20646 βΌ
π Read
via "National Vulnerability Database".
In ril, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07628536; Issue ID: ALPS07628536.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20635 βΌ
π Read
via "National Vulnerability Database".
In keyinstall, there is a possible information disclosure due to an integer overflow. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07563028; Issue ID: ALPS07563028.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20633 βΌ
π Read
via "National Vulnerability Database".
In usb, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07628508; Issue ID: ALPS07628508.π Read
via "National Vulnerability Database".