‼ CVE-2023-27707 ‼
📖 Read
via "National Vulnerability Database".
SQL injection vulnerability found in DedeCMS v.5.7.106 allows a remote attacker to execute arbitrary code via the rank_* parameter in the /dede/group_store.php endpoint.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-26767 ‼
📖 Read
via "National Vulnerability Database".
Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a remote attacker to cause a denial of service via the lou_logFile function at logginc.c endpoint.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-28155 ‼
📖 Read
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-26769 ‼
📖 Read
via "National Vulnerability Database".
Buffer Overflow vulnerability found in Liblouis Lou_Trace v.3.24.0 allows a remote attacker to cause a denial of service via the resolveSubtable function at compileTranslationTabel.c.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-26768 ‼
📖 Read
via "National Vulnerability Database".
Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a remote attacker to cause a denial of service via the compileTranslationTable.c and lou_setDataPath functions.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-27789 ‼
📖 Read
via "National Vulnerability Database".
An issue found in TCPprep v.4.4.3 allows a remote attacker to cause a denial of service via the cidr2cidr function at the cidr.c:178 endpoint.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-31637 ‼
📖 Read
via "National Vulnerability Database".
An issue found in UwAmp v.1.1, 1.2, 1.3, 2.0, 2.1, 2.2, 2.2.1, 3.0.0, 3.0.1, 3.0.2 allows a remote attacker to execute arbitrary code via a crafted DLL.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-27131 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Scripting vulnerability found in Typecho v.1.2.0 allows a remote attacker to execute arbitrary code viathe Post Editorparameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-27788 ‼
📖 Read
via "National Vulnerability Database".
An issue found in TCPrewrite v.4.4.3 allows a remote attacker to cause a denial of service via the ports2PORT function at the portmap.c:69 endpoint.📖 Read
via "National Vulnerability Database".
🕴 Change Is Coming to the Network Detection and Response (NDR) Market 🕴
📖 Read
via "Dark Reading".
After years of relative stability and steady growth, Omdia research indicates the NDR segment is poised for rapid change.📖 Read
via "Dark Reading".
Dark Reading
Change Is Coming to the Network Detection and Response (NDR) Market
After years of relative stability and steady growth, Omdia research indicates the NDR segment is poised for rapid change.
âš Microsoft fixes two 0-days on Patch Tuesday – update now! âš
📖 Read
via "Naked Security".
An email you haven't even looked at yet could be used to trick Outlook into helping crooks to logon as you.📖 Read
via "Naked Security".
Sophos News
Naked Security – Sophos News
‼ CVE-2023-27041 ‼
📖 Read
via "National Vulnerability Database".
School Registration and Fee System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at/bilal final/edit_user.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-28106 ‼
📖 Read
via "National Vulnerability Database".
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, an attacker can use cross-site scripting to send a malicious script to an unsuspecting user. Users may upgrade to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-28108 ‼
📖 Read
via "National Vulnerability Database".
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in UUID DAO model. There is the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the DAO class. Users should update to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-28105 ‼
📖 Read
via "National Vulnerability Database".
go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-28109 ‼
📖 Read
via "National Vulnerability Database".
Play With Docker is a browser-based Docker playground. Versions 0.0.2 and prior are vulnerable to domain hijacking. Because CORS configuration was not correct, an attacker could use `play-with-docker.com` as an example and set the origin header in an http request as `evil-play-with-docker.com`. The domain would echo in response header, which successfully bypassed the CORS policy and retrieved basic user information. This issue has been fixed in commit ed82247c9ab7990ad76ec2bf1498c2b2830b6f1a. There are no known workarounds.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-28100 ‼
📖 Read
via "National Vulnerability Database".
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-28101 ‼
📖 Read
via "National Vulnerability Database".
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-27040 ‼
📖 Read
via "National Vulnerability Database".
Simple Image Gallery v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the username parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-28104 ‼
📖 Read
via "National Vulnerability Database".
`silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affects websites with particularly large/complex graphql schemas. Users should upgrade to `silverstripe/graphql` 4.2.3 or 4.1.2 to remedy the vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-28110 ‼
📖 Read
via "National Vulnerability Database".
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.28.8, using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage. The vulnerability has been fixed in v2.28.8.📖 Read
via "National Vulnerability Database".