βΌ CVE-2022-42333 βΌ
π Read
via "National Vulnerability Database".
x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so called stub-domain. With this exposure it is an issue that - the number of the such controlled regions was unbounded (CVE-2022-42333), - installation and removal of such regions was not properly serialized (CVE-2022-42334).π Read
via "National Vulnerability Database".
βΌ CVE-2023-27874 βΌ
π Read
via "National Vulnerability Database".
IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. IBM X-Force ID: 249845.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25689 βΌ
π Read
via "National Vulnerability Database".
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1 , and 4.1.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 247618.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27873 βΌ
π Read
via "National Vulnerability Database".
IBM Aspera Faspex 4.4.2 could allow a remote authenticated attacker to obtain sensitive credential information using specially crafted XML input. IBM X-Force ID: 249654.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27842 βΌ
π Read
via "National Vulnerability Database".
Insecure Permissions vulnerability found in Extplorer File manager eXtplorer v.2.1.15 allows a remote attacker to execute arbitrary code via the index.php compenentπ Read
via "National Vulnerability Database".
βΌ CVE-2023-27983 βΌ
π Read
via "National Vulnerability Database".
A CWE-306: Missing Authentication for Critical Function vulnerability exists in the Data Server TCP interface that could allow deletion of reports from the IGSS project report directory, this would lead to loss of data when an attacker abuses this functionality. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior).π Read
via "National Vulnerability Database".
βΌ CVE-2023-25687 βΌ
π Read
via "National Vulnerability Database".
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow an authenticated user to obtain sensitive information from log files. IBM X-Force ID: 247602.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27871 βΌ
π Read
via "National Vulnerability Database".
IBM Aspera Faspex 4.4.2 could allow a remote attacker to obtain sensitive credential information for an external user, using a specially crafted SQL query. IBM X-Force ID: 249613.π Read
via "National Vulnerability Database".
π΄ Name That Toon: It's E-Live! π΄
π Read
via "Dark Reading".
Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.π Read
via "Dark Reading".
Dark Reading
Name That Toon: It's E-Live!
Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.
β Bitcoin ATM customers hacked by video upload that was actually an app β
π Read
via "Naked Security".
As the misquote goes, "Once is misfortune..." This is the second time, and you know what Lady Bracknell had to say about that...π Read
via "Naked Security".
Naked Security
Bitcoin ATM customers hacked by video upload that was actually an app
As the misquote goes, βOnce is misfortuneβ¦β This is the second time, and you know what Lady Bracknell had to say about thatβ¦
β Google Pixel phones had a serious data leakage bug β hereβs what to do! β
π Read
via "Naked Security".
What if the "safe" images you shared after carefully cropping them... had some or all of the "unsafe" pixels left behind anyway?π Read
via "Naked Security".
Naked Security
Google Pixel phones had a serious data leakage bug β hereβs what to do!
What if the βsafeβ images you shared after carefully cropping themβ¦ had some or all of the βunsafeβ pixels left behind anyway?
π OpenSSL Toolkit 3.1.0 π
π Read
via "Packet Storm Security".
OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide. The 3.1.x series is the current major version of OpenSSL.π Read
via "Packet Storm Security".
Packetstormsecurity
OpenSSL Toolkit 3.1.0 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
βΌ CVE-2023-1304 βΌ
π Read
via "National Vulnerability Database".
An authenticated attacker can leverage an exposed getattr() method via a Jinja template to smuggle OS commands and perform other actions that are normally expected to be private methods. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27570 βΌ
π Read
via "National Vulnerability Database".
The eo_tags package before 1.4.19 for PrestaShop allows SQL injection via a crafted _ga cookie.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45635 βΌ
π Read
via "National Vulnerability Database".
An issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS & Android v1.4.4 allows attacker to gain access to sensitive account information via insecure password policy.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25686 βΌ
π Read
via "National Vulnerability Database".
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 247601.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45637 βΌ
π Read
via "National Vulnerability Database".
An insecure password reset issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS & Android v1.4.4 service via insecure expiry mechanism.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25684 βΌ
π Read
via "National Vulnerability Database".
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 247597.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25923 βΌ
π Read
via "National Vulnerability Database".
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow an attacker to upload files that could be used in a denial of service attack due to incorrect authorization. IBM X-Force ID: 247629.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27569 βΌ
π Read
via "National Vulnerability Database".
The eo_tags package before 1.3.0 for PrestaShop allows SQL injection via an HTTP User-Agent or Referer header.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1305 βΌ
π Read
via "National Vulnerability Database".
An authenticated attacker can leverage an exposed Γ’β¬ΕboxΓ’β¬οΏ½ object to read and write arbitrary files from disk, provided those files can be parsed as yaml or JSON. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec.π Read
via "National Vulnerability Database".