βΌ CVE-2023-25862 βΌ
π Read
via "National Vulnerability Database".
Illustrator version 26.5.2 (and earlier) and 27.2.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22258 βΌ
π Read
via "National Vulnerability Database".
Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. A low-privilege authenticated attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27754 βΌ
π Read
via "National Vulnerability Database".
vox2mesh 1.0 has stack-overflow in main.cpp, this is stack-overflow caused by incorrect use of memcpy() funciton. The flow allows an attacker to cause a denial of service (abort) via a crafted file.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22256 βΌ
π Read
via "National Vulnerability Database".
Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. A low-privilege authenticated attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1573 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in DataGear up to 1.11.1 and classified as problematic. This issue affects some unknown processing of the component Graph Dataset Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.12.0 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-223565 was assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26426 βΌ
π Read
via "National Vulnerability Database".
Illustrator version 26.5.2 (and earlier) and 27.2.0 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.π Read
via "National Vulnerability Database".
βΌ CVE-2023-21615 βΌ
π Read
via "National Vulnerability Database".
Experience Manager versions 6.5.15.0 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3938 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22265 βΌ
π Read
via "National Vulnerability Database".
Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. A low-privilege authenticated attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.π Read
via "National Vulnerability Database".
π΄ XM Cyber Announces Acquisition of Confluera, Adding Run-Time Protection on Cloud Workloads π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
XM Cyber Announces Acquisition of Confluera, Adding Run-Time Protection on Cloud Workloads
HERZLIYA, Israel and PALO ALTO, Calif., March 22, 2023 /PRNewswire/ -- XM Cyber, the leader in hybrid cloud security, announced today the acquisition of Confluera, a pioneer in next-generation cyber attack detection and response for the cloud. XM Cyber nowβ¦
π΄ Vectra Unifies AI-Driven Behavior-Based Detection and Signature-Based Detection π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
Vectra Unifies AI-Driven Behavior-Based Detection and Signature-Based Detection
SAN JOSE, Calif., March 22, 2023 /PRNewswire/ -- Vectra AI, the leader in AI-driven hybrid cloud threat detection and response, today announced the introduction of Vectra Match. Vectra Match brings intrusion detection signature context to Vectra Network Detectionβ¦
π΄ Lightspin Launches Remediation Hub to Identify and Fix Cloud Security Threats π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
Lightspin Launches Remediation Hub to Identify and Fix Cloud Security Threats
NEW YORK , March 22, 2023 /PRNewswire/ -- Lightspin, the leading cloud security solution for SaaS companies, today launched the Remediation Hub as part of its cloud-native application protection platform (CNAPP) solution. An evolution of Lightspin's rootβ¦
π΄ CISA Warns on Unpatched ICS Vulnerabilities Lurking in Critical Infrastructure π΄
π Read
via "Dark Reading".
The advisory comes the same week as a warning from the EU's ENISA about potential for ransomware attacks on OT systems in the transportation sector.π Read
via "Dark Reading".
Dark Reading
CISA Warns on Unpatched ICS Vulnerabilities Lurking in Critical Infrastructure
The advisory comes the same week as a warning from the EU's ENISA about potential for ransomware attacks on OT systems in the transportation sector.
βΌ CVE-2023-28659 βΌ
π Read
via "National Vulnerability Database".
The Waiting: One-click Countdowns WordPress Plugin, version <= 0.6.2, is affected by an authenticated SQL injection vulnerability in the pbc_down[meta][id] parameter of the pbc_save_downs action.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28434 βΌ
π Read
via "National Vulnerability Database".
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28660 βΌ
π Read
via "National Vulnerability Database".
The Events Made Easy WordPress Plugin, version <= 2.3.14 is affected by an authenticated SQL injection vulnerability in the 'search_name' parameter in the eme_recurrences_list action.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28665 βΌ
π Read
via "National Vulnerability Database".
The Woo Bulk Price Update WordPress plugin, in versions < 2.2.2, is affected by a reflected cross-site scripting vulnerability in the 'page' parameter to the techno_get_products action, which can only be triggered by an authenticated user.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28117 βΌ
π Read
via "National Vulnerability Database".
Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK configuration must have `sendDefaultPII` set to `True`; one must use a custom name for either `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` in one's Django settings; and one must not be configured in one's organization or project settings to use Sentry's data scrubbing features to account for the custom cookie names. As of version 1.14.0, the Django integration of the `sentry-sdk` will detect the custom cookie names based on one's Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the `before_send` callback method and for performance related events (transactions) one can use the `before_send_transaction` callback method. Those who want to handle filtering of these values on the server-side can also use Sentry's advanced data scrubbing feature to account for the custom cookie names. Look for the `$http.cookies`, `$http.headers`, `$request.cookies`, or `$request.headers` fields to target with a scrubbing rule.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28666 βΌ
π Read
via "National Vulnerability Database".
The InPost Gallery WordPress plugin, in versions < 2.2.2, is affected by a reflected cross-site scripting vulnerability in the 'imgurl' parameter to the add_inpost_gallery_slide_item action, which can only be triggered by an authenticated user.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27224 βΌ
π Read
via "National Vulnerability Database".
An issue found in NginxProxyManager v.2.9.19 allows an attacker to execute arbitrary code via a lua script to the configuration file.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45003 βΌ
π Read
via "National Vulnerability Database".
Gophish through 0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted payload involving autofocus.π Read
via "National Vulnerability Database".