π΄ MITRE Rolls Out Supply Chain Security Prototype π΄
π Read
via "Dark Reading".
Cloud-based System of Trust application now available for test-driving quantitative risk assessment of suppliers of hardware, software, services.π Read
via "Dark Reading".
Dark Reading
MITRE Rolls Out Supply Chain Security Prototype
Cloud-based System of Trust application now available for test-driving quantitative risk assessment of suppliers of hardware, software, services.
π΄ Epidemic of Insecure Storage, Backup Devices Is a Windfall for Cybercriminals π΄
π Read
via "Dark Reading".
Enterprise storage devices have 14 security weaknesses on average, putting them at risk of compromise by cyberattackers and especially ransomware attacks.π Read
via "Dark Reading".
Dark Reading
Epidemic of Insecure Storage, Backup Devices Is a Windfall for Cybercriminals
Enterprise storage devices have 14 security weaknesses on average, putting them at risk of compromise by cyberattackers and especially ransomware attacks.
π΄ The Board of Directors Will See You Now π΄
π Read
via "Dark Reading".
Help the board understand where the business is vulnerable, where controls end, and where exposure begins.π Read
via "Dark Reading".
Dark Reading
The Board of Directors Will See You Now
Help the board understand where the business is vulnerable, where controls end, and where exposure begins.
β S3 Ep127: When you chop someone out of a photo, but there they are anywayβ¦ β
π Read
via "Naked Security".
Listen now - latest episode. Full transcript inside.π Read
via "Naked Security".
Naked Security
S3 Ep127: When you chop someone out of a photo, but there they are anywayβ¦
Listen now β latest episode. Full transcript inside.
βΌ CVE-2023-20055 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the management API of Cisco DNA Center could allow an authenticated, remote attacker to elevate privileges in the context of the web-based management interface on an affected device. This vulnerability is due to the unintended exposure of sensitive information. An attacker could exploit this vulnerability by inspecting the responses from the API. Under certain circumstances, a successful exploit could allow the attacker to access the API with the privileges of a higher-level user account. To successfully exploit this vulnerability, the attacker would need at least valid Observer credentials.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47145 βΌ
π Read
via "National Vulnerability Database".
Reflected Cross-Site Scripting (XSS) vulnerability in Blockonomics WordPress Bitcoin Payments Γ’β¬β Blockonomics plugin <= 3.5.7 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28610 βΌ
π Read
via "National Vulnerability Database".
The update process in OMICRON StationGuard and OMICRON StationScout before 2.21 can be exploited by providing a modified firmware update image. This allows a remote attacker to gain root access to the system.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20097 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in Cisco access points (AP) software could allow an authenticated, local attacker to inject arbitrary commands and execute them with root privileges. This vulnerability is due to improper input validation of commands that are issued from a wireless controller to an AP. An attacker with Administrator access to the CLI of the controller could exploit this vulnerability by issuing a command with crafted arguments. A successful exploit could allow the attacker to gain full root access on the AP.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20072 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the fragmentation handling code of tunnel protocol packets in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected system to reload, resulting in a denial of service (DoS) condition. This vulnerability is due to the improper handling of large fragmented tunnel protocol packets. One example of a tunnel protocol is Generic Routing Encapsulation (GRE). An attacker could exploit this vulnerability by sending crafted fragmented packets to an affected system. A successful exploit could allow the attacker to cause the affected system to reload, resulting in a DoS condition. Note: Only traffic directed to the affected system can be used to exploit this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20065 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the Cisco IOx application hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to root on an affected device. This vulnerability is due to insufficient restrictions on the hosted application. An attacker could exploit this vulnerability by logging in to and then escaping the Cisco IOx application container. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20113 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. These actions could include modifying the system configuration and deleting accounts.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28496 βΌ
π Read
via "National Vulnerability Database".
TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 discovered to contain a command injection vulnerability in the setPasswordCfg function via the adminuser and adminpassparameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20112 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in Cisco access point (AP) software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of certain parameters within 802.11 frames. An attacker could exploit this vulnerability by sending a wireless 802.11 association request frame with crafted parameters to an affected device. A successful exploit could allow the attacker to cause an unexpected reload of an affected device, resulting in a DoS condition.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20027 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the implementation of the IPv4 Virtual Fragmentation Reassembly (VFR) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper reassembly of large packets that occurs when VFR is enabled on either a tunnel interface or on a physical interface that is configured with a maximum transmission unit (MTU) greater than 4,615 bytes. An attacker could exploit this vulnerability by sending fragmented packets through a VFR-enabled interface on an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20100 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the access point (AP) joining process of the Control and Provisioning of Wireless Access Points (CAPWAP) protocol of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to a logic error that occurs when certain conditions are met during the AP joining process. An attacker could exploit this vulnerability by adding an AP that is under their control to the network. The attacker then must ensure that the AP successfully joins an affected wireless controller under certain conditions. Additionally, the attacker would need the ability to restart a valid AP that was previously connected to the controller. A successful exploit could allow the attacker to cause the affected device to restart unexpectedly, resulting in a DoS condition.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28497 βΌ
π Read
via "National Vulnerability Database".
TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the mtd_write_bootloader function via the filename parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20066 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to perform a directory traversal and access resources that are outside the filesystem mountpoint of the web UI. This vulnerability is due to an insufficient security configuration. An attacker could exploit this vulnerability by sending a crafted request to the web UI. A successful exploit could allow the attacker to gain read access to files that are outside the filesystem mountpoint of the web UI. Note: These files are located on a restricted filesystem that is maintained for the web UI. There is no ability to write to any files on this filesystem.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20035 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands with elevated privileges. This vulnerability is due to insufficient input validation by the system CLI. An attacker with privileges to run commands could exploit this vulnerability by first authenticating to an affected device using either local terminal access or a management shell interface and then submitting crafted input to the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges. An attacker with limited user privileges could use this vulnerability to gain complete control over the system. Note: For additional information about specific impacts, see the Details section of this advisory.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26008 βΌ
π Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ajay D'Souza Top 10 Γ’β¬β Popular posts plugin for WordPress plugin <= 3.2.4 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20107 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the deterministic random bit generator (DRBG), also known as pseudorandom number generator (PRNG), in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software for Cisco ASA 5506-X, ASA 5508-X, and ASA 5516-X Firewalls could allow an unauthenticated, remote attacker to cause a cryptographic collision, enabling the attacker to discover the private key of an affected device. This vulnerability is due to insufficient entropy in the DRBG for the affected hardware platforms when generating cryptographic keys. An attacker could exploit this vulnerability by generating a large number of cryptographic keys on an affected device and looking for collisions with target devices. A successful exploit could allow the attacker to impersonate an affected target device or to decrypt traffic secured by an affected key that is sent to or from an affected target device.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25456 βΌ
π Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Klaviyo, Inc. Klaviyo plugin <= 3.0.7 versions.π Read
via "National Vulnerability Database".