CVE-2023-25196
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components. This issue affects Apache Fineract: from 1.4 through 1.8.2.
via "National Vulnerability Database".
CVE-2022-47529
Insecure Win32 memory objects in Endpoint Windows Agents in RSA NetWitness Platform before 12.2 allow local and admin Windows user accounts to modify the endpoint agent service configuration: to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification.
via "National Vulnerability Database".
Global Socket 1.4.40
Global Socket is a tool for moving data from here to there, securely, fast, and through NAT and firewalls. It uses the Global Socket Relay Network to connect TCP pipes, has end-to-end encryption (using OpenSSL's SRP / RFC-5054), AES-256 and key exchange using 4096-bit Prime, requires no PKI, has Perfect Forward Secrecy, and TOR support.
via "Packet Storm Security".
Hey, Siri: Hackers Can Control Smart Devices Using Inaudible Sounds
A technique, dubbed the "Near-Ultrasound Inaudible Trojan" (NUIT), allows an attacker to exploit smartphones and smart speakers over the Internet, using sounds undetectable by humans.
via "Dark Reading".
CVE-2023-0465
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
via "National Vulnerability Database".
CVE-2023-27008
A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.
via "National Vulnerability Database".
CVE-2022-3685
A vulnerability exists in the SDM600 software. The software operates at a privilege level that is higher than the minimum level required. An attacker who successfully exploits this vulnerability can escalate privileges. This issue affects: All SDM600 versions prior to version 1.3.0.
List of CPEs:
* cpe:2.3:a:hitachienergy:sdm600:1.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.1:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.9002.257:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.10002.257:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.11002.149:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.12002.222:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.13002.72:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.14002.44:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.14002.92:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.14002.108:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.14002.182:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.14002.257:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.14002.342:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.14002.447:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.14002.481:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.14002.506:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.14002.566:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.20000.3174:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.21000.291:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.21000.931:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.21000.105:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.2.23000.291:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:sdm600:1.3.0.1339:*:*:*:*:*:*:*
via "National Vulnerability Database".
CVE-2023-0466
The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.
via "National Vulnerability Database".
CVE-2023-27701
MuYuCMS v2.2 was discovered to contain an arbitrary file deletion vulnerability via the component /database/sqldel.html.
via "National Vulnerability Database".
CVE-2023-25260
Stimulsoft Designer (Web) 2023.1.3 is vulnerable to Local File Inclusion.
via "National Vulnerability Database".
CVE-2023-26923
Musescore 3.0 to 4.0.1 has a stack buffer overflow vulnerability that occurs when reading misconfigured midi files. If attacker can additional information, attacker can execute arbitrary code.
via "National Vulnerability Database".
Cops use fake DDoS services to take aim at wannabe cybercriminals
Thinking of trying a bit of DDoSsing to get a feel for life at the fringes of the Dark Side? Don't do it!
via "Naked Security".
Apple patches everything, including a zero-day fix for iOS 15 users
Got an older iPhone that can't run iOS 16? You've got a zero-day to deal with! That super-cool Studio Display monitor needs patching, too.
via "Naked Security".
North Korea's Kimsuky Evolves into Full-Fledged, Prolific APT
In cyberattacks against the US, South Korea, and Japan, the group (aka APT43 or Thallium) is using advanced social engineering and cryptomining tactics that set it apart from other threat actors.
via "Dark Reading".
UK Sets Up Fake Booter Sites To Muddy DDoS Market
The United Kingdom's National Crime Agency (NCA) has been busy setting up phony DDoS-for-hire websites that seek to collect information on users, remind them that launching DDoS attacks is illegal, and generally increase the level of paranoia for people looking to hire such services.
via "Krebs on Security".
CVE-2023-0775
An invalid ‘prepare write request’ command can cause the Bluetooth LE stack to run out of memory and fail to be able to handle subsequent connection requests, resulting in a denial-of-service.
via "National Vulnerability Database".
CVE-2023-27821
Databasir v1.0.7 was discovered to contain a remote code execution (RCE) vulnerability via the mockDataScript parameter.
via "National Vulnerability Database".
Bitwarden Announces Secrets Management With a Combination of Open Source, End-to-End Encryption, and Ease of Use
SANTA BARBARA, Calif.-- (March 28, 2023) -- Bitwarden, the leading open source password manager trusted by millions, today launched the open beta of Bitwarden Secrets Manager, designed to centrally secure and manage highly sensitive authentication credentials…
via "Dark Reading".
Millions of Pen Tests Show Companies' Security Postures Are Getting Worse
A lack of website protections, Sender Policy Framework (SPF) records, and DNSSEC configurations leave companies open to phishing and data exfiltration attacks.
via "Dark Reading".
CVE-2023-27247
An issue in Cynet Client Agent v4.6.0.8010 allows attackers with Administrator rights to disable the EDR functions via disabling process privilege tokens.
via "National Vulnerability Database".
CVE-2023-27246
An arbitrary file upload vulnerability in the Virtual Disk of MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted .htaccess file.
via "National Vulnerability Database".