βΌ CVE-2023-25885 βΌ
π Read
via "National Vulnerability Database".
Adobe Dimension versions 3.4.7 (and earlier) is affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28626 βΌ
π Read
via "National Vulnerability Database".
comrak is a CommonMark + GFM compatible Markdown parser and renderer written in rust. A range of quadratic parsing issues are present in Comrak. These can be used to craft denial-of-service attacks on services that use Comrak to parse Markdown. This issue has been addressed in version 0.17.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-047`π Read
via "National Vulnerability Database".
βΌ CVE-2023-25906 βΌ
π Read
via "National Vulnerability Database".
Adobe Dimension versions 3.4.7 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20903 βΌ
π Read
via "National Vulnerability Database".
This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.Assuming that an external identity provider is linked to the UAA, a refresh token is issued to a client on behalf of a user from that identity provider, the administrator of the UAA deactivates the identity provider from the UAA. It is expected that the UAA would reject a refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to issue access tokens to request presenting such refresh tokens, as if the identity provider was still active. As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).π Read
via "National Vulnerability Database".
βΌ CVE-2023-28631 βΌ
π Read
via "National Vulnerability Database".
comrak is a CommonMark + GFM compatible Markdown parser and renderer written in rust. A Comrak AST can be constructed manually by a program instead of parsing a Markdown document with `parse_document`. This AST can then be converted to HTML via `html::format_document_with_plugins`. However, the HTML formatting code assumes that the AST is well-formed. For example, many AST notes contain `[u8]` fields which the formatting code assumes is valid UTF-8 data. Several bugs can be triggered if this is not the case. Version 0.17.0 contains adjustments to the AST, storing strings instead of unvalidated byte arrays. Users are advised to upgrade. Users unable to upgrade may manually validate UTF-8 correctness of all data when assigning to `&[u8]` and `Vec<u8>` fields in the AST. This issue is also tracked as `GHSL-2023-049`.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27394 βΌ
π Read
via "National Vulnerability Database".
Osprey Pump Controller version 1.01 is vulnerable an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through a HTTP GET parameter called by DataLogView.php, EventsView.php and AlarmsView.php scripts.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28103 βΌ
π Read
via "National Vulnerability Database".
matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the `Object.prototype`, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic. This is fixed in matrix-react-sdk 3.69.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. Note this advisory is distinct from GHSA-2x9c-qwgf-94xr which refers to a similar issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26344 βΌ
π Read
via "National Vulnerability Database".
Adobe Dimension versions 3.4.7 (and earlier) is affected by an Access of Uninitialized Pointer vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28447 βΌ
π Read
via "National Vulnerability Database".
Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25891 βΌ
π Read
via "National Vulnerability Database".
Adobe Dimension versions 3.4.7 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28427 βΌ
π Read
via "National Vulnerability Database".
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28637 βΌ
π Read
via "National Vulnerability Database".
DataEase is an open source data visualization analysis tool. In Dataease users are normally allowed to modify data and the data sources are expected to properly sanitize data. The AWS redshift data source does not provide data sanitization which may lead to remote code execution. This vulnerability has been fixed in v1.18.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28654 βΌ
π Read
via "National Vulnerability Database".
Osprey Pump Controller version 1.01 has a hidden administrative account that has the hardcoded password that allows full access to the web management interface configuration. The user is not visible in Usernames and Passwords menu list of the application and the password cannot be changed through any normal operation of the device.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28375 βΌ
π Read
via "National Vulnerability Database".
Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated file disclosure. Using a GET parameter, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26346 βΌ
π Read
via "National Vulnerability Database".
Adobe Dimension versions 3.4.7 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.π Read
via "National Vulnerability Database".
π’ What is cloud ransomware and how can you avoid attacks? π’
π Read
via "ITPro".
With ransomware increasingly targeting cloud applications and data, as well as cloud-based companies, we explain how you can protect your businessπ Read
via "ITPro".
Cloud Pro
What is cloud ransomware and how can you avoid attacks?
With ransomware increasingly targeting cloud applications and data, as well as cloud-based companies, we explain how you can protect your business
π’ Organisations could soon be using generative AI to prevent phishing attacks π’
π Read
via "ITPro".
Training an AI to learn a CEO's writing style could prevent the next big cyber attackπ Read
via "ITPro".
ITPro
Organisations could soon be using generative AI to prevent phishing attacks
Training an AI to learn a CEO's writing style could prevent the next big cyber attack
π’ AdRem NetCrunch 13 review: Great network monitoring for time-poor SMBs π’
π Read
via "ITPro".
Easily deployed and affordable network monitoring for SMBs with a range of highly informative viewpointsπ Read
via "ITPro".
ITPro
AdRem NetCrunch 13 review: Great network monitoring for time-poor SMBs
Easily deployed and affordable network monitoring for SMBs with a range of highly informative viewpoints
π’ Latitude Financial's data policies questioned after more than 14 million records stolen π’
π Read
via "ITPro".
Some of the data is from at least 2005 and includes customersβ name, address, and date of birthπ Read
via "ITPro".
ITPro
Latitude Financial's data policies questioned after more than 14 million records stolen
Some of the data is from at least 2005 and includes customersβ name, address, and date of birth
π’ Microsoft set to block emails from unsupported Exchange servers π’
π Read
via "ITPro".
The tech giants described emails coming from these servers as βpersistently vulnerableβ and is aiming to encourage admins to secure their environmentsπ Read
via "ITPro".
ITPro
Microsoft set to block emails from unsupported Exchange servers
The tech giants described emails coming from these servers as βpersistently vulnerableβ and is aiming to encourage admins to secure their environments
π’ UK snares "several thousand" potential hackers in DDoS-for-hire honeypot π’
π Read
via "ITPro".
The sting follows a recent crackdown on DDoS-for-hire services globallyπ Read
via "ITPro".
ITPro
UK crime fighters wrangle βseveral thousandβ potential cyber criminals in DDoS-for-hire honeypot
The sting follows a recent crackdown on DDoS-for-hire services globally