βΌ CVE-2023-28631 βΌ
π Read
via "National Vulnerability Database".
comrak is a CommonMark + GFM compatible Markdown parser and renderer written in rust. A Comrak AST can be constructed manually by a program instead of parsing a Markdown document with `parse_document`. This AST can then be converted to HTML via `html::format_document_with_plugins`. However, the HTML formatting code assumes that the AST is well-formed. For example, many AST notes contain `[u8]` fields which the formatting code assumes is valid UTF-8 data. Several bugs can be triggered if this is not the case. Version 0.17.0 contains adjustments to the AST, storing strings instead of unvalidated byte arrays. Users are advised to upgrade. Users unable to upgrade may manually validate UTF-8 correctness of all data when assigning to `&[u8]` and `Vec<u8>` fields in the AST. This issue is also tracked as `GHSL-2023-049`.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27394 βΌ
π Read
via "National Vulnerability Database".
Osprey Pump Controller version 1.01 is vulnerable an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through a HTTP GET parameter called by DataLogView.php, EventsView.php and AlarmsView.php scripts.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28103 βΌ
π Read
via "National Vulnerability Database".
matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the `Object.prototype`, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic. This is fixed in matrix-react-sdk 3.69.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. Note this advisory is distinct from GHSA-2x9c-qwgf-94xr which refers to a similar issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26344 βΌ
π Read
via "National Vulnerability Database".
Adobe Dimension versions 3.4.7 (and earlier) is affected by an Access of Uninitialized Pointer vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28447 βΌ
π Read
via "National Vulnerability Database".
Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25891 βΌ
π Read
via "National Vulnerability Database".
Adobe Dimension versions 3.4.7 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28427 βΌ
π Read
via "National Vulnerability Database".
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28637 βΌ
π Read
via "National Vulnerability Database".
DataEase is an open source data visualization analysis tool. In Dataease users are normally allowed to modify data and the data sources are expected to properly sanitize data. The AWS redshift data source does not provide data sanitization which may lead to remote code execution. This vulnerability has been fixed in v1.18.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28654 βΌ
π Read
via "National Vulnerability Database".
Osprey Pump Controller version 1.01 has a hidden administrative account that has the hardcoded password that allows full access to the web management interface configuration. The user is not visible in Usernames and Passwords menu list of the application and the password cannot be changed through any normal operation of the device.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28375 βΌ
π Read
via "National Vulnerability Database".
Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated file disclosure. Using a GET parameter, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26346 βΌ
π Read
via "National Vulnerability Database".
Adobe Dimension versions 3.4.7 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.π Read
via "National Vulnerability Database".
π’ What is cloud ransomware and how can you avoid attacks? π’
π Read
via "ITPro".
With ransomware increasingly targeting cloud applications and data, as well as cloud-based companies, we explain how you can protect your businessπ Read
via "ITPro".
Cloud Pro
What is cloud ransomware and how can you avoid attacks?
With ransomware increasingly targeting cloud applications and data, as well as cloud-based companies, we explain how you can protect your business
π’ Organisations could soon be using generative AI to prevent phishing attacks π’
π Read
via "ITPro".
Training an AI to learn a CEO's writing style could prevent the next big cyber attackπ Read
via "ITPro".
ITPro
Organisations could soon be using generative AI to prevent phishing attacks
Training an AI to learn a CEO's writing style could prevent the next big cyber attack
π’ AdRem NetCrunch 13 review: Great network monitoring for time-poor SMBs π’
π Read
via "ITPro".
Easily deployed and affordable network monitoring for SMBs with a range of highly informative viewpointsπ Read
via "ITPro".
ITPro
AdRem NetCrunch 13 review: Great network monitoring for time-poor SMBs
Easily deployed and affordable network monitoring for SMBs with a range of highly informative viewpoints
π’ Latitude Financial's data policies questioned after more than 14 million records stolen π’
π Read
via "ITPro".
Some of the data is from at least 2005 and includes customersβ name, address, and date of birthπ Read
via "ITPro".
ITPro
Latitude Financial's data policies questioned after more than 14 million records stolen
Some of the data is from at least 2005 and includes customersβ name, address, and date of birth
π’ Microsoft set to block emails from unsupported Exchange servers π’
π Read
via "ITPro".
The tech giants described emails coming from these servers as βpersistently vulnerableβ and is aiming to encourage admins to secure their environmentsπ Read
via "ITPro".
ITPro
Microsoft set to block emails from unsupported Exchange servers
The tech giants described emails coming from these servers as βpersistently vulnerableβ and is aiming to encourage admins to secure their environments
π’ UK snares "several thousand" potential hackers in DDoS-for-hire honeypot π’
π Read
via "ITPro".
The sting follows a recent crackdown on DDoS-for-hire services globallyπ Read
via "ITPro".
ITPro
UK crime fighters wrangle βseveral thousandβ potential cyber criminals in DDoS-for-hire honeypot
The sting follows a recent crackdown on DDoS-for-hire services globally
π’ Ex-NCSC CEO on the next big ransomware threat π’
π Read
via "ITPro".
Despite a devastating few years for cyber security, the former NCSC CEO Ciaran Martin is confident that businesses have learned critical lessonsπ Read
via "ITPro".
ITPro
Former NCSC chief Ciaran Martin pinpoints critical national infrastructure (CNI) as the next big ransomware target
Despite a devastating few years for cyber security, the former NCSC CEO Ciaran Martin is confident that businesses have learned critical lessons
βΌ CVE-2022-45460 βΌ
π Read
via "National Vulnerability Database".
Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow an unauthenticated and remote user to exploit a stack-based buffer overflow and crash the web server, resulting in a system reboot. An unauthenticated and remote attacker can execute arbitrary code by sending a crafted HTTP request that triggers the overflow condition via a long URI passed to a sprintf call. NOTE: this is different than CVE-2018-10088, but this may overlap CVE-2017-16725.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1679 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as critical was found in DriverGenius 9.70.0.346. This vulnerability affects the function 0x9C406104/0x9C40A108 in the library mydrivers64.sys of the component IOCTL Handler. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-224236.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1678 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as critical has been found in DriverGenius 9.70.0.346. This affects the function 0x9C40A0D8/0x9C40A0DC/0x9C40A0E0 in the library mydrivers64.sys of the component IOCTL Handler. The manipulation leads to memory corruption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-224235.π Read
via "National Vulnerability Database".