‼ CVE-2023-28837 ‼
Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. Image uploads are restricted to 10MB by default; however, this validation only happens on the frontend and, on the backend, after the vulnerable code. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2. Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files.
via "National Vulnerability Database".
🕴 Data Breach Strikes Western Digital 🕴
The company behind digital storage brand SanDisk says its systems were compromised on March 26.
via "Dark Reading".
‼ CVE-2022-43771 ‼
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, using the Pentaho Data Access plugin expose a service endpoint for CSV import which allows a user-supplied path to access resources that are out of bounds.
via "National Vulnerability Database".
‼ CVE-2022-4771 ‼
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allow a malicious URL to inject content into the Pentaho User Console through session variables.
via "National Vulnerability Database".
‼ CVE-2022-43939 ‼
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, contain security restrictions using non-canonical URLs which can be circumvented.
via "National Vulnerability Database".
‼ CVE-2023-28854 ‼
nophp is a PHP web framework. Prior to version 0.0.1, nophp is vulnerable to shell command injection as the httpd user. A patch was made available at commit e5409aa2d441789cbb35f6b119bef97ecc3986aa on 2023-03-30. Users should update index.php to the 2023-03-30 version or later or, as a workaround, add a function such as `env_patchsample230330.php` to env.php.
via "National Vulnerability Database".
‼ CVE-2022-43772 ‼
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, with the Big Data Plugin expose the username and password of clusters in clear text in system logs.
via "National Vulnerability Database".
‼ CVE-2022-4769 ‼
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, display the target path on the host when a file is uploaded with an invalid character in its name.
via "National Vulnerability Database".
‼ CVE-2023-28851 ‼
Silverstripe Form Capture provides a method to capture simple Silverstripe forms and an admin interface for users. Starting in version 0.2.0 and prior to versions 1.0.2, 1.1.0, 2.2.5, and 3.1.1, improper escaping when presenting stored form submissions allowed an attacker to perform a cross-site scripting attack. The vulnerability was initially patched in version 1.0.2, and version 1.1.0 includes this patch. The bug was then accidentally re-introduced during a merge error and has been re-patched in versions 2.2.5 and 3.1.1. There are no known workarounds for this vulnerability.
via "National Vulnerability Database".
‼ CVE-2022-4770 ‼
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, display the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report (*.prpt).
via "National Vulnerability Database".
‼ CVE-2022-3960 ‼
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, do not allow a system administrator to disable scripting capabilities of the Community Dashboard Editor (CDE) plugin.
via "National Vulnerability Database".
‼ CVE-2022-43773 ‼
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, is installed with a sample HSQLDB data source configured with stored procedures enabled.
via "National Vulnerability Database".
‼ CVE-2022-43940 ‼
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, do not correctly perform an authorization check in the data source management service.
via "National Vulnerability Database".
‼ CVE-2023-28850 ‼
Pimcore Perspective Editor provides an editor for Pimcore that allows users to add/remove/edit custom views and perspectives. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Version 1.5.1 has a patch. As a workaround, one may apply the patch manually.
via "National Vulnerability Database".
‼ CVE-2022-43769 ‼
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allow certain web services to set property values which contain Spring templates that are interpreted downstream.
via "National Vulnerability Database".
‼ CVE-2022-43938 ‼
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, do not allow a system administrator to disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager.
via "National Vulnerability Database".
‼ CVE-2022-43941 ‼
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity references.
via "National Vulnerability Database".
🕴 For Cybercrime Gangs, Professionalization Comes With 'Corporate' Headaches 🕴
They rake in millions, but now, as much as zero-days and ransoms, cybercriminals are dealing with management structures and overhead.
via "Dark Reading".
🕴 DoJ Recovers $112M in Crypto Stolen With Romance Scams 🕴
Authorities claw back funds from six crypto accounts they say were linked to a "pig-butchering" cybercrime ring.
via "Dark Reading".
‼ CVE-2023-29218 ‼
The Twitter Recommendation Algorithm through ec83d01 allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking, and reporting, as exploited in the wild in March and April 2023.
via "National Vulnerability Database".
‼ CVE-2023-0922 ‼
The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.
via "National Vulnerability Database".