βΌ CVE-2022-4939 βΌ
π Read
via "National Vulnerability Database".
THe WCFM Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including 2.10.0, due to a missing capability check on the wp_ajax_nopriv_wcfm_ajax_controller AJAX action that controls membership settings. This makes it possible for unauthenticated attackers to modify the membership registration form in a way that allows them to set the role for registration to that of any user including administrators. Once configured, the attacker can then register as an administrator.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20134 βΌ
π Read
via "National Vulnerability Database".
Multiple vulnerabilities in the web interface of Cisco Webex Meetings could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack or upload arbitrary files as recordings. For more information about these vulnerabilities, see the Details section of this advisory.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1522 βΌ
π Read
via "National Vulnerability Database".
SQL Injection in the Hardware Inventory report of Security Center 5.11.2.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20145 βΌ
π Read
via "National Vulnerability Database".
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. These vulnerabilities are due to insufficient input validation by the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device and then persuading a user to visit specific web pages that include malicious payloads. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Cisco has not released software updates that address these vulnerabilities.π Read
via "National Vulnerability Database".
π΄ Garage Door Openers Open to Hijacking, Thanks to Unpatched Security Vulns π΄
π Read
via "Dark Reading".
CISA is advising Nexx customers to unplug impacted devices until the security issues are addressed β but so far, it's crickets as to patch timeline.π Read
via "Dark Reading".
Dark Reading
Garage Door Openers Open to Hijacking, Thanks to Unpatched Security Vulns
CISA is advising Nexx customers to unplug impacted devices until the security issues are addressed β but so far, it's crickets as to patch timeline.
π΄ BlackBerry Introduces Integrated Solution to Assure Secure Bi-Directional Response Communications During Cyber Incidents π΄
π Read
via "Dark Reading".
BlackBerry integrates award-winning CylanceGUARD and BlackBerry AtHoc technologies for "combat-ready" cyber event continuity planning and response.π Read
via "Dark Reading".
Dark Reading
BlackBerry Introduces Integrated Solution to Assure Secure Bi-Directional Response Communications During Cyber Incidents
BlackBerry integrates award-winning CylanceGUARD and BlackBerry AtHoc technologies for "combat-ready" cyber event continuity planning and response.
βΌ CVE-2023-1167 βΌ
π Read
via "National Vulnerability Database".
Improper authorization in Gitlab EE affecting all versions from 12.3.0 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 allows an unauthorized access to security reports in MR.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1710 βΌ
π Read
via "National Vulnerability Database".
A sensitive information disclosure vulnerability in GitLab affecting all versions from 15.0 prior to 15.8.5, 15.9 prior to 15.9.4 and 15.10 prior to 15.10.1 allows an attacker to view the count of internal notes for a given issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-24747 βΌ
π Read
via "National Vulnerability Database".
Jfinal CMS v5.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /system/dict/list.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1071 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for an unauthorised user to remove an issue from an epic.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3375 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 11.10 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible to disclose the branch names when attacker has a fork of a project that was switched to private.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1733 βΌ
π Read
via "National Vulnerability Database".
A denial of service condition exists in the Prometheus server bundled with GitLab affecting all versions from 11.10 to 15.8.5, 15.9 to 15.9.4 and 15.10 to 15.10.1.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0967 βΌ
π Read
via "National Vulnerability Database".
Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user permissions with respect to certain actions the user can perform.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0838 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting versions starting from 15.1 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. A maintainer could modify a webhook URL to leak masked webhook secrets by adding a new parameter to the url. This addresses an incomplete fix for CVE-2022-4342.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1708 βΌ
π Read
via "National Vulnerability Database".
An issue was identified in GitLab CE/EE affecting all versions from 1.0 prior to 15.8.5, 15.9 prior to 15.9.4, and 15.10 prior to 15.10.1 where non-printable characters gets copied from clipboard, allowing unexpected commands to be executed on victim machine.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-3513 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A specially crafted payload could lead to a reflected XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims on self-hosted instances running without strict CSP.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0944 βΌ
π Read
via "National Vulnerability Database".
Bhima version 1.27.0 allows an authenticated attacker with regular user permissions to update arbitrary user session data such as username, email and password. This is possible because the application is vulnerable to IDOR, it does not correctly validate user permissions with respect to certain actions that can be performed by the user.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0450 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 8.1 to 15.8.5, and from 15.9 to 15.9.4, and from 15.10 to 15.10.1. It was possible to add a branch with an ambiguous name that could be used to social engineer users.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-24720 βΌ
π Read
via "National Vulnerability Database".
An arbitrary file upload vulnerability in readium-js v0.32.0 allows attackers to execute arbitrary code via uploading a crafted EPUB file.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0842 βΌ
π Read
via "National Vulnerability Database".
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.π Read
via "National Vulnerability Database".