‼ CVE-2023-29801 ‼
via "National Vulnerability Database".
TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain multiple command injection vulnerabilities via the rtLogEnabled and rtLogServer parameters in the setSyslogCfg function.
‼ CVE-2022-3748 ‼
via "National Vulnerability Database".
Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass. This issue affects Access Management: from 6.5.0 through 7.2.0.
‼ CVE-2023-2059 ‼
via "National Vulnerability Database".
A vulnerability was found in DedeCMS 5.7.87. It has been rated as problematic. Affected by this issue is some unknown functionality of the file uploads/include/dialog/select_templets.php. The manipulation leads to path traversal: '..\filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-225944.
‼ CVE-2023-28091 ‼
via "National Vulnerability Database".
HPE OneView virtual appliance "Migrate server hardware" option may expose sensitive information in an HPE OneView support dump
‼ CVE-2022-45175 ‼
via "National Vulnerability Database".
An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Insecure Direct Object Reference can occur under the 5.6.5-3/doc/{ID-FILE]/c/{N]/{C]/websocket endpoint. A malicious unauthenticated user can access cached files in the OnlyOffice backend of other users by guessing the file ID of a target file.
‼ CVE-2023-29847 ‼
via "National Vulnerability Database".
AeroCMS v0.0.1 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the comment_author and comment_content parameters at /post.php. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via a crafted payload.
S3 Ep130: Open the garage bay doors, HAL [Audio + Text]
via "Naked Security".
I'm sorry, Dave. I'm afraid I can't... errr, no, hang on a minute, I can do that easily! Worldwide! Right now!
🔴 Western Digital Hackers Demand 8-Figure Ransom Payment for Data 🔴
via "Dark Reading".
Western Digital has yet to comment on claims that the breach reported earlier this month led to data being stolen.
‼ CVE-2022-47501 ‼
via "National Vulnerability Database".
Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.
🔴 Security Is a Revenue Booster, Not a Cost Center 🔴
via "Dark Reading".
Focusing on what customers and partners need from a company can help CISOs show the real financial benefits of improving cybersecurity.
🔴 Software-Dependency Data Delivers Security to Developers 🔴
via "Dark Reading".
Google has opened up its software-dependency database, adding to the security data available to developers and tool makers. Now developers need to use it.
🔴 Why xIoT Devices Are Cyberattackers' Gateway Drug for Lateral Movement 🔴
via "Dark Reading".
Detailing how extended IoT (xIoT) devices can be used at scale by attackers to establish persistence across networks and what enterprises should start doing about the risk.
‼ CVE-2023-29067 ‼
via "National Vulnerability Database".
A maliciously crafted X_B file when parsed through Autodesk® AutoCAD® 2023 could lead to memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.
‼ CVE-2023-27915 ‼
via "National Vulnerability Database".
A maliciously crafted X_B file when parsed through Autodesk® AutoCAD® 2023 could lead to memory corruption vulnerability by read access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.
‼ CVE-2023-29529 ‼
via "National Vulnerability Database".
matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case. Legacy 1:1 calls are unaffected. This is fixed in matrix-js-sdk 24.1.0. As a workaround, users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.
‼ CVE-2023-27914 ‼
via "National Vulnerability Database".
A maliciously crafted X_B file when parsed through Autodesk® AutoCAD® 2023 can be used to write beyond the allocated buffer causing a Stack Buffer Overflow. A malicious actor can leverage this vulnerability to cause a crash or read sensitive data or execute arbitrary code in the context of the current process.
‼ CVE-2023-27912 ‼
via "National Vulnerability Database".
A maliciously crafted X_B file when parsed through Autodesk® AutoCAD® 2023 can force an Out-of-Bound Read. A malicious actor can leverage this vulnerability to cause a crash or read sensitive data or execute arbitrary code in the context of the current process.
‼ CVE-2023-29018 ‼
via "National Vulnerability Database".
The OpenFeature Operator allows users to expose feature flags to applications. Assuming the pre-existence of a vulnerability that allows for arbitrary code execution, an attacker could leverage the lax permissions configured on `open-feature-operator-controller-manager` to escalate the privileges of any SA in the cluster. The increased privileges could be used to modify cluster state, leading to DoS, or read sensitive data, including secrets. Version 0.2.32 mitigates this issue by restricting the resources the `open-feature-operator-controller-manager` can modify.
‼ CVE-2023-29013 ‼
via "National Vulnerability Database".
Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service. This issue has been patched in versions 2.9.10 and 2.10.0-rc2.
‼ CVE-2023-2073 ‼
via "National Vulnerability Database".
A vulnerability was found in Campcodes Online Traffic Offense Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /classes/Login.php. The manipulation of the argument password leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-226051.
‼ CVE-2023-29199 ‼
via "National Vulnerability Database".
There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.16` of `vm2`.