CVE-2023-22946
via "National Vulnerability Database".
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications. Update to Apache Spark 3.4.0 or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.
CVE-2023-30771
via "National Vulnerability Database".
Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB. This issue affects the iotdb-web-workbench component on 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.4 of iotdb-web-workbench onwards.
CVE-2023-30770
via "National Vulnerability Database".
A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size validation. An attacker can exploit this vulnerability to execute arbitrary code. Affected ADM versions include: 4.0.6.REG2, 4.1.0 and below as well as 4.2.0.RE71 and below.
CVE-2023-24831
via "National Vulnerability Database".
Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB. This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3. Attackers could login without authorization. This is fixed in 0.13.4.
CVE-2023-2017
via "National Vulnerability Database".
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.
Build vs. buy: Is managing Customer Identity slowing your time to market?
via "ITPro".
Why identity should be top of mind
Top 5 Data Security RSAC 2023 Sessions to Attend
via "Dark Reading".
A little preconference reconnoitering of upcoming seminars, keynotes, and track sessions makes plotting your days easier. Here's one attendee's list.
FBI and FCC warn about "Juicejacking" - but just how useful is their advice?
via "Naked Security".
USB charging stations - can you trust them? What are the real risks, and how can you keep your data safe on the road?
CVE-2023-1331
via "National Vulnerability Database".
The Redirection WordPress plugin before 1.1.5 does not have CSRF checks in the uninstall action, which could allow attackers to make logged in admins delete all the redirections through a CSRF attack.
CVE-2023-27844
via "National Vulnerability Database".
SQL injection vulnerability found in PrestaShopleurlrewrite v.1.0 and before allows a remote attacker to gain privileges via the Dispatcher::getController component.
CVE-2023-0277
via "National Vulnerability Database".
The WC Fields Factory WordPress plugin through 4.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
CVE-2023-0765
via "National Vulnerability Database".
The Gallery by BestWebSoft WordPress plugin before 4.7.0 does not properly escape values used in SQL queries, leading to a Blind SQL Injection vulnerability. The attacker must have at least the privileges of an Author, and the vendor's Slider plugin (https://wordpress.org/plugins/slider-bws/) must also be installed for this vulnerability to be exploitable.
CVE-2023-0764
via "National Vulnerability Database".
The Gallery by BestWebSoft WordPress plugin before 4.7.0 does not perform proper sanitization of gallery information, leading to a Stored Cross-Site Scripting vulnerability. The attacker must have at least the privileges of the Author role.
CVE-2023-1473
via "National Vulnerability Database".
The Slider, Gallery, and Carousel by MetaSlider WordPress plugin 3.29.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2023-1427
via "National Vulnerability Database".
The Photo Gallery by 10Web WordPress plugin before 1.8.15 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images anywhere in the filesystem via a path traversal vector.
CVE-2023-1282
via "National Vulnerability Database".
The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.
CVE-2022-44726
via "National Vulnerability Database".
The TouchDown Timesheet tracking component 4.1.4 for Jira allows XSS in the calendar view.
CVE-2023-1274
via "National Vulnerability Database".
The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) WordPress plugin before 3.0 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks.
CVE-2023-1413
via "National Vulnerability Database".
The WP VR WordPress plugin before 8.2.9 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2023-1723
via "National Vulnerability Database".
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Veragroup Mobile Assistant allows SQL Injection. This issue affects Mobile Assistant: before 21.S.2343.
CVE-2023-1371
via "National Vulnerability Database".
The W4 Post List WordPress plugin before 2.4.6 does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated users to access them.