โผ CVE-2023-25504 โผ
๐ Read
via "National Vulnerability Database".
A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability existsร in Apache Superset versions up to and including 2.0.1.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-27525 โผ
๐ Read
via "National Vulnerability Database".
An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1๐ Read
via "National Vulnerability Database".
๐ด Aloha PoS Restaurant Software Downed by Ransomware Attack ๐ด
๐ Read
via "Dark Reading".
Thousands of restaurants impacted by what Aloha PoS parent company NCR says was a ransomware attack on one of its data centers.๐ Read
via "Dark Reading".
Dark Reading
Aloha PoS Restaurant Software Downed by Ransomware Attack
Thousands of restaurants impacted by what Aloha PoS parent company NCR says was a ransomware attack on one of its data centers.
๐ด How CISOs Can Craft Better Narratives for the Board ๐ด
๐ Read
via "Dark Reading".
Communicating cyber-risk upward to C-suite and board takes simplification and better understanding of the audience.๐ Read
via "Dark Reading".
Dark Reading
How CISOs Can Craft Better Narratives for the Board
Communicating cyber-risk upward to the C-suite and board takes simplification and a better understanding of the audience.
๐ด Pentesters Need to Hack AI, but Also Question its Existence ๐ด
๐ Read
via "Dark Reading".
Learning how to break the latest AI models is important, but security researchers should also question whether there are enough guardrails to prevent the technology's misuse.๐ Read
via "Dark Reading".
Dark Reading
Pen Testers Need to Hack AI, but Also Question Its Existence
Learning how to break the latest AI models is important, but security researchers should also question whether there are enough guardrails to prevent the technology's misuse.
โผ CVE-2023-29004 โผ
๐ Read
via "National Vulnerability Database".
hap-wi/roxy-wi is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A Path Traversal vulnerability was found in the current version of Roxy-WI (6.3.9.0 at the moment of writing this report). The vulnerability can be exploited via an HTTP request to /app/options.py and the config_file_name parameter. Successful exploitation of this vulnerability could allow an attacker with user level privileges to obtain the content of arbitrary files on the file server within the scope of what the server process has access to. The root-cause of the vulnerability lies in the get_config function of the /app/modules/config/config.py file, which only checks for relative path traversal, but still allows to read files from absolute locations passed via the config_file_name parameter.๐ Read
via "National Vulnerability Database".
โผ CVE-2015-10103 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, was found in InternalError503 Forget It up to 1.3. This affects an unknown part of the file js/settings.js. The manipulation of the argument setForgetTime with the input 0 leads to infinite loop. It is possible to launch the attack on the local host. Upgrading to version 1.4 is able to address this issue. The name of the patch is adf0c7fd59b9c935b4fd675c556265620124999c. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-226119.๐ Read
via "National Vulnerability Database".
โผ CVE-2015-10102 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability, which was classified as critical, has been found in Freshdesk Plugin 1.7 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to open redirect. The attack may be launched remotely. Upgrading to version 1.8 is able to address this issue. The name of the patch is 2aaecd4e0c7c6c1dc4e6a593163d5f7aa0fa5d5b. It is recommended to upgrade the affected component. VDB-226118 is the identifier assigned to this vulnerability.๐ Read
via "National Vulnerability Database".
๐ด NSA's National Centers for Academic Excellent (NCAE) Cyber Games to Hold National Finals on April 22 ๐ด
๐ Read
via "Dark Reading".
๐ Read
via "Dark Reading".
Dark Reading
NSA's National Centers for Academic Excellent (NCAE) Cyber Games to Hold National Finals on April 22
Cyber Florida at the University of South Florida - Tampa will host the national championship round of the NCAE Cyber Games on April 22 on the University of South Florida-Tampa campus. The event will be live-streamed via Twitch at https://www.twitch.tv/ncโฆ
๐ด lockr Raises $2.5M ๐ด
๐ Read
via "Dark Reading".
lockr preserves open access to information across the Internet while honoring consumer privacy and choice.๐ Read
via "Dark Reading".
Dark Reading
lockr Raises $2.5M
lockr preserves open access to information across the Internet while honoring consumer privacy and choice.
๐ด Google Issues Emergency Chrome Update for Zero-Day Bug ๐ด
๐ Read
via "Dark Reading".
Because the security vulnerability is under active exploit, Google isn't releasing full details of the flaw while users could remain vulnerable.๐ Read
via "Dark Reading".
Dark Reading
Google Issues Emergency Chrome Update for Zero-Day Bug
Because the security vulnerability is under active exploit, Google isn't releasing full details of the flaw while users could remain vulnerable.
๐ด FIN7, Former Conti Gang Members Collaborate on 'Domino' Malware ๐ด
๐ Read
via "Dark Reading".
Members of the former ransomware group are using a FIN7 backdoor to deliver malware โincluding Cobalt Strike โ to victim systems.๐ Read
via "Dark Reading".
Dark Reading
FIN7, Former Conti Gang Members Collaborate on 'Domino' Malware
Members of the former ransomware group are using a FIN7 backdoor to deliver malware โincluding Cobalt Strike โ to victim systems.
โผ CVE-2023-27907 โผ
๐ Read
via "National Vulnerability Database".
A malicious actor may convince a victim to open a malicious USD file that may trigger an out-of-bounds write vulnerability which may result in code execution.๐ Read
via "National Vulnerability Database".
โค1
โผ CVE-2023-25010 โผ
๐ Read
via "National Vulnerability Database".
A malicious actor may convince a victim to open a malicious USD file that may trigger an uninitialized variable which may result in code execution.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-27910 โผ
๐ Read
via "National Vulnerability Database".
A user may be tricked into opening a malicious FBX file that may exploit a stack buffer overflow vulnerability in Autodeskรยฎ FBXรยฎ SDK 2020 or prior which may lead to code execution.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-30548 โผ
๐ Read
via "National Vulnerability Database".
gatsby-plugin-sharp is a plugin for the gatsby framework which exposes functions built on the Sharp image processing library. The gatsby-plugin-sharp plugin prior to versions 5.8.1 and 4.25.1 contains a path traversal vulnerability exposed when running the Gatsby develop server (`gatsby develop`). It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable. Attackers exploiting this vulnerability will have read access to all files within the scope of the server process. A patch has been introduced in gatsby-plugin-sharp@5.8.1 and gatsby-plugin-sharp@4.25.1 which mitigates the issue by ensuring that included paths remain within the project directory. As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability. Users are non the less encouraged to upgrade to a safe version.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-30769 โผ
๐ Read
via "National Vulnerability Database".
Vulnerability discovered is related to the peer-to-peer (p2p) communications, attackers can craft consensus messages, send it to individual nodes and take them offline. An attacker can crawl the network peers using getaddr message and attack the unpatched nodes.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-27911 โผ
๐ Read
via "National Vulnerability Database".
A user may be tricked into opening a malicious FBX file that may exploit a heap buffer overflow vulnerability in Autodeskรยฎ FBXรยฎ SDK 2020 or prior which may lead to code execution.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2130 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability classified as critical has been found in SourceCodester Purchase Order Management System 1.0. Affected is an unknown function of the file /admin/suppliers/view_details.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-226206 is the identifier assigned to this vulnerability.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-27906 โผ
๐ Read
via "National Vulnerability Database".
A malicious actor may convince a victim to open a malicious USD file that may trigger an out-of-bounds read vulnerability which may result in code execution.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-27909 โผ
๐ Read
via "National Vulnerability Database".
An Out-Of-Bounds Write Vulnerability in Autodeskรยฎ FBXรยฎ SDK version 2020 or prior may lead to code execution through maliciously crafted FBX files or information disclosure.๐ Read
via "National Vulnerability Database".