‼ CVE-2023-29926 ‼
📖 Read
via "National Vulnerability Database".
PowerJob V4.3.2 has unauthorized interface that causes remote code execution.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46302 ‼
📖 Read
via "National Vulnerability Database".
Broad access controls could allow site users to directly interact with the system Apache installation when providing the reverse proxy configurations for Tribe29's Checkmk <= 2.1.0p6, Checkmk <= 2.0.0p27, and all versions of Checkmk 1.6.0 (EOL) allowing an attacker to perform remote code execution with root privileges on the underlying host.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-27652 ‼
📖 Read
via "National Vulnerability Database".
An issue found in Ego Studio SuperClean v.1.1.9 and v.1.1.5 allows an attacker to gain privileges cause a denial of service via the update_info field of the _default_.xml file.📖 Read
via "National Vulnerability Database".
🕴 Tech Insight: Dangers of Using Large Language Models Before They Are Baked 🕴
📖 Read
via "Dark Reading".
Today's LLMs pose too many trust and security risks.📖 Read
via "Dark Reading".
Dark Reading
Expert Insight: Dangers of Using Large Language Models Before They Are Baked
Today's LLMs pose too many trust and security risks.
🕴 Twitter's 2FA Policy Is a Call for Passkey Disruption 🕴
📖 Read
via "Dark Reading".
Overcoming the limitations of consumer MFA with a new flavor of passwordless.📖 Read
via "Dark Reading".
Dark Reading
Twitter's 2FA Policy Is a Call for Passkey Disruption
Overcoming the limitations of consumer MFA with a new flavor of passwordless.
âš S3 Ep131: Can you really have fun with FORTRAN? âš
📖 Read
via "Naked Security".
Loop-the-loop in this week's episode. Entertaining, educational and all in plain English. Transcript inside.📖 Read
via "Naked Security".
Naked Security
S3 Ep131: Can you really have fun with FORTRAN?
Loop-the-loop in this week’s episode. Entertaining, educational and all in plain English. Transcript inside.
‼ CVE-2023-25601 ‼
📖 Read
via "National Vulnerability Database".
On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value `python-gateway.enabled=false` in configuration file `application.yaml`. If you are using the python gateway, please upgrade to version 3.1.2 or above.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-1255 ‼
📖 Read
via "National Vulnerability Database".
Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash. Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM platform can crash in rare circumstances. The AES-XTS algorithm is usually used for disk encryption. The AES-XTS cipher decryption implementation for 64 bit ARM platform will read past the end of the ciphertext buffer if the ciphertext size is 4 mod 5, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext buffer is unmapped, this will trigger a crash which results in a denial of service. If an attacker can control the size and location of the ciphertext buffer being decrypted by an application using AES-XTS on 64 bit ARM, the application is affected. This is fairly unlikely making this issue a Low severity one.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-23938 ‼
📖 Read
via "National Vulnerability Database".
Tuleap is a Free & Source tool for end to end traceability of application and system developments. Affected versions are subject to a cross site scripting attack which can be injected in the name of a color of select box values of a tracker and then reflected in the tracker administration. Administrative privilege is required, but an attacker with tracker administration rights could use this vulnerability to force a victim to execute uncontrolled code in the context of their browser. This issue has been addressed in Tuleap Community Edition version 14.5.99.4. Users are advised to upgrade. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-27350 ‼
📖 Read
via "National Vulnerability Database".
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36788 ‼
📖 Read
via "National Vulnerability Database".
A heap-based buffer overflow vulnerability exists in the TriangleMesh clone functionality of Slic3r libslic3r 1.3.0 and Master Commit b1a5500. A specially-crafted STL file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-27351 ‼
📖 Read
via "National Vulnerability Database".
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.📖 Read
via "National Vulnerability Database".
🕴 Trigona Ransomware Trolling for 'Poorly Managed' MS-SQL Servers 🕴
📖 Read
via "Dark Reading".
Vulnerable MS-SQL database servers have external connections and weak account credentials, researchers warn.📖 Read
via "Dark Reading".
Dark Reading
Trigona Ransomware Trolling for 'Poorly Managed' MS-SQL Servers
Vulnerable MS-SQL database servers have external connections and weak account credentials, researchers warn.
‼ CVE-2023-23579 ‼
📖 Read
via "National Vulnerability Database".
Datakit CrossCadWare_x64.dll contains an out-of-bounds write past the end of an allocated buffer while parsing a specially crafted SLDPRT file. This could allow an attacker to execute code in the context of the current process.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22295 ‼
📖 Read
via "National Vulnerability Database".
Datakit CrossCadWare_x64.dll contains an out of bounds read past the end of an allocated buffer while parsing a specially crafted SLDPRT file. This vulnerability could allow an attacker to disclose sensitive information.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22321 ‼
📖 Read
via "National Vulnerability Database".
Datakit CrossCadWare_x64.dll contains an out-of-bounds read past the end of an allocated buffer while parsing a specially crafted SLDPRT file. This vulnerability could allow an attacker to disclose sensitive information.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22354 ‼
📖 Read
via "National Vulnerability Database".
Datakit CrossCadWare_x64.dll contains an out-of-bounds read past the end of an allocated buffer while parsing a specially crafted SLDPRT file. This vulnerability could allow an attacker to disclose sensitive information.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22846 ‼
📖 Read
via "National Vulnerability Database".
Datakit CrossCadWare_x64.dll contains an out-of-bounds read past the end of an allocated buffer while parsing a specially crafted SLDPRT file. This vulnerability could allow an attacker to disclose sensitive information.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30076 ‼
📖 Read
via "National Vulnerability Database".
Sourcecodester Judging Management System v1.0 is vulnerable to SQL Injection via /php-jms/print_judges.php?print_judges.php=&se_name=&sub_event_id=.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30616 ‼
📖 Read
via "National Vulnerability Database".
Form block is a wordpress plugin designed to make form creation easier. Versions prior to 1.0.2 are subject to a Cross-Site Request Forgery due to a missing nonce check. There is potential for a Cross Site Request Forgery for all form blocks, since it allows to send requests to the forms from any website without a user noticing. Users are advised to upgrade to version 1.0.2. There are no known workarounds for this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-29528 ‼
📖 Read
via "National Vulnerability Database".
XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.10, HTML comments are now removed in restricted mode and a check has been introduced that ensures that comments don't start with `>`. There are no known workarounds apart from upgrading to a version including the fix.📖 Read
via "National Vulnerability Database".