‼ CVE-2023-26876 ‼
📖 Read
via "National Vulnerability Database".
SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id endpoint.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-29908 ‼
📖 Read
via "National Vulnerability Database".
H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the SetMobileAPInfoById interface at /goform/aspForm.📖 Read
via "National Vulnerability Database".
🕴 Shadow IT, SaaS Pose Security Liability for Enterprises 🕴
📖 Read
via "Dark Reading".
Software written or acquired outside of IT's purview is software that IT can't evaluate for security or compliance.📖 Read
via "Dark Reading".
Dark Reading
Shadow IT, SaaS Pose Security Liability for Enterprises
Software written or acquired outside of IT's purview is software that IT can't evaluate for security or compliance.
👍1🔥1
⚠ S3 Ep131: Can you really have fun with FORTRAN? ⚠
📖 Read
via "Naked Security".
Loop-the-loop in this week's episode. Entertaining, educational and all in plain English. Transcript inside.📖 Read
via "Naked Security".
Naked Security
S3 Ep131: Can you really have fun with FORTRAN?
Loop-the-loop in this week’s episode. Entertaining, educational and all in plain English. Transcript inside.
🛠 FortiGate Brute Forcer 🛠
📖 Read
via "Packet Storm Security".
This python script is a slow brute forcing utility to check passwords against FortiGate appliances. Check the homepage link for more information on how this was used to slowly bypass brute force protections.📖 Read
via "Packet Storm Security".
Packetstormsecurity
FortiGate Brute Forcer ≈ Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
⚠ VMware patches break-and-enter hole in logging tools: update now! ⚠
📖 Read
via "Naked Security".
You know jolly well/What we're going to say/And that's "Do not delay/Simply do it today."📖 Read
via "Naked Security".
Sophos News
Naked Security – Sophos News
👍1
‼ CVE-2023-2140 ‼
📖 Read
via "National Vulnerability Database".
A Server-Side Request Forgery vulnerability in DELMIA Apriso Release 2017 through Release 2022 could allow an unauthenticated attacker to issue requests to arbitrary hosts on behalf of the server running the DELMIA Apriso application.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30798 ‼
📖 Read
via "National Vulnerability Database".
There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2023-2139 ‼
📖 Read
via "National Vulnerability Database".
A reflected Cross-site Scripting (XSS) Vulnerability in DELMIA Apriso Release 2017 through Release 2022 allows an attacker to execute arbitrary script code.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-2141 ‼
📖 Read
via "National Vulnerability Database".
An unsafe .NET object deserialization in DELMIA Apriso Release 2017 through Release 2022 could lead to post-authentication remote code execution.📖 Read
via "National Vulnerability Database".
🕴 Intel Prioritizes Security in Latest vPro Chips 🕴
📖 Read
via "Dark Reading".
While Intel is building more hardware protections directly into the chips, enterprises still need a strategy for applying security updates on these components.📖 Read
via "Dark Reading".
Dark Reading
Intel Prioritizes Security in Latest vPro Chips
While Intel is building more hardware protections directly into the chips, enterprises still need a strategy for applying security updates on these components.
👎1
🕴 North Korea's Kimsuky APT Keeps Growing, Despite Public Outing 🕴
📖 Read
via "Dark Reading".
Kim Jong Un's Swiss Army knife APT continues to spread its tendrils around the world, showing it's not intimidated by the researchers closing in.📖 Read
via "Dark Reading".
Dark Reading
North Korea's Kimsuky APT Keeps Growing, Despite Public Outing
Kim Jong Un's Swiss Army knife APT continues to spread its tendrils around the world, showing it's not intimidated by the researchers closing in.
🕴 EvilExtractor Infostealer Campaign Targeting Windows OS 🕴
📖 Read
via "Dark Reading".
Uptick in EvilExtractor activity aims to compromise endpoints to steal browser from targets across Europe and the US, researchers say.📖 Read
via "Dark Reading".
Dark Reading
'EvilExtractor' All-in-One Stealer Campaign Targets Windows User Data
An uptick in EvilExtractor activity aims to compromise endpoints to steal browser from targets across Europe and the US, researchers say.
‼ CVE-2022-47930 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in IO FinNet tss-lib before 2.0.0. The parameter ssid for defining a session id is not used through the MPC implementation, which makes replaying and spoofing of messages easier. In particular, the Schnorr proof of knowledge implemented in sch.go does not utilize a session id, context, or random nonce in the generation of the challenge. This could allow a malicious user or an eavesdropper to replay a valid proof sent in the past.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-26557 ‼
📖 Read
via "National Vulnerability Database".
io.finnet tss-lib before 2.0.0 can leak the lambda value of a private key via a timing side-channel attack because it relies on Go big.Int, which is not constant time for Cmp, modular exponentiation, or modular inverse. An example leak is in crypto/paillier/paillier.go. (bnb-chain/tss-lib and thorchain/tss are also affected.)📖 Read
via "National Vulnerability Database".
‼ CVE-2023-26556 ‼
📖 Read
via "National Vulnerability Database".
io.finnet tss-lib before 2.0.0 can leak a secret key via a timing side-channel attack because it relies on the scalar-multiplication implementation in Go crypto/elliptic, which is not constant time (there is an if statement in a loop). One leak is in ecdsa/keygen/round_2.go. (bnb-chain/tss-lib and thorchain/tss are also affected.)📖 Read
via "National Vulnerability Database".
🕴 Shields Health Breach Exposes 2.3M Users' Data 🕴
📖 Read
via "Dark Reading".
The medical imaging firm's systems were compromised by a threat actor, exposing patients' driver's licenses and other identifying information.📖 Read
via "Dark Reading".
Dark Reading
Shields Health Breach Exposes 2.3M Users' Data
The medical imaging firm's systems were compromised by a threat actor, exposing patients' driver's licenses and other identifying information.
‼ CVE-2022-36963 ‼
📖 Read
via "National Vulnerability Database".
The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30620 ‼
📖 Read
via "National Vulnerability Database".
mindsdb is a Machine Learning platform to help developers build AI solutions. In affected versions an unsafe extraction is being performed using `tarfile.extractall()` from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. Sometimes, the vulnerability is called a TarSlip or a ZipSlip variant. An attacker may leverage this vulnerability to overwrite any local file which the server process has access to. There is no risk of file exposure with this vulnerability. This issue has been addressed in release `23.2.1.0 `. Users are advised to upgrade. There are no known workarounds for this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-47505 ‼
📖 Read
via "National Vulnerability Database".
The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30618 ‼
📖 Read
via "National Vulnerability Database".
Kitchen-Terraform provides a set of Test Kitchen plugins which enable the use of Test Kitchen to converge a Terraform configuration and verify the resulting infrastructure systems with InSpec controls. Kitchen-Terraform v7.0.0 introduced a regression which caused all Terraform output values, including sensitive values, to be printed at the `info` logging level during the `kitchen converge` action. Prior to v7.0.0, the output values were printed at the `debug` level to avoid writing sensitive values to the terminal by default. An attacker would need access to the local machine in order to gain access to these logs during an operation. Users are advised to upgrade. There are no known workarounds for this vulnerability.📖 Read
via "National Vulnerability Database".