βΌ CVE-2023-30371 βΌ
π Read
via "National Vulnerability Database".
In Tenda AC15 V15.03.05.19, the function "sub_ED14" contains a stack-based buffer overflow vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30369 βΌ
π Read
via "National Vulnerability Database".
Tenda AC15 V15.03.05.19 is vulnerable to Buffer Overflow.π Read
via "National Vulnerability Database".
βΌ CVE-2023-29848 βΌ
π Read
via "National Vulnerability Database".
Bang Resto 1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the itemName parameter in the admin/menu.php Add New Menu function.π Read
via "National Vulnerability Database".
βΌ CVE-2023-24818 βΌ
π Read
via "National Vulnerability Database".
RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2022.10, an attacker can send a crafted frame to the device resulting in a NULL pointer dereference. During forwarding of a fragment an uninitialized entry in the reassembly buffer is used. The NULL pointer dereference triggers a hard fault exception resulting in denial of service. Version 2022.10 fixes this issue. As a workaround, disable support for fragmented IP datagrams or apply the patches manually.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30373 βΌ
π Read
via "National Vulnerability Database".
In Tenda AC15 V15.03.05.19, the function "xian_pppoe_user" contains a stack-based buffer overflow vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47158 βΌ
π Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Pakpobox alfred24 Click & Collect plugin <=Γ 1.1.7 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30378 βΌ
π Read
via "National Vulnerability Database".
In Tenda AC15 V15.03.05.19, the function "sub_8EE8" contains a stack-based buffer overflow vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-29479 βΌ
π Read
via "National Vulnerability Database".
Ribose RNP before 0.16.3 may hang when the input is malformed.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30372 βΌ
π Read
via "National Vulnerability Database".
In Tenda AC15 V15.03.05.19, The function "xkjs_ver32" contains a stack-based buffer overflow vulnerability.π Read
via "National Vulnerability Database".
π’ Nine steps to proactively manage data privacy and protection π’
π Read
via "ITPro".
Build trust with your employees, customers, and third partiesπ Read
via "ITPro".
ITPro
Nine steps to proactively manage data privacy and protection
Build trust with your employees, customers, and third parties
π’ Take control of diverse and rapidly evolving enterprise risks π’
π Read
via "ITPro".
Effectively manage and report on risk and complianceπ Read
via "ITPro".
ITPro
Take control of diverse and rapidly evolving enterprise risks
Effectively manage and report on risk and compliance
π1
β VMware patches break-and-enter hole in logging tools: update now! β
π Read
via "Naked Security".
You know jolly well/What we're going to say/And that's "Do not delay/Simply do it today."π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π’ Same cyberthreat, different story π’
π Read
via "ITPro".
How security, risk, and technology asset management teams collaborate to easily manage vulnerabilitiesπ Read
via "ITPro".
ITPro
Same cyberthreat, different story
How security, risk, and technology asset management teams collaborate to easily manage vulnerabilities
β Double zero-day in Chrome and Edge β check your versions now! β
π Read
via "Naked Security".
Wouldn't it be handy if there were a single version number to check for in every Chromium-based browser, on every supported platform?π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ North Korean Foreign Trade Bank Representative Charged in Crypto Laundering Conspiracies π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
North Korean Foreign Trade Bank Representative Charged in Crypto Laundering Conspiracies
Two federal indictments were unsealed today in the District of Columbia charging a North Korean Foreign Trade Bank (FTB) representative for his role in separate money laundering conspiracies designed to generate revenue for the Democratic Peopleβs Republicβ¦
βΌ CVE-2023-26061 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Nokia NetAct before 22 FP2211. On the Scheduled Search tab under the Alarm Reports Dashboard page, users can create a script to inject XSS. Input validation was missing during creation of a scheduled task. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30613 βΌ
π Read
via "National Vulnerability Database".
Kiwi TCMS, an open source test management system, allows users to upload attachments to test plans, test cases, etc. In versions of Kiwi TCMS prior to 12.2, there is no control over what kinds of files can be uploaded. Thus, a malicious actor may upload an `.exe` file or a file containing embedded JavaScript and trick others into clicking on these files, causing vulnerable browsers to execute malicious code on another computer. Kiwi TCMS v12.2 comes with functionality that allows administrators to configure additional upload validator functions which give them more control over what file types are accepted for upload. By default `.exe` are denied. Other files containing the `<script>` tag, regardless of their type are also denied b/c they are a path to XSS attacks. There are no known workarounds aside from upgrading.π Read
via "National Vulnerability Database".
βΌ CVE-2023-24822 βΌ
π Read
via "National Vulnerability Database".
RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2022.10, an attacker can send a crafted frame to the device resulting in a NULL pointer dereference while encoding a 6LoWPAN IPHC header. The NULL pointer dereference causes a hard fault exception, leading to denial of service. Version 2022.10 fixes this issue. As a workaround, apply the patches manually.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22914 βΌ
π Read
via "National Vulnerability Database".
A path traversal vulnerability in the Γ’β¬Εaccount_print.cgiΓ’β¬οΏ½ CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow a remote authenticated attacker with administrator privileges to execute unauthorized OS commands in the Γ’β¬ΕtmpΓ’β¬οΏ½ directory by uploading a crafted file if the hotspot function were enabled.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30622 βΌ
π Read
via "National Vulnerability Database".
Clusternet is a general-purpose system for controlling Kubernetes clusters across different environments. An issue in clusternet prior to version 0.15.2 can be leveraged to lead to a cluster-level privilege escalation. The clusternet has a deployment called `cluster-hub` inside the `clusternet-system` Kubernetes namespace, which runs on worker nodes randomly. The deployment has a service account called `clusternet-hub`, which has a cluster role called `clusternet:hub` via cluster role binding. The `clusternet:hub` cluster role has `"*" verbs of "*.*"` resources. Thus, if a malicious user can access the worker node which runs the clusternet, they can leverage the service account to do malicious actions to critical system resources. For example, the malicious user can leverage the service account to get ALL secrets in the entire cluster, resulting in cluster-level privilege escalation. Version 0.15.2 contains a fix for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22917 βΌ
π Read
via "National Vulnerability Database".
A buffer overflow vulnerability in the Γ’β¬Εsdwan_iface_ipcΓ’β¬οΏ½ binary of Zyxel ATP series firmware versions 5.10 through 5.32, USG FLEX series firmware versions 5.00 through 5.32, USG FLEX 50(W) firmware versions 5.10 through 5.32, USG20(W)-VPN firmware versions 5.10 through 5.32, and VPN series firmware versions 5.00 through 5.35, which could allow a remote unauthenticated attacker to cause a core dump with a request error message on a vulnerable device by uploading a crafted configuration file.π Read
via "National Vulnerability Database".