βΌ CVE-2022-45291 βΌ
π Read
via "National Vulnerability Database".
PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints. A contributing factor is a hardcoded login password of support, which is not documented. (This is not the same as the documented setup password, which is 12345.) The issue was fixed in late 2022.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26263 βΌ
π Read
via "National Vulnerability Database".
Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28088 βΌ
π Read
via "National Vulnerability Database".
An HPE OneView appliance dump may expose SAN switch administrative credentialsπ Read
via "National Vulnerability Database".
βΌ CVE-2021-44465 βΌ
π Read
via "National Vulnerability Database".
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23837 βΌ
π Read
via "National Vulnerability Database".
No exception handling vulnerability which revealed sensitive or excessive information to users.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30838 βΌ
π Read
via "National Vulnerability Database".
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of Prestashop misses hijackable events which can lead to cross-site scripting (XSS) injection, allowed by the presence of pre-setup `@keyframes` methods. This XSS, which hijacks HTML attributes, can be triggered without any interaction by the visitor/administrator, which makes it as dangerous as a trivial XSS attack. Contrary to other attacks which target HTML attributes and are triggered without user interaction (such as onload / onerror which suffer from a very limited scope), this one can hijack every HTML element, which increases the danger due to a complete HTML elements scope. Versions 8.0.4 and 1.7.8.9 contain a fix for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23166 βΌ
π Read
via "National Vulnerability Database".
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45071 βΌ
π Read
via "National Vulnerability Database".
Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via crafted uploaded file names.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44476 βΌ
π Read
via "National Vulnerability Database".
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files.π Read
via "National Vulnerability Database".
π΄ NetWitness Partners With Palo Alto Networks, Broadcom to Launch SASE Packet Integrations at RSA Conference 2023 π΄
π Read
via "Dark Reading".
Full packet capture and log monitoring directly on SASE nodes maintains enterprise-grade security, no matter where the data originates.π Read
via "Dark Reading".
Dark Reading
NetWitness Partners With Palo Alto Networks, Broadcom to Launch SASE Packet Integrations at RSA Conference 2023
Full packet capture and log monitoring directly on SASE nodes maintains enterprise-grade security, no matter where the data originates.
π΄ ReliaQuest Adds AI Capabilities to GreyMatter Intelligent Analysis π΄
π Read
via "Dark Reading".
Integration of AI can lead to reduction of up to 90% in meantime to resolve security incidents.π Read
via "Dark Reading".
Dark Reading
ReliaQuest Adds AI Capabilities to GreyMatter Intelligent Analysis
Integration of AI can lead to reduction of up to 90% in meantime to resolve security incidents.
π΄ Forcepoint Delivers Data Security Everywhere, Extending DLP Policies From Endpoints to the Cloud π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
Forcepoint Delivers Data Security Everywhere, Extending DLP Policies From Endpoints to the Cloud
AUSTIN, Texas β April 25, 2023 β Global security leader Forcepoint today extended the depth and breadth of its Data-first SASE (Secure Access Service Edge) offering with the launch of Forcepoint Data Security Everywhere. Forcepoint is simplifying enterpriseβ¦
π΄ AI Experts: Account for AI/ML Resilience & Risk While There's Still Time π΄
π Read
via "Dark Reading".
CISOs and cybersecurity teams will play a key role in hardening artificial intelligence and machine learning systems.π Read
via "Dark Reading".
Dark Reading
AI Experts: Account for AI/ML Resilience & Risk While There's Still Time
CISOs and cybersecurity teams will play a key role in hardening artificial intelligence and machine learning systems.
βΌ CVE-2023-20871 βΌ
π Read
via "National Vulnerability Database".
VMware Fusion contains a local privilege escalation vulnerability. A malicious actor with read/write access to the host operating system can elevate privileges to gain root access to the host operating system.π Read
via "National Vulnerability Database".
βΌ CVE-2023-29012 βΌ
π Read
via "National Vulnerability Database".
Git for Windows is the Windows port of Git. Prior to version 2.40.1, any user of Git CMD who starts the command in an untrusted directory is impacted by an Uncontrolles Search Path Element vulnerability. Maliciously-placed `doskey.exe` would be executed silently upon running Git CMD. The problem has been patched in Git for Windows v2.40.1. As a workaround, avoid using Git CMD or, if using Git CMD, avoid starting it in an untrusted directory.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25815 βΌ
π Read
via "National Vulnerability Database".
In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1.This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\`.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28084 βΌ
π Read
via "National Vulnerability Database".
HPE OneView and HPE OneView Global Dashboard appliance dumps may expose authentication tokensπ Read
via "National Vulnerability Database".
βΌ CVE-2023-25652 βΌ
π Read
via "National Vulnerability Database".
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30609 βΌ
π Read
via "National Vulnerability Database".
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy. Version 3.71.0 of the SDK patches over the issue. As a workaround, restarting the client will clear the HTML injection.π Read
via "National Vulnerability Database".