βΌ CVE-2023-29007 βΌ
π Read
via "National Vulnerability Database".
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.π Read
via "National Vulnerability Database".
βΌ CVE-2023-24005 βΌ
π Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Winwar Media Inline Tweet Sharer Γ’β¬β Twitter Sharing Plugin plugin <=Γ 2.5.3 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-29011 βΌ
π Read
via "National Vulnerability Database".
Git for Windows, the Windows port of Git, ships with an executable called `connect.exe`, which implements a SOCKS5 proxy that can be used to connect e.g. to SSH servers via proxies when certain ports are blocked for outgoing connections. The location of `connect.exe`'s config file is hard-coded as `/etc/connectrc` which will typically be interpreted as `C:\etc\connectrc`. Since `C:\etc` can be created by any authenticated user, this makes `connect.exe` susceptible to malicious files being placed there by other users on the same multi-user machine. The problem has been patched in Git for Windows v2.40.1. As a workaround, create the folder `etc` on all drives where Git commands are run, and remove read/write access from those folders. Alternatively, watch out for malicious `<drive>:\etc\connectrc` files on multi-user machines.π Read
via "National Vulnerability Database".
β€1
βΌ CVE-2023-2269 βΌ
π Read
via "National Vulnerability Database".
A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23710 βΌ
π Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <=Γ 7.5.14 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23889 βΌ
π Read
via "National Vulnerability Database".
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Fullworks Quick Paypal Payments pluginΓ <= 5.7.25 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20872 βΌ
π Read
via "National Vulnerability Database".
VMware Workstation and Fusion contain an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2293 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Purchase Order Management System 1.0. It has been classified as problematic. This affects an unknown part of the file classes/Master.php?f=save_item. The manipulation of the argument description with the input <script>alert(document.cookie)</script> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-227463.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23866 βΌ
π Read
via "National Vulnerability Database".
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Carlos Moreira Interactive Geo Maps plugin <=Γ 1.5.8 versions.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-25461 βΌ
π Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in namithjawahar Wp-Insert plugin <=Γ 2.5.0 versions.π Read
via "National Vulnerability Database".
π΄ BlackBerry Extends Partnership With Managed Security Services Provider (MSSP) to Ensure SMBs are Set Up for Cyber Success π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
BlackBerry Extends Partnership With Managed Security Services Provider (MSSP) to Ensure SMBs are Set Up for Cyber Success
SAN FRANCISCO, April 25, 2023 /PRNewswire/ -- BlackBerry Limited (NYSE: BB; TSX: BB) and Solutions Granted today announced an extended partnership, naming the leading cybersecurity services provider a Master Managed Security Services Provider (MSSP), enablingβ¦
π΄ Datadog's 2023 State of Application Security Report Presents Top AppSec Trends π΄
π Read
via "Dark Reading".
The report found that ninety-seven percent of security vulnerabilities labeled as "critical" could actually be deprioritized.π Read
via "Dark Reading".
Dark Reading
Datadog's 2023 State of Application Security Report Presents Top AppSec Trends
The report found that ninety-seven percent of security vulnerabilities labeled as "critical" could actually be deprioritized.
π΄ Dig Security Announces New Integration With CrowdStrike π΄
π Read
via "Dark Reading".
New CrowdStrike Falcon platform integration delivers multi-cloud visibility and protection of data assets with layered malware detection and file scanning to stop modern attacks.π Read
via "Dark Reading".
Dark Reading
Dig Security Announces New Integration With CrowdStrike
New CrowdStrike Falcon platform integration delivers multi-cloud visibility and protection of data assets with layered malware detection and file scanning to stop modern attacks.
βΌ CVE-2023-30842 βΌ
π Read
via "National Vulnerability Database".
AVideo is an open-source video platform. Prior to version 12.4, AVideo is vulnerable to remote code execution when an attacker embeds a malicious video link. This issue is fixed in version 12.4.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0045 βΌ
π Read
via "National Vulnerability Database".
The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set Γ function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. Γ The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176.We recommend upgrading past commitΓ a664ec9158eeddd75121d39c9a0758016097fa96π Read
via "National Vulnerability Database".
βΌ CVE-2023-20870 βΌ
π Read
via "National Vulnerability Database".
VMware Workstation and Fusion contain an out-of-bounds read vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20869 βΌ
π Read
via "National Vulnerability Database".
VMware Workstation (17.x) and VMware Fusion (13.x) contain a stack-based buffer-overflow vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine.π Read
via "National Vulnerability Database".
βΌ CVE-2023-31223 βΌ
π Read
via "National Vulnerability Database".
Dradis before 4.8.0 allows persistent XSS by authenticated author users, related to avatars.π Read
via "National Vulnerability Database".
π΄ CISOs Rethink Data Security with Info-Centric Framework π΄
π Read
via "Dark Reading".
The Data Security Maturity Model ditches application, network, and device silos when it comes to architecting a data security strategy.π Read
via "Dark Reading".
Dark Reading
CISOs Rethink Data Security With Info-Centric Framework
The Data Security Maturity Model ditches application, network, and device silos when it comes to architecting a data security strategy.
βΌ CVE-2023-30404 βΌ
π Read
via "National Vulnerability Database".
Aigital Wireless-N Repeater Mini_Router v0.131229 was discovered to contain a remote code execution (RCE) vulnerability via the sysCmd parameter in the formSysCmd function. This vulnerability is exploited via a crafted HTTP request.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2012-5873 βΌ
π Read
via "National Vulnerability Database".
ARC (aka ARC2) through 2011-12-01 allows reflected XSS via the end_point.php query parameter in an output=htmltab action.π Read
via "National Vulnerability Database".