๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
@cibsecurity
25.4K subscribers
88.9K links
๐Ÿ—ž The finest daily news on cybersecurity and privacy.

๐Ÿ”” Daily releases.

๐Ÿ’ป Is your online life secure?

๐Ÿ“ฉ lalilolalo.dev@gmail.com
Download Telegram
About
Blog
Apps
Platform
Join
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
25.4K subscribers
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2022-39989 โ€ผ

An issue was discovered in Fighting Cock Information System 1.0, which uses default credentials, but does not force nor prompt the administrators to change the credentials.

๐Ÿ“– Read

via "National Vulnerability Database".
174 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2022-25275 โ€ผ

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.

๐Ÿ“– Read

via "National Vulnerability Database".
166 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2023-22728 โ€ผ

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.

๐Ÿ“– Read

via "National Vulnerability Database".
163 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2023-30267 โ€ผ

CLTPHP <=6.0 is vulnerable to Cross Site Scripting (XSS) via application/home/controller/Changyan.php.

๐Ÿ“– Read

via "National Vulnerability Database".
162 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2023-22729 โ€ผ

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.

๐Ÿ“– Read

via "National Vulnerability Database".
166 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2022-25276 โ€ผ

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

๐Ÿ“– Read

via "National Vulnerability Database".
171 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2023-30265 โ€ผ

CLTPHP <=6.0 is vulnerable to Directory Traversal.

๐Ÿ“– Read

via "National Vulnerability Database".
181 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2023-30112 โ€ผ

Medicine Tracker System in PHP 1.0.0 is vulnerable to SQL Injection.

๐Ÿ“– Read

via "National Vulnerability Database".
187 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2023-30266 โ€ผ

CLTPHP <=6.0 is vulnerable to Unrestricted Upload of File with Dangerous Type.

๐Ÿ“– Read

via "National Vulnerability Database".
209 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2023-1387 โ€ผ

Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.

๐Ÿ“– Read

via "National Vulnerability Database".
244 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2022-25274 โ€ผ

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system.

๐Ÿ“– Read

via "National Vulnerability Database".
263 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2023-30269 โ€ผ

CLTPHP <=6.0 is vulnerable to Improper Input Validation via application/admin/controller/Template.php.

๐Ÿ“– Read

via "National Vulnerability Database".
278 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
๐Ÿ•ด CyberGRX Announces Winners of the Inaugural Cyber Risk Nation Awards ๐Ÿ•ด

Awarded individuals and companies are trailblazers in third-party risk management.

๐Ÿ“– Read

via "Dark Reading".
Dark Reading
CyberGRX Announces Winners of the Inaugural Cyber Risk Nation Awards
Awarded individuals and companies are trailblazers in third-party risk management.
277 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2023-30210 โ€ผ

OURPHP <= 7.2.0 is vulnerable to Cross Site Scripting (XSS) via ourphp_tz.php.

๐Ÿ“– Read

via "National Vulnerability Database".
254 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2023-2307 โ€ผ

Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.

๐Ÿ“– Read

via "National Vulnerability Database".
246 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2022-27979 โ€ผ

A cross-site scripting (XSS) vulnerability in ToolJet v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment Body component.

๐Ÿ“– Read

via "National Vulnerability Database".
227 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2022-27978 โ€ผ

Tooljet v1.6 does not properly handle missing values in the API, allowing attackers to arbitrarily reset passwords via a crafted HTTP request.

๐Ÿ“– Read

via "National Vulnerability Database".
216 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2023-30211 โ€ผ

OURPHP <= 7.2.0 is vulnerable to SQL Injection.

๐Ÿ“– Read

via "National Vulnerability Database".
213 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โ€ผ CVE-2023-30212 โ€ผ

OURPHP <= 7.2.0 is vulnerale to Cross Site Scripting (XSS) via /client/manage/ourphp_out.php.

๐Ÿ“– Read

via "National Vulnerability Database".
235 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
โš  Google leaking 2FA secrets โ€“ researchers advise against new โ€œaccount syncโ€ feature for now โš 

You waited 13 years for this feature in Google Authenticator. Now researchers are advising you to wait a while longer, just in case...

๐Ÿ“– Read

via "Naked Security".
Sophos News
Naked Security โ€“ Sophos News
259 views
๐Ÿ›ก Cybersecurity & Privacy ๐Ÿ›ก - News
๐Ÿ•ด High-Severity SLP Flaw Can Amplify DDoS Attacks up to 2,200 Times ๐Ÿ•ด

More than 2,000 global organizations โ€” including Fortune 1,000 companies โ€” are at risk to reflective DDoS attacks that exploit a vulnerability discovered in the legacy Internet protocol.

๐Ÿ“– Read

via "Dark Reading".
Dark Reading
High-Severity SLP Flaw Can Amplify DDoS Attacks up to 2,200 Times
More than 2,000 global organizations โ€” including Fortune 1,000 companies โ€” are at risk to reflective DDoS attacks that exploit a vulnerability discovered in the legacy Internet protocol.
296 views