βΌ CVE-2023-26930 βΌ
π Read
via "National Vulnerability Database".
Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via the PDFDoc malloc in the pdftotext.cc function.π Read
via "National Vulnerability Database".
βΌ CVE-2022-44232 βΌ
π Read
via "National Vulnerability Database".
libming 0.4.8 0.4.8 is vulnerable to Buffer Overflow. In getInt() in decompile.c unknown type may lead to denial of service. This is a different vulnerability than CVE-2018-9132 and CVE-2018-20427.π Read
via "National Vulnerability Database".
π΄ BigID and Thales Collaborate to Deliver Comprehensive Data Protection and Privacy Compliance π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
BigID and Thales Collaborate to Deliver Comprehensive Data Protection and Privacy Compliance
NEW YORK, April 26, 2023 /PRNewswire/ -- BigID, the leading data intelligence platform that enables organizations to know their enterprise data and take action for privacy, security, and governance, today announced a technology partnership with Thales, theβ¦
βΌ CVE-2023-30280 βΌ
π Read
via "National Vulnerability Database".
Buffer Overflow vulnerability found in Netgear R6900 v.1.0.2.26, R6700v3 v.1.0.4.128, R6700 v.1.0.0.26 allows a remote attacker to execute arbitrary code and cause a denial ofservice via the getInputData parameter of the fwSchedule.cgi page.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45456 βΌ
π Read
via "National Vulnerability Database".
Denial of service due to unauthenticated API endpoint. The following products are affected: Acronis Agent (Windows, macOS, Linux) before build 30161.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30843 βΌ
π Read
via "National Vulnerability Database".
Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Version 1.7.0 contains a patch. As a workaround, write a `beforeOperation` hook to remove `where` queries that attempt to access hidden field data.π Read
via "National Vulnerability Database".
βΌ CVE-2023-29443 βΌ
π Read
via "National Vulnerability Database".
Zoho ManageEngine ServiceDesk Plus through 14104 allows admin users to conduct an XXE attack.π Read
via "National Vulnerability Database".
βΌ CVE-2023-29836 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting vulnerability found in Exelysis Unified Communication Solutions (EUCS) v.1.0 allows a remote attacker to execute arbitrary code via the Username parameter of the eucsAdmin login form.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2291 βΌ
π Read
via "National Vulnerability Database".
Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.π Read
via "National Vulnerability Database".
βΌ CVE-2020-36070 βΌ
π Read
via "National Vulnerability Database".
Insecure Permission vulnerability found in Yoyager v.1.4 and before allows a remote attacker to execute arbitrary code via a crafted .php file to the media component.π Read
via "National Vulnerability Database".
βΌ CVE-2023-29596 βΌ
π Read
via "National Vulnerability Database".
Buffer Overflow vulnerability found in ByronKnoll Cmix v.19 allows an attacker to execute arbitrary code and cause a denial of service via the paq8 function.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28009 βΌ
π Read
via "National Vulnerability Database".
HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.π Read
via "National Vulnerability Database".
βΌ CVE-2023-29835 βΌ
π Read
via "National Vulnerability Database".
Insecure Permission vulnerability found in Wondershare Dr.Fone v.12.9.6 allows a remote attacker to escalate privileges via the service permission function.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26567 βΌ
π Read
via "National Vulnerability Database".
Sangoma FreePBX 1805 through 2302 (when obtained as a ,.ISO file) places AMPDBUSER, AMPDBPASS, AMPMGRUSER, and AMPMGRPASS in the list of global variables. This exposes cleartext authentication credentials for the Asterisk Database (MariaDB/MySQL) and Asterisk Manager Interface. For example, an attacker can make a /ari/asterisk/variable?variable=AMPDBPASS API call.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27559 βΌ
π Read
via "National Vulnerability Database".
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may crash when using a specially crafted subquery. IBM X-Force ID: 249196.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30363 βΌ
π Read
via "National Vulnerability Database".
vConsole v3.15.0 was discovered to contain a prototype pollution due to incorrect key and value resolution in setOptions in core.ts.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28008 βΌ
π Read
via "National Vulnerability Database".
HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.π Read
via "National Vulnerability Database".
βΌ CVE-2023-29442 βΌ
π Read
via "National Vulnerability Database".
Zoho ManageEngine Applications Manager through 16390 allows DOM XSS.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30846 βΌ
π Read
via "National Vulnerability Database".
typed-rest-client is a library for Node Rest and Http Clients with typings for use with TypeScript. Users of the typed-rest-client library version 1.7.3 or lower are vulnerable to leak authentication data to 3rd parties. The flow of the vulnerability is as follows: First, send any request with `BasicCredentialHandler`, `BearerCredentialHandler` or `PersonalAccessTokenCredentialHandler`. Second, the target host may return a redirection (3xx), with a link to a second host. Third, the next request will use the credentials to authenticate with the second host, by setting the `Authorization` header. The expected behavior is that the next request will *NOT* set the `Authorization` header. The problem was fixed in version 1.8.0. There are no known workarounds.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30845 βΌ
π Read
via "National Vulnerability Database".
ESPv2 is a service proxy that provides API management capabilities using Google Service Infrastructure. ESPv2 2.20.0 through 2.42.0 contains an authentication bypass vulnerability. API clients can craft a malicious `X-HTTP-Method-Override` header value to bypass JWT authentication in specific cases.ESPv2 allows malicious requests to bypass authentication if both the conditions are true: The requested HTTP method is **not** in the API service definition (OpenAPI spec or gRPC `google.api.http` proto annotations, and the specified `X-HTTP-Method-Override` is a valid HTTP method in the API service definition. ESPv2 will forward the request to your backend without checking the JWT. Attackers can craft requests with a malicious `X-HTTP-Method-Override` value that allows them to bypass specifying JWTs. Restricting API access with API keys works as intended and is not affected by this vulnerability.Upgrade deployments to release v2.43.0 or higher to receive a patch. This release ensures that JWT authentication occurs, even when the caller specifies `x-http-method-override`. `x-http-method-override` is still supported by v2.43.0+. API clients can continue sending this header to ESPv2.π Read
via "National Vulnerability Database".
π΄ Google 2FA Syncing Feature Could Put Your Privacy at Risk π΄
π Read
via "Dark Reading".
Researchers find that the encryption of a user's 2FA secrets are stripped after transportation to the cloud.π Read
via "Dark Reading".
Dark Reading
Google 2FA Syncing Feature Could Put Your Privacy at Risk
Researchers find that the encryption of a user's 2FA secrets are stripped after transportation to the cloud.