βΌ CVE-2023-27892 βΌ
π Read
via "National Vulnerability Database".
Insufficient length checks in the ShapeShift KeepKey hardware wallet firmware before 7.7.0 allow a global buffer overflow via crafted messages. Flaws in cf_confirmExecTx() in ethereum_contracts.c can be used to reveal arbitrary microcontroller memory on the device screen or crash the device. With physical access to a PIN-unlocked device, attackers can extract the BIP39 mnemonic secret from the hardware wallet.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26546 βΌ
π Read
via "National Vulnerability Database".
European Chemicals Agency IUCLID before 6.27.6 allows remote authenticated users to execute arbitrary code via Server Side Template Injection (SSTI) with a crafted template file. The attacker must have template manager permission.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26089 βΌ
π Read
via "National Vulnerability Database".
European Chemicals Agency IUCLID 6.x before 6.27.6 allows authentication bypass because a weak hard-coded secret is used for JWT signing. The affected versions are 5.15.0 through 6.27.5.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26268 βΌ
π Read
via "National Vulnerability Database".
Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list * filter * filter views (using view functions as filters) * rewrite * updateThis doesn't affect map/reduce or search (Dreyfus) index functions.Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3).Workaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-31433 βΌ
π Read
via "National Vulnerability Database".
A SQL injection issue in Logbuch in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allows authenticated attackers to execute SQL statements via the welche parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30403 βΌ
π Read
via "National Vulnerability Database".
An issue in the time-based authentication mechanism of Aigital Aigital Wireless-N Repeater Mini_Router v0.131229 allows attackers to bypass login by connecting to the web app after a successful attempt by a legitimate user.π Read
via "National Vulnerability Database".
βΌ CVE-2023-31435 βΌ
π Read
via "National Vulnerability Database".
Multiple components (such as Onlinetemplate-Verwaltung, Liste aller Teilbereiche, Umfragen anzeigen, and questionnaire previews) in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allow authenticated attackers to read and write to unauthorized data by accessing functions directly.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30759 βΌ
π Read
via "National Vulnerability Database".
In Nokia One-NDS (aka Network Directory Server) through 20.9, some Sudo permissions can be exploited by some users to escalate to root privileges and execute arbitrary commands.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47875 βΌ
π Read
via "National Vulnerability Database".
A Directory Traversal vulnerability in /be/erpc.php in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to execute arbitrary code.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30944 βΌ
π Read
via "National Vulnerability Database".
The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in external Wiki method for listing pages. A remote attacker can send a specially crafted request to the affected application and execute limited SQL commands within the application database.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47876 βΌ
π Read
via "National Vulnerability Database".
The integrator in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to create Jobs to execute arbitrary code via Groovy-scripts.π Read
via "National Vulnerability Database".
βοΈ Promising Jobs at the U.S. Postal Service, βUS Job Servicesβ Leaks Customer Data βοΈ
π Read
via "Krebs on Security".
A sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service (USPS) has exposed its internal IT operations and database of nearly 900,000 customers. The leaked records indicate the network's chief technology officer in Pakistan has been hacked for the past year, and that the entire operation was created by the principals of a Tennessee-based telemarketing firm that has promoted USPS employment websites since 2016.π Read
via "Krebs on Security".
Krebs on Security
Promising Jobs at the U.S. Postal Service, βUS Job Servicesβ Leaks Customer Data
A sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service (USPS) has exposed its internal IT operations and database of nearly 900,000 customers.β¦
βΌ CVE-2023-2466 βΌ
π Read
via "National Vulnerability Database".
Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to spoof the contents of the security UI via a crafted HTML page. (Chromium security severity: Low)π Read
via "National Vulnerability Database".
βΌ CVE-2023-2463 βΌ
π Read
via "National Vulnerability Database".
Inappropriate implementation in Full Screen Mode in Google Chrome on Android prior to 113.0.5672.63 allowed a remote attacker to hide the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)π Read
via "National Vulnerability Database".
βΌ CVE-2023-2459 βΌ
π Read
via "National Vulnerability Database".
Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to bypass permission restrictions via a crafted HTML page. (Chromium security severity: Medium)π Read
via "National Vulnerability Database".
βΌ CVE-2023-29839 βΌ
π Read
via "National Vulnerability Database".
A Stored Cross Site Scripting (XSS) vulnerability exists in multiple pages of Hotel Druid version 3.0.4, which allows arbitrary execution of commands. The vulnerable fields are Surname, Name, and Nickname in the Document function.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2467 βΌ
π Read
via "National Vulnerability Database".
Inappropriate implementation in Prompts in Google Chrome on Android prior to 113.0.5672.63 allowed a remote attacker to bypass permissions restrictions via a crafted HTML page. (Chromium security severity: Low)π Read
via "National Vulnerability Database".
βΌ CVE-2023-2464 βΌ
π Read
via "National Vulnerability Database".
Inappropriate implementation in PictureInPicture in Google Chrome prior to 113.0.5672.63 allowed an attacker who convinced a user to install a malicious extension to perform an origin spoof in the security UI via a crafted HTML page. (Chromium security severity: Medium)π Read
via "National Vulnerability Database".
βΌ CVE-2023-2460 βΌ
π Read
via "National Vulnerability Database".
Insufficient validation of untrusted input in Extensions in Google Chrome prior to 113.0.5672.63 allowed an attacker who convinced a user to install a malicious extension to bypass file access checks via a crafted HTML page. (Chromium security severity: Medium)π Read
via "National Vulnerability Database".
βΌ CVE-2023-2462 βΌ
π Read
via "National Vulnerability Database".
Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to obfuscate main origin data via a crafted HTML page. (Chromium security severity: Medium)π Read
via "National Vulnerability Database".
βΌ CVE-2023-2468 βΌ
π Read
via "National Vulnerability Database".
Inappropriate implementation in PictureInPicture in Google Chrome prior to 113.0.5672.63 allowed a remote attacker who had compromised the renderer process to obfuscate the security UI via a crafted HTML page. (Chromium security severity: Low)π Read
via "National Vulnerability Database".