βΌ CVE-2022-43681 βΌ
π Read
via "National Vulnerability Database".
An out-of-bounds read exists in the BGP daemon of FRRouting FRR through 8.4. When sending a malformed BGP OPEN message that ends with the option length octet (or the option length word, in case of an extended OPEN message), the FRR code reads of out of the bounds of the packet, throwing a SIGABRT signal and exiting. This results in a bgpd daemon restart, causing a Denial-of-Service condition.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23820 βΌ
π Read
via "National Vulnerability Database".
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <=Γ 4.5.4 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25796 βΌ
π Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Include WP BaiDu Submit plugin <=Γ 1.2.1 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25798 βΌ
π Read
via "National Vulnerability Database".
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Olevmedia Olevmedia Shortcodes plugin <=Γ 1.1.9 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40318 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible because of inconsistent boundary checks that do not account for reading 3 bytes (instead of 2) in this 0xff case. NOTE: this behavior occurs in bgp_open_option_parse in the bgp_open.c file, a different location (with a different attack vector) relative to CVE-2022-40302.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1383 βΌ
π Read
via "National Vulnerability Database".
An Improper Enforcement of Behavioral Workflow vulnerability in the exchangeDeviceServices function on the amzn.dmgr service allowed an attacker to register services that are only locally accessible.This issue affects:Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. Insignia TV with FireOS versions prior to 7.6.3.3.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23708 βΌ
π Read
via "National Vulnerability Database".
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Themeisle Visualizer: Tables and Charts Manager for WordPress plugin <=Γ 3.9.4 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1384 βΌ
π Read
via "National Vulnerability Database".
The setMediaSource function on the amzn.thin.pl service does not sanitize the "source" parameter allowing for arbitrary javascript code to be runThis issue affects:Amazon Fire TV Stick 3rd genΓ versions prior to 6.2.9.5.Insignia TV with FireOSΓ versions prior to 7.6.3.3.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1385 βΌ
π Read
via "National Vulnerability Database".
Improper JPAKE implementation allows offline PIN brute-forcing due to the initialization of random values to a known value, which leads to unauthorized authentication to amzn.lightning services.This issue affects:Amazon Fire TV Stick 3rd genΓ versions prior to 6.2.9.5.Insignia TV with FireOSΓ 7.6.3.3.π Read
via "National Vulnerability Database".
π΄ Anatomy of a Malicious Package Attack π΄
π Read
via "Dark Reading".
Malicious packages are hard to avoid and hard to detect β unless you know what to look for.π Read
via "Dark Reading".
Dark Reading
Anatomy of a Malicious Package Attack
Malicious packages are hard to avoid and hard to detect β unless you know what to look for.
βΌ CVE-2023-26017 βΌ
π Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in BlueGlass Jobs for WordPress plugin <=Γ 2.5.10.2 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23875 βΌ
π Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Himanshu Bing Site Verification plugin using Meta Tag plugin <=Γ 1.0 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23881 βΌ
π Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in GreenTreeLabs Circles Gallery plugin <=Γ 1.0.10 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25967 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in PeepSo Community by PeepSo plugin <=Γ 6.0.2.0 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23830 βΌ
π Read
via "National Vulnerability Database".
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <=Γ 4.5.4 versions.π Read
via "National Vulnerability Database".
π΄ What's the Secret to Finding the Next Big Thing in Cybersecurity? π΄
π Read
via "Dark Reading".
Varun Badhwar, who has brought each of the three startups he founded to the finals of the RSAC Innovation Sandbox, talks about how to see around the corner.π Read
via "Dark Reading".
Dark Reading
What's the Secret to Finding the Next Big Thing in Cybersecurity?
Varun Badhwar, who has brought each of the three startups he founded to the finals of the RSAC Innovation Sandbox, talks about how to see around the corner.
π΄ Court Rejects Merck Insurers' Attempt to Refuse Coverage for NotPetya Damages π΄
π Read
via "Dark Reading".
Insurers unsuccessfully argued Merck's $1.4B in losses following NotPetya cyberattack fell under wartime exclusion. π Read
via "Dark Reading".
Dark Reading
Court Rejects Merck Insurers' Attempt to Refuse Coverage for NotPetya Damages
Insurers unsuccessfully argued Merck's $1.4B in losses following NotPetya cyberattack fell under wartime exclusion.
π1
β Tracked by hidden tags? Apple and Google unite to propose safety and security standardsβ¦ β
π Read
via "Naked Security".
To bleat, or not to bleat, that is the question.π Read
via "Naked Security".
Naked Security
Tracked by hidden tags? Apple and Google unite to propose safety and security standardsβ¦
To bleat, or not to bleat, that is the question.
βΌ CVE-2023-25827 βΌ
π Read
via "National Vulnerability Database".
Due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint, it is possible to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25826 βΌ
π Read
via "National Vulnerability Database".
Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.π Read
via "National Vulnerability Database".
π΄ DNA Sequencing Equipment Vulnerability Adds New Twist to Medical Device Cyber Threats π΄
π Read
via "Dark Reading".
A vulnerability in a DNA sequencer highlights the expanded attack surface area of healthcare organizations but also shows that reporting of medical device vulnerabilities works.π Read
via "Dark Reading".
Dark Reading
DNA Sequencing Equipment Vulnerability Adds New Twist to Medical Device Cyber Threats
A vulnerability in a DNA sequencer highlights the expanded attack surface area of healthcare organizations but also shows that reporting of medical device vulnerabilities works.