βΌ CVE-2023-30860 βΌ
π Read
via "National Vulnerability Database".
WWBN AVideo is an open source video platform. In AVideo prior to version 12.4, a normal user can make a Meeting Schedule where the user can invite another user in that Meeting, but it does not properly sanitize the malicious characters when creating a Meeting Room. This allows attacker to insert malicious scripts. Since any USER including the ADMIN can see the meeting room that was created by the attacker this can lead to cookie hijacking and takeover of any accounts. Version 12.4 contains a patch for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30855 βΌ
π Read
via "National Vulnerability Database".
Pimcore is an open source data and experience management platform. Versions of Pimcore prior to 10.5.18 are vulnerable to path traversal. The impact of this path traversal and arbitrary extension is limited to creation of arbitrary files and appending data to existing files. When combined with the SQL Injection, the exported data `RESTRICTED DIFFUSION 9 / 9` can be controlled and a webshell can be uploaded. Attackers can use that to execute arbitrary PHP code on the server with the permissions of the webserver. Users may upgrade to version 10.5.18 to receive a patch or, as a workaround, apply the patch manually.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30840 βΌ
π Read
via "National Vulnerability Database".
Fluid is an open source Kubernetes-native distributed dataset orchestrator and accelerator for data-intensive applications. Starting in version 0.7.0 and prior to version 0.8.6, if a malicious user gains control of a Kubernetes node running fluid csi pod (controlled by the `csi-nodeplugin-fluid` node-daemonset), they can leverage the fluid-csi service account to modify specs of all the nodes in the cluster. However, since this service account lacks `list node` permissions, the attacker may need to use other techniques to identify vulnerable nodes.Once the attacker identifies and modifies the node specs, they can manipulate system-level-privileged components to access all secrets in the cluster or execute pods on other nodes. This allows them to elevate privileges beyond the compromised node and potentially gain full privileged access to the whole cluster.To exploit this vulnerability, the attacker can make all other nodes unschedulable (for example, patch node with taints) and wait for system-critical components with high privilege to appear on the compromised node. However, this attack requires two prerequisites: a compromised node and identifying all vulnerable nodes through other means.Version 0.8.6 contains a patch for this issue. As a workaround, delete the `csi-nodeplugin-fluid` daemonset in `fluid-system` namespace and avoid using CSI mode to mount FUSE file systems. Alternatively, using sidecar mode to mount FUSE file systems is recommended.π Read
via "National Vulnerability Database".
π΄ Government, Industry Efforts to Thwart Ransomware Slowly Start to Pay Off π΄
π Read
via "Dark Reading".
Public-private collaboration, law enforcement, and better defenses are helping make inroads in the war against ransomware, according to the Ransomware Task Force.π Read
via "Dark Reading".
Dark Reading
Government, Industry Efforts to Thwart Ransomware Slowly Start to Pay Off
Public-private collaboration, law enforcement, and better defenses are helping make inroads in the war against ransomware, according to the Ransomware Task Force.
π΄ Whiteford Taylor & Preston LLP Issues Notice of Data Incident π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
Whiteford Taylor & Preston LLP Issues Notice of Data Incident
BALTIMORE, May 5, 2023 /PRNewswire/ -- On or about May 11, 2022, Whiteford Taylor & Preston, LLP ("Whiteford") became aware of a potential unauthorized access into the Whiteford email account of one of its attorneys, despite our robust multi-factor authenticationβ¦
π΄ Consilient Inc. and Harex InfoTech Partner to Fight Financial Crime in South Korea π΄
π Read
via "Dark Reading".
Companies bring generative AI-Federated Learning to the forefront to transform business processes and enable dynamic risk management.π Read
via "Dark Reading".
Dark Reading
Consilient Inc. and Harex InfoTech Partner to Fight Financial Crime in South Korea
Companies bring generative AI-Federated Learning to the forefront to transform business processes and enable dynamic risk management.
βΌ CVE-2023-23543 βΌ
π Read
via "National Vulnerability Database".
The issue was addressed with additional restrictions on the observability of app states. This issue is fixed in macOS Ventura 13.3, iOS 15.7.4 and iPadOS 15.7.4, iOS 16.4 and iPadOS 16.4. A sandboxed app may be able to determine which app is currently using the cameraπ Read
via "National Vulnerability Database".
βΌ CVE-2022-46727 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-32874 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27969 βΌ
π Read
via "National Vulnerability Database".
A use after free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.3, watchOS 9.4, tvOS 16.4, iOS 15.7.4 and iPadOS 15.7.4, iOS 16.4 and iPadOS 16.4. An app may be able to execute arbitrary code with kernel privilegesπ Read
via "National Vulnerability Database".
βΌ CVE-2023-27967 βΌ
π Read
via "National Vulnerability Database".
The issue was addressed with improved memory handling. This issue is fixed in Xcode 14.3. An app may be able to execute arbitrary code out of its sandbox or with certain elevated privilegesπ Read
via "National Vulnerability Database".
βΌ CVE-2023-27965 βΌ
π Read
via "National Vulnerability Database".
A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, Studio Display Firmware Update 16.4. An app may be able to execute arbitrary code with kernel privilegesπ Read
via "National Vulnerability Database".
βΌ CVE-2022-42804 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-32873 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2023-31179 βΌ
π Read
via "National Vulnerability Database".
AgilePoint NX v8.0 SU2.2 & SU2.3 - Path traversal -Γ Vulnerability allows path traversal and downloading files from the server, by an unspecified request.π Read
via "National Vulnerability Database".
βΌ CVE-2023-31140 βΌ
π Read
via "National Vulnerability Database".
OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27963 βΌ
π Read
via "National Vulnerability Database".
The issue was addressed with additional permissions checks. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, watchOS 9.4, iOS 15.7.4 and iPadOS 15.7.4, iOS 16.4 and iPadOS 16.4. A shortcut may be able to use sensitive data with certain actions without prompting the userπ Read
via "National Vulnerability Database".
βΌ CVE-2023-23541 βΌ
π Read
via "National Vulnerability Database".
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in iOS 15.7.4 and iPadOS 15.7.4, iOS 16.4 and iPadOS 16.4. An app may be able to access information about a userΓ’β¬β’s contactsπ Read
via "National Vulnerability Database".
βΌ CVE-2023-27960 βΌ
π Read
via "National Vulnerability Database".
This issue was addressed by removing the vulnerable code. This issue is fixed in GarageBand for macOS 10.4.8. An app may be able to gain elevated privileges during the installation of GarageBandπ Read
via "National Vulnerability Database".
βΌ CVE-2023-2478 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to attach a malicious runner to any project.π Read
via "National Vulnerability Database".
βΌ CVE-2023-23536 βΌ
π Read
via "National Vulnerability Database".
The issue was addressed with improved bounds checks. This issue is fixed in macOS Ventura 13.3, iOS 15.7.4 and iPadOS 15.7.4, iOS 16.4 and iPadOS 16.4. An app may be able to execute arbitrary code with kernel privilegesπ Read
via "National Vulnerability Database".