βΌ CVE-2023-2800 βΌ
π Read
via "National Vulnerability Database".
Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32322 βΌ
π Read
via "National Vulnerability Database".
Ombi is an open source application which allows users to request specific media from popular self-hosted streaming servers. Versions prior to 4.38.2 contain an arbitrary file read vulnerability where an Ombi administrative user may access files available to the Ombi server process on the host operating system. Ombi administrators may not always be local system administrators and so this may violate the security expectations of the system. The arbitrary file read vulnerability was present in `ReadLogFile` and `Download` endpoints in `SystemControllers.cs` as the parameter `logFileName` is not sanitized before being combined with the `Logs` directory. When using `Path.Combine(arg1, arg2, arg3)`, an attacker may be able to escape to folders/files outside of `Path.Combine(arg1, arg2)` by using ".." in `arg3`. In addition, by specifying an absolute path for `arg3`, `Path.Combine` will completely ignore the first two arguments and just return just `arg3`. This vulnerability can lead to information disclosure. The Ombi `documentation` suggests running Ombi as a Service with Administrator privileges. An attacker targeting such an application may be able to read the files of any Windows user on the host machine and certain system files. This issue has been addressed in commit `b8a8f029` and in release version 4.38.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GHSL-2023-088.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36327 βΌ
π Read
via "National Vulnerability Database".
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices.This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32099 βΌ
π Read
via "National Vulnerability Database".
Compiler removal of buffer clearing in sli_se_sign_hashΓ in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32097 βΌ
π Read
via "National Vulnerability Database".
Compiler removal of buffer clearing in sli_crypto_transparent_aead_decrypt_tag in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32098 βΌ
π Read
via "National Vulnerability Database".
Compiler removal of buffer clearing in sli_se_sign_message in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM.π Read
via "National Vulnerability Database".
βΌ CVE-2023-31597 βΌ
π Read
via "National Vulnerability Database".
An issue in Zammad v5.4.0 allows attackers to bypass e-mail verification using an arbitrary address and manipulate the data of the generated user. Attackers are also able to gain unauthorized access to existing tickets.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1132 βΌ
π Read
via "National Vulnerability Database".
Compiler removal of buffer clearing in sli_se_driver_key_agreement in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32100 βΌ
π Read
via "National Vulnerability Database".
Compiler removal of buffer clearing in sli_se_driver_mac_computein Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32096 βΌ
π Read
via "National Vulnerability Database".
Compiler removal of buffer clearing in sli_crypto_transparent_aead_encrypt_tag in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30333 βΌ
π Read
via "National Vulnerability Database".
An arbitrary file upload vulnerability in the component /admin/ThemeController.java of PerfreeBlog v3.1.2 allows attackers to execute arbitrary code via a crafted file.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2481 βΌ
π Read
via "National Vulnerability Database".
Compiler removal of buffer clearing in sli_se_opaque_import_key in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0965 βΌ
π Read
via "National Vulnerability Database".
Compiler removal of buffer clearing in sli_cryptoacc_transparent_key_agreement in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36326 βΌ
π Read
via "National Vulnerability Database".
An uncontrolled resource consumption vulnerability issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires the attacker to already have root privileges in order to exploit this vulnerability.This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36328 βΌ
π Read
via "National Vulnerability Database".
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discoveredΓ in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or another vulnerability.This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.π Read
via "National Vulnerability Database".
π΄ Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict π΄
π Read
via "Dark Reading".
Plug X and other information-stealing remote-access Trojans are among the malware targeting networking, manufacturing, and logistics companies in Taiwan.π Read
via "Dark Reading".
Dark Reading
Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict
Plug X and other information-stealing remote-access Trojans are among the malware targeting networking, manufacturing, and logistics companies in Taiwan.
π΄ KeePass Vulnerability Imperils Master Passwords π΄
π Read
via "Dark Reading".
A newly discovered bug in the open source password manager, if exploited, lets attackers retrieve a target's master password β and proof-of-concept code is available.π Read
via "Dark Reading".
Dark Reading
KeePass Vulnerability Imperils Master Passwords
A newly discovered bug in the open source password manager, if exploited, lets attackers retrieve a target's master password β and proof-of-concept code is available.
βΌ CVE-2023-2024 βΌ
π Read
via "National Vulnerability Database".
Improper authentication in OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 allow access to an unauthorized user under certain circumstances.π Read
via "National Vulnerability Database".
βΌ CVE-2023-29720 βΌ
π Read
via "National Vulnerability Database".
SofaWiki <=3.8.9 is vulnerable to Cross Site Scripting (XSS) via index.php.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2025 βΌ
π Read
via "National Vulnerability Database".
OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 may expose sensitive information to an unauthorized user under certain circumstances.π Read
via "National Vulnerability Database".
βΌ CVE-2023-31655 βΌ
π Read
via "National Vulnerability Database".
redis-7.0.10 was discovered to contain a segmentation violation.π Read
via "National Vulnerability Database".