๐ด Data Siloes: Overcoming the Greatest Challenge in SecOps ๐ด
๐ Read
via "Dark Reading".
It's not lack of data that's the problem, but the inability to piece that together to truly understand and reduce risk.๐ Read
via "Dark Reading".
Dark Reading
Data Siloes: Overcoming the Greatest Challenge in SecOps
It's not lack of data that's the problem, but the inability to piece it together to truly understand and reduce risk.
๐ด Apple Patches 3 Zero-Days Possibly Already Exploited ๐ด
๐ Read
via "Dark Reading".
In an advisory released by the company, Apple revealed patches for three previously unknown bugs it says may already have been used by attackers.๐ Read
via "Dark Reading".
Dark Reading
Apple Patches 3 Zero-Days Possibly Already Exploited
In an advisory released by the company, Apple revealed patches for three previously unknown bugs it says may already have been used by attackers.
๐ด 3 Common Initial Attack Vectors Account for Most Ransomware Campaigns ๐ด
๐ Read
via "Dark Reading".
The data shows how most cyberattacks start, so basic steps can help organizations avoid becoming the latest statistic.๐ Read
via "Dark Reading".
Dark Reading
3 Common Initial Attack Vectors Account for Most Ransomware Campaigns
The data shows how most cyberattacks start, so basic steps can help organizations avoid becoming the latest statistic.
โผ CVE-2023-32675 โผ
๐ Read
via "National Vulnerability Database".
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-32679 โผ
๐ Read
via "National Vulnerability Database".
Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-32677 โผ
๐ Read
via "National Vulnerability Database".
Zulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to limit who can add users to streams, and separately to limit who can invite users to the organization. In Zulip Server 6.1 and below, the UI which allows a user to invite a new user also allows them to set the streams that the new user is invited to -- even if the inviting user would not have permissions to add an existing user to streams. While such a configuration is likely rare in practice, the behavior does violate security-related controls. This does not let a user invite new users to streams they cannot see, or would not be able to add users to if they had that general permission. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may limit sending of invitations down to users who also have the permission to add users to streams.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-28623 โผ
๐ Read
via "National Vulnerability Database".
Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any aside of `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in `AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py` and 2: The organization permissions don't require invitations to join. An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory. The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having `Invitations are required for joining this organization` organization permission disabled. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may enable the `Invitations are required for joining this organization` organization permission to prevent this issue.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2716 โผ
๐ Read
via "National Vulnerability Database".
The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'ajax_upload_file' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload a file to the contact, and then lists all the other uploaded files related to the contact.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2735 โผ
๐ Read
via "National Vulnerability Database".
The Groundhogg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gh_form' shortcode in versions up to, and including, 2.7.9.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note this only works with legacy contact forms.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2715 โผ
๐ Read
via "National Vulnerability Database".
The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers to create a support ticket that sends the website's data to the plugin developer, and it is also possible to create an admin access with an auto login link that is also sent to the plugin developer with the ticket. It only works if the plugin is activated with a valid license.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2736 โผ
๐ Read
via "National Vulnerability Database".
The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. This is due to missing nonce validation in the 'ajax_edit_contact' function. This makes it possible for authenticated attackers to receive the auto login link via shortcode and then modify the assigned user to the auto login link to elevate verified user privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2276 โผ
๐ Read
via "National Vulnerability Database".
The WCFM Membership รขโฌโ WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.10.7. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2714 โผ
๐ Read
via "National Vulnerability Database".
The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_license' functions in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the license key and support license key, but it can only be changed to a valid license key.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2717 โผ
๐ Read
via "National Vulnerability Database".
The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. This is due to missing nonce validation on the 'enable_safe_mode' function. This makes it possible for unauthenticated attackers to enable safe mode, which disables all other plugins, via a forged request if they can successfully trick an administrator into performing an action such as clicking on a link. A warning message about safe mode is displayed to the admin, which can be easily disabled.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2713 โผ
๐ Read
via "National Vulnerability Database".
Authorization Bypass Through User-Controlled Key vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Authentication Abuse, Authentication Bypass.This issue affects Rental Module: before 23.05.15.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2712 โผ
๐ Read
via "National Vulnerability Database".
Unrestricted Upload of File with Dangerous Type vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Command Injection, Using Malicious Files, Upload a Web Shell to a Web Server.This issue affects Rental Module: before 23.05.15.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-1696 โผ
๐ Read
via "National Vulnerability Database".
The multimedia video module has a vulnerability in data processing.Successful exploitation of this vulnerability may affect availability.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-1694 โผ
๐ Read
via "National Vulnerability Database".
The Settings module has the file privilege escalation vulnerability.Successful exploitation of this vulnerability may affect confidentiality.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-1692 โผ
๐ Read
via "National Vulnerability Database".
The window management module lacks permission verification.Successful exploitation of this vulnerability may affect confidentiality.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-1693 โผ
๐ Read
via "National Vulnerability Database".
The Settings module has the file privilege escalation vulnerability.Successful exploitation of this vulnerability may affect confidentiality.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-33244 โผ
๐ Read
via "National Vulnerability Database".
Obsidian before 1.2.2 allows calls to unintended APIs (for microphone access, camera access, and desktop notification) via an embedded web page.๐ Read
via "National Vulnerability Database".