⚠ Apple’s secret is out: 3 zero-days fixed, so be sure to patch now! ⚠
All Apple users have zero-days that need patching, though some have more zero-days than others.
via "Naked Security".
‼ CVE-2023-25448 ‼
Cross-Site Request Forgery (CSRF) vulnerability in Eric Teubert Archivist – Custom Archive Templates plugin <= 1.7.4 versions.
via "National Vulnerability Database".
‼ CVE-2023-31453 ‼
Incorrect Permission Assignment for Critical Resource vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others' subscriptions, even if they are not the owner of the deleted subscription. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/7949
via "National Vulnerability Database".
‼ CVE-2023-32346 ‼
Teltonika’s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. This function returns information based on whether the serial number of a device has already been claimed, the MAC address of a device has already been claimed, or whether the attempt to claim a device was successful. An attacker could exploit this to create a list of the serial numbers and MAC addresses of all devices cloud-connected to the Remote Management System.
via "National Vulnerability Database".
‼ CVE-2023-32347 ‼
Teltonika’s Remote Management System versions prior to 4.10.0 use device serial numbers and MAC addresses to identify devices from the user perspective for device claiming and from the device perspective for authentication. If an attacker obtained the serial number and MAC address of a device, they could authenticate as that device and steal communication credentials of the device. This could allow an attacker to enable arbitrary command execution as root by utilizing management options within the newly registered devices.
via "National Vulnerability Database".
‼ CVE-2023-31206 ‼
Exposure of Resource to Wrong Sphere vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of nodes of InLong. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/7891
via "National Vulnerability Database".
‼ CVE-2023-25447 ‼
Cross-Site Request Forgery (CSRF) vulnerability in Inkthemescom ColorWay theme <= 4.2.3 versions.
via "National Vulnerability Database".
‼ CVE-2022-46680 ‼
A CWE-319: Cleartext transmission of sensitive information vulnerability exists that could cause disclosure of sensitive information, denial of service, or modification of data if an attacker is able to intercept network traffic.
via "National Vulnerability Database".
‼ CVE-2023-31923 ‼
Suprema BioStar 2 before 2022 Q4, v2.9.1 has Insecure Permissions. A vulnerability in the web application allows an authenticated attacker with "User Operator" privileges to create a highly privileged user account. The vulnerability is caused by missing server-side validation, which can be exploited to gain full administrator privileges on the system.
via "National Vulnerability Database".
‼ CVE-2023-31454 ‼
Incorrect Permission Assignment for Critical Resource vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can bind any cluster, even if they are not the cluster owner. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/7947
via "National Vulnerability Database".
⚠ Phone scamming kingpin gets 13 years for running “iSpoof” service ⚠
Site marketing video promised total anonymity, but that was a lie. 170 arrested already. Potentially 1000s more to follow.
via "Naked Security".
‼ CVE-2023-2587 ‼
Teltonika’s Remote Management System versions prior to 4.10.0 contain a cross-site scripting (XSS) vulnerability in the main page of the web interface. An attacker with the MAC address and serial number of a connected device could send a maliciously crafted JSON file with an HTML object to trigger the vulnerability. This could allow the attacker to execute scripts in the account context and obtain remote code execution on managed devices.
via "National Vulnerability Database".
‼ CVE-2023-31064 ‼
Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0. A user in InLong could cancel an application that doesn't belong to them. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7799 to solve it.
via "National Vulnerability Database".
‼ CVE-2023-33293 ‼
An issue was discovered in KaiOS 3.0 and 3.1. The binary /system/kaios/api-daemon exposes a local web server on *.localhost with subdomains for each installed application, e.g., myapp.localhost. An attacker can make fetch requests to api-daemon to determine if a given app is installed and read the manifest.webmanifest contents, including the app version.
via "National Vulnerability Database".
‼ CVE-2023-31066 ‼
Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Different users in InLong could delete, edit, stop, and start others' sources. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7775 to solve it.
via "National Vulnerability Database".
‼ CVE-2023-33294 ‼
An issue was discovered in KaiOS 3.0 before 3.1. The /system/bin/tctweb_server binary exposes a local web server that responds to GET and POST requests on port 2929. The server accepts arbitrary Bash commands and executes them as root. Because it is not permission or context restricted and returns proper CORS headers, it's accessible to all websites via the browser. At a bare minimum, this allows an attacker to retrieve a list of the user's installed apps, notifications, and downloads. It also allows an attacker to delete local files and modify system properties including the boolean persist.moz.killswitch property (which would render the device inoperable). This vulnerability is partially mitigated by SELinux which prevents reads, writes, or modifications to files or permissions within protected partitions.
via "National Vulnerability Database".
‼ CVE-2023-27066 ‼
Directory Traversal vulnerability in Site Core Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via Urlhandle.
via "National Vulnerability Database".
‼ CVE-2023-32350 ‼
Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead providing a package with a malicious name that contains an OS command injection payload.
via "National Vulnerability Database".
‼ CVE-2023-32348 ‼
Teltonika’s Remote Management System versions prior to 4.10.0 contain a virtual private network (VPN) hub feature for cross-device communication that uses OpenVPN. It connects new devices in a manner that allows the new device to communicate with all Teltonika devices connected to the VPN. The OpenVPN server also allows users to route through it. An attacker could route a connection to a remote server through the OpenVPN server, enabling them to scan and access data from other Teltonika devices connected to the VPN.
via "National Vulnerability Database".
‼ CVE-2023-31098 ‼
Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.1.0 through 1.6.0. When users change their password to a simple password (with any character or symbol), attackers can easily guess the user's password and access the account. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7805 to solve it.
via "National Vulnerability Database".
‼ CVE-2023-2586 ‼
Teltonika’s Remote Management System version 4.14.0 is vulnerable to an unauthorized attacker registering previously unregistered devices through the RMS platform. If the user has not disabled the "RMS management feature" enabled by default, then an attacker could register that device to themselves. This could enable the attacker to perform different operations on the user's devices, including remote code execution with 'root' privileges (using the 'Task Manager' feature on RMS).
via "National Vulnerability Database".