βΌ CVE-2023-2870 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in EnTech Monitor Asset Manager 2.9. It has been declared as problematic. Affected by this vulnerability is the function 0x80002014 of the component IoControlCode Handler. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The identifier VDB-229849 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.π Read
via "National Vulnerability Database".
π4
βΌ CVE-2023-25029 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in utahta WP Social Bookmarking Light plugin <=Γ 2.0.7 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32964 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Made with Fuel Better Notifications for WP plugin <=Γ 1.9.2 versions.π Read
via "National Vulnerability Database".
β€1π1
βοΈ Phishing Domains Tanked After Meta Sued Freenom βοΈ
π Read
via "Krebs on Security".
The number of phishing websites tied to domain name registrar Freenom dropped precipitously in the months surrounding a recent lawsuit from social networking giant Meta, which alleged the free domain name provider has a long history of ignoring abuse complaints about phishing websites while monetizing traffic to those abusive domains.π Read
via "Krebs on Security".
Krebs on Security
Phishing Domains Tanked After Meta Sued Freenom
The number of phishing websites tied to domain name registrar Freenom dropped precipitously in the months surrounding a recent lawsuit from social networking giant Meta, which alleged the free domain name provider has a long history of ignoring abuse complaintsβ¦
π1
β S3 Ep136: Navigating a manic malware maelstrom β
π Read
via "Naked Security".
Latest episode - listen now. Full transcript inside...π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ Travel-Themed Phishing, BEC Campaigns Get Smarter as Summer Season Arrives π΄
π Read
via "Dark Reading".
Phishing campaigns targeting travelers have evolved from simple, easy-to-spot fraud attempts to highly sophisticated operations.π Read
via "Dark Reading".
Dark Reading
Travel-Themed Phishing, BEC Campaigns Get Smarter as Summer Season Arrives
Phishing campaigns targeting travelers have evolved from simple, easy-to-spot fraud attempts to highly sophisticated operations.
βΌ CVE-2023-33440 βΌ
π Read
via "National Vulnerability Database".
Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.π Read
via "National Vulnerability Database".
βΌ CVE-2021-46882 βΌ
π Read
via "National Vulnerability Database".
The video framework has memory overwriting caused by addition overflow. Successful exploitation of this vulnerability may affect availability.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-33720 βΌ
π Read
via "National Vulnerability Database".
mp4v2 v2.1.2 was discovered to contain a memory leak via the class MP4BytesProperty.π Read
via "National Vulnerability Database".
π΄ Tesla Whistleblower Leaks 100GB of Data, Revealing Safety Complaints π΄
π Read
via "Dark Reading".
Informants have released data that includes thousands of safety complaints the company has received about its self-driving capability, as well as sensitive information regarding current and past employees.π Read
via "Dark Reading".
Dark Reading
Tesla Whistleblower Leaks 100GB of Data, Revealing Safety Complaints
Informants have released data that includes thousands of safety complaints the company has received about its self-driving capability, as well as sensitive information regarding current and past employees.
π΄ 130K+ Patients' Social Security Numbers Leaked in UHS of Delaware Data Breach π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
130K+ Patients' Social Security Numbers Leaked in UHS of Delaware Data Breach
MARLTON, N.J., May 25, 2023 /PRNewswire/ -- Approximately 130,000 patients in Texas β and an untold number of others nationwide β are being notified that their protected health information was compromised when hackers breached the computer system of Universalβ¦
βΌ CVE-2023-20868 βΌ
π Read
via "National Vulnerability Database".
NSX-T contains a reflected cross-site scripting vulnerability due to a lack of input validation. A remote attacker can inject HTML or JavaScript to redirect to malicious pages.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32318 βΌ
π Read
via "National Vulnerability Database".
Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be authenticated as the previously logged in user. It is recommended that the Nextcloud Server is upgraded to 25.0.6 or 26.0.1.π Read
via "National Vulnerability Database".
π΄ 2 Lenses for Examining the Safety of Open Source Software π΄
π Read
via "Dark Reading".
Improving the security of open source repositories and keeping malicious components out requires a combination of technology and people.π Read
via "Dark Reading".
β€1
βΌ CVE-2023-33197 βΌ
π Read
via "National Vulnerability Database".
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.π Read
via "National Vulnerability Database".
β€1π1
βΌ CVE-2023-2854 βΌ
π Read
via "National Vulnerability Database".
BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture fileπ Read
via "National Vulnerability Database".
βΌ CVE-2023-21515 βΌ
π Read
via "National Vulnerability Database".
InstantPlay which included vulnerable script which could execute javascript in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32321 βΌ
π Read
via "National Vulnerability Database".
CKAN is an open-source data management system for powering data hubs and data portals. Multiple vulnerabilities have been discovered in Ckan which may lead to remote code execution. An arbitrary file write in `resource_create` and `package_update` actions, using the `ResourceUploader` object. Also reachable via `package_create`, `package_revise`, and `package_patch` via calls to `package_update`. Remote code execution via unsafe pickle loading, via Beaker's session store when configured to use the file session store backend. Potential DOS due to lack of a length check on the resource id. Information disclosure: A user with permission to create a resource can access any other resource on the system if they know the id, even if they don't have access to it. Resource overwrite: A user with permission to create a resource can overwrite any resource if they know the id, even if they don't have access to it. A user with permissions to create or edit a dataset can upload a resource with a specially crafted id to write the uploaded file in an arbitrary location. This can be leveraged to Remote Code Execution via Beaker's insecure pickle loading. All the above listed vulnerabilities have been fixed in CKAN 2.9.9 and CKAN 2.10.1. Users are advised to upgrade. There are no known workarounds for these issues.π Read
via "National Vulnerability Database".
π2
βΌ CVE-2023-33192 βΌ
π Read
via "National Vulnerability Database".
ntpd-rs is an NTP implementation written in Rust. ntpd-rs does not validate the length of NTS cookies in received NTP packets to the server. An attacker can crash the server by sending a specially crafted NTP packet containing a cookie shorter than what the server expects. The server also crashes when it is not configured to handle NTS packets. The issue was caused by improper slice indexing. The indexing operations were replaced by safer alternatives that do not crash the ntpd-rs server process but instead properly handle the error condition. A patch was released in version 0.3.3.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-32325 βΌ
π Read
via "National Vulnerability Database".
PostHog-js is a library to interface with the PostHog analytics tool. Versions prior to 1.57.2 have the potential for cross-site scripting. Problem has been patched in 1.57.2. Users are advised to upgrade. Users unable to upgrade should ensure that their Content Security Policy is in place.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32688 βΌ
π Read
via "National Vulnerability Database".
parse-server-push-adapter is the official Push Notification adapter for Parse Server. The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. This issue has been patched in version 4.1.3.π Read
via "National Vulnerability Database".