βΌ CVE-2022-24631 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is stored XSS via the ajaxTenants.php desc parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24627 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the process_login.php login form.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24580 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-24580. Reason: This candidate is a duplicate of CVE-2023-24580. A typo caused the wrong ID to be used. Notes: All CVE users should reference CVE-2023-24580 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30571 βΌ
π Read
via "National Vulnerability Database".
Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.π Read
via "National Vulnerability Database".
βΌ CVE-2014-125102 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as problematic was found in Bestwebsoft Relevant Plugin up to 1.0.7 on WordPress. Affected by this vulnerability is an unknown functionality of the component Thumbnail Handler. The manipulation leads to information disclosure. The attack can be launched remotely. Upgrading to version 1.0.8 is able to address this issue. The name of the patch is 860d1891025548cf0f5f97364c1f51a888f523c3. It is recommended to upgrade the affected component. The identifier VDB-230113 was assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32698 βΌ
π Read
via "National Vulnerability Database".
nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing itΓ’β¬β’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.π Read
via "National Vulnerability Database".
π₯1
βΌ CVE-2023-27988 βΌ
π Read
via "National Vulnerability Database".
The post-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.13)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device remotely.π Read
via "National Vulnerability Database".
π₯1
βΌ CVE-2023-33245 βΌ
π Read
via "National Vulnerability Database".
Minecraft through 1.19 and 1.20 pre-releases before 7 (Java) allow arbitrary file overwrite, and possibly code execution, via crafted world data that contains a symlink.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0443 βΌ
π Read
via "National Vulnerability Database".
The AnyWhere Elementor WordPress plugin before 1.2.8 discloses a Freemius Secret Key which could be used by an attacker to purchase the pro subscription using test credit card numbers without actually paying the amount. Such key has been revoked.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2972 βΌ
π Read
via "National Vulnerability Database".
Prototype Pollution in GitHub repository antfu/utils prior to 0.7.3.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45853 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.π Read
via "National Vulnerability Database".
βΌ CVE-2023-33234 βΌ
π Read
via "National Vulnerability Database".
Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection.In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner.Γ Operators should upgrade to provider version 7.0.0 which has removed the vulnerability.π Read
via "National Vulnerability Database".
π΄ Pentagon Leaks Emphasize the Need for a Trusted Workforce π΄
π Read
via "Dark Reading".
Tightening access controls and security clearance alone won't prevent insider threat risks motivated by lack of trust or loyalty.π Read
via "Dark Reading".
Dark Reading
Pentagon Leaks Emphasize the Need for a Trusted Workforce
Tightening access controls and security clearance alone won't prevent insider threat risks motivated by lack of trust or loyalty.
βΌ CVE-2023-30196 βΌ
π Read
via "National Vulnerability Database".
Prestashop salesbooster <= 1.10.4 is vulnerable to Incorrect Access Control via modules/salesbooster/downloads/download.php.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2650 βΌ
π Read
via "National Vulnerability Database".
Issue summary: Processing some specially crafted ASN.1 object identifiers ordata containing them may be very slow.Impact summary: Applications that use OBJ_obj2txt() directly, or use any ofthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no messagesize limit may experience notable to very long delays when processing thosemessages, which may lead to a Denial of Service.An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -most of which have no size limit. OBJ_obj2txt() may be used to translatean ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSLtype ASN1_OBJECT) to its canonical numeric text form, which are thesub-identifiers of the OBJECT IDENTIFIER in decimal form, separated byperiods.When one of the sub-identifiers in the OBJECT IDENTIFIER is very large(these are sizes that are seen as absurdly large, taking up tens or hundredsof KiBs), the translation to a decimal number in text may take a very longtime. The time complexity is O(n^2) with 'n' being the size of thesub-identifiers in bytes (*).With OpenSSL 3.0, support to fetch cryptographic algorithms using names /identifiers in string form was introduced. This includes using OBJECTIDENTIFIERs in canonical numeric text form as identifiers for fetchingalgorithms.Such OBJECT IDENTIFIERs may be received through the ASN.1 structureAlgorithmIdentifier, which is commonly used in multiple protocols to specifywhat cryptographic algorithm should be used to sign or verify, encrypt ordecrypt, or digest passed data.Applications that call OBJ_obj2txt() directly with untrusted data areaffected, with any version of OpenSSL. If the use is for the mere purposeof display, the severity is considered low.In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,CMS, CMP/CRMF or TS. It also impacts anything that processes X.509certificates, including simple things like verifying its signature.The impact on TLS is relatively low, because all versions of OpenSSL have a100KiB limit on the peer's certificate chain. Additionally, this onlyimpacts clients, or servers that have explicitly enabled clientauthentication.In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,such as X.509 certificates. This is assumed to not happen in such a waythat it would cause a Denial of Service, so these versions are considerednot affected by this issue in such a way that it would be cause for concern,and the severity is therefore considered low.π Read
via "National Vulnerability Database".
π2
βΌ CVE-2023-2981 βΌ
π Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, has been found in Abstrium Pydio Cells 4.2.0. This issue affects some unknown processing of the component Chat. The manipulation leads to basic cross site scripting. The attack may be initiated remotely. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-230213 was assigned to this vulnerability.π Read
via "National Vulnerability Database".
π΄ 9M Dental Patients Affected by LockBit Attack on MCNA π΄
π Read
via "Dark Reading".
The government-sponsored dental and oral healthcare provider warned its customers that a March attack exposed sensitive data, some of which was leaked online by the ransomware group.π Read
via "Dark Reading".
Dark Reading
9M Dental Patients Affected by LockBit Attack on MCNA
The government-sponsored dental and oral healthcare provider warned its customers that a March attack exposed sensitive data, some of which was leaked online by the ransomware group.
π1
π OpenSSL Toolkit 3.0.9 π
π Read
via "Packet Storm Security".
OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide. The 3.x series is the current major version of OpenSSL.π Read
via "Packet Storm Security".
Packetstormsecurity
OpenSSL Toolkit 3.0.9 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
π΄ Undetected Attacks Against Middle East Targets Conducted Since 2020 π΄
π Read
via "Dark Reading".
Targeted attacks against Saudi Arabia and other Middle East nations have been detected with a tool that's been in the wild since 2020.π Read
via "Dark Reading".
Dark Reading
Undetected Attacks Against Middle East Targets Conducted Since 2020
Targeted attacks against Saudi Arabia and other Middle East nations have been detected with a tool that's been in the wild since 2020.
β Serious Security: Verification is vital β examining an OAUTH login bug β
π Read
via "Naked Security".
What good is a popup asking for your approval if an attacker can bypass it simply by suprpessing it?π Read
via "Naked Security".
βΌ CVE-2022-4240 βΌ
π Read
via "National Vulnerability Database".
Missing Authentication for Critical Function vulnerability in Honeywell OneWireless allows Authentication Bypass.Γ This issue affects OneWireless version 322.1π Read
via "National Vulnerability Database".
π1