CVE-2023-2932
Use after free in PDF in Google Chrome prior to 114.0.5735.90 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)
via "National Vulnerability Database".
CVE-2023-33962
JStachio is a type-safe Java Mustache templating engine. Prior to version 1.0.1, JStachio fails to escape single quotes `'` in HTML, allowing an attacker to inject malicious code. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of other users visiting pages that use this template engine. This can lead to various consequences, including session hijacking, defacement of web pages, theft of sensitive information, or even the propagation of malware. Version 1.0.1 contains a patch for this issue. To mitigate this vulnerability, the template engine should properly escape special characters, including single quotes. Common practice is to escape `'` as `&#39;`. As a workaround, users can avoid this issue by using only double quotes `"` for HTML attributes.
via "National Vulnerability Database".
Discord Admins Hacked by Malicious Bookmarks
A number of Discord communities focused on cryptocurrency have been hacked this past month after their administrators were tricked into running malicious JavaScript code disguised as a Web browser bookmark.
via "Krebs on Security".
Spotlight on 2023 Dan Kaminsky Fellow: Dr. Gus Andrews
As the second Kaminsky Fellow, Dr. Andrews will study the use of threat intelligence to track campaigns against the human rights community.
via "Dark Reading".
CVE-2023-2998
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.14.
via "National Vulnerability Database".
CVE-2022-47526
Fox-IT DataDiode (aka Fox DataDiode) 3.4.3 suffers from a path traversal vulnerability with resultant arbitrary writing of files. A remote attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the downstream node user. Exploitation of this issue does not require user interaction.
via "National Vulnerability Database".
CVE-2023-3004
A vulnerability, which was classified as critical, has been found in SourceCodester Simple Chat System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=read_msg of the component POST Parameter Handler. The manipulation of the argument convo_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230348.
via "National Vulnerability Database".
CVE-2023-25539
Dell NetWorker 19.6.1.2 contains an OS command injection vulnerability in the NetWorker client. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. This is a high severity vulnerability, as exploitation allows an attacker to take complete control of a system, so Dell recommends that customers upgrade at the earliest opportunity.
via "National Vulnerability Database".
CVE-2023-3003
A vulnerability classified as critical was found in SourceCodester Train Station Ticketing System 1.0. Affected by this vulnerability is an unknown functionality of the file manage_prices.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230347.
via "National Vulnerability Database".
Serious Security: Verification is vital - examining an OAUTH login bug
What good is a popup asking for your approval if an attacker can bypass it simply by suppressing it?
via "Naked Security".
CrowdStrike's new generative AI security tool harnesses human-validated threat data
Charlotte AI will be trained on a "continuous human feedback loop" from CrowdStrike security products.
via "ITPro".
CVE-2023-2909
EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below.
via "National Vulnerability Database".
Salesforce 'Ghost Sites' Expose Sensitive Corporate Data
Some companies have moved on from using Salesforce. But without remembering to fully deactivate their clouds, Salesforce won't move on from them.
via "Dark Reading".
Focus Security Efforts on Choke Points, Not Visibility
By finding the places where attack paths converge, you can slash multiple exposures in one fix for more efficient remediation.
via "Dark Reading".
CVE-2023-33508
KramerAV VIA GO² < 4.0.1.1326 is vulnerable to unauthenticated file upload resulting in Remote Code Execution (RCE).
via "National Vulnerability Database".
CVE-2023-33509
KramerAV VIA GO² < 4.0.1.1326 is vulnerable to SQL Injection.
via "National Vulnerability Database".
CVE-2023-3009
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
via "National Vulnerability Database".
CVE-2023-33736
A stored cross-site scripting (XSS) vulnerability in Dcat-Admin v2.1.3-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter.
via "National Vulnerability Database".
CVE-2023-3007
A vulnerability was found in ningzichun Student Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file resetPassword.php of the component Password Reset Handler. The manipulation of the argument sid leads to weak password recovery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-230354 is the identifier assigned to this vulnerability.
via "National Vulnerability Database".
CVE-2023-33487
TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contains a command insertion vulnerability in setDiagnosisCfg. This vulnerability allows an attacker to execute arbitrary commands through the "ip" parameter.
via "National Vulnerability Database".
CVE-2023-3008
A vulnerability classified as critical has been found in ningzichun Student Management System 1.0. This affects an unknown part of the file login.php. The manipulation of the argument user/pass leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230355.
via "National Vulnerability Database".