βΌ CVE-2023-32628 βΌ
π Read
via "National Vulnerability Database".
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to modify the file extension of a certificate file to ASP when uploading it, which can lead to remote code execution.π Read
via "National Vulnerability Database".
β MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to doβ¦ β
π Read
via "Naked Security".
Little Bobby Tables is back!π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
βΌ CVE-2022-48441 βΌ
π Read
via "National Vulnerability Database".
In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33230 βΌ
π Read
via "National Vulnerability Database".
Memory corruption in FM Host due to buffer copy without checking the size of input in FM Hostπ Read
via "National Vulnerability Database".
βΌ CVE-2023-30863 βΌ
π Read
via "National Vulnerability Database".
In Connectivity Service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2023-21670 βΌ
π Read
via "National Vulnerability Database".
Memory Corruption in GPU Subsystem due to arbitrary command execution from GPU in privileged mode.π Read
via "National Vulnerability Database".
π΄ ChatGPT Hallucinations Open Developers to Supply-Chain Malware Attacks π΄
π Read
via "Dark Reading".
Attackers could exploit a common AI experienceβfalse recommendationsβto spread malicious code via developers that use ChatGPT to create software.π Read
via "Dark Reading".
Dark Reading
ChatGPT Hallucinations Open Developers to Supply Chain Malware Attacks
Attackers could exploit a common AI experience β false recommendations β to spread malicious code via developers that use ChatGPT to create software.
βΌ CVE-2023-1779 βΌ
π Read
via "National Vulnerability Database".
Exposure of Sensitive Information to an unauthorized actor vulnerabilityΓ in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual in versions <=2.13.3 allow an authorized remote attacker with low privileges to view a limited amount of another accounts contact information.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2833 βΌ
π Read
via "National Vulnerability Database".
The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the 'rx_set_screen_options' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_screen_options[option]' and 'wp_screen_options[value]' parameters during a screen option update.π Read
via "National Vulnerability Database".
π΄ US Aerospace Contractor Hacked With 'PowerDrop' Backdoor π΄
π Read
via "Dark Reading".
Hackers used a little to do a lot, cracking a high-value target with hardly more than the living-off-the-land tools (PowerShell especially) found on any standard Windows computer.π Read
via "Dark Reading".
Dark Reading
US Aerospace Contractor Hacked With 'PowerDrop' Backdoor
Hackers used a little to do a lot, cracking a high-value target with hardly more than the living-off-the-land tools (PowerShell especially) found on any standard Windows computer.
β€2
π΄ Filling the Gaps: How to Secure the Future of Hybrid Work π΄
π Read
via "Dark Reading".
By enhancing remote management and adopting hardware-enforced security, productivity can continue without inviting extra cyber-risk.π Read
via "Dark Reading".
Dark Reading
Filling the Gaps: How to Secure the Future of Hybrid Work
By enhancing remote management and adopting hardware-enforced security, productivity can continue without inviting extra cyber-risk.
βΌ CVE-2023-20724 βΌ
π Read
via "National Vulnerability Database".
In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07843845; Issue ID: ALPS07843841.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20733 βΌ
π Read
via "National Vulnerability Database".
In vcu, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07645149; Issue ID: ALPS07645149.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20747 βΌ
π Read
via "National Vulnerability Database".
In vcu, there is a possible memory corruption due to type confusion. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07519103; Issue ID: ALPS07519121.π Read
via "National Vulnerability Database".
βΌ CVE-2023-33532 βΌ
π Read
via "National Vulnerability Database".
There is a command injection vulnerability in the Netgear R6250 router with Firmware Version 1.0.4.48. If an attacker gains web management privileges, they can inject commands into the post request parameters, thereby gaining shell privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30948 βΌ
π Read
via "National Vulnerability Database".
A security defect in Foundry's Comments functionality resulted in the retrieval of attachments to comments not being gated by additional authorization checks. This could enable an authenticated user to inject a prior discovered attachment UUID into other arbitrary comments to discover it's content.This defect was fixed in Foundry Comments 2.249.0, and a patch was rolled out to affected Foundry environments. No further intervention is required at this time.π Read
via "National Vulnerability Database".
β Chrome zero-day: βThis exploit is in the wildβ, so check your version now β
π Read
via "Naked Security".
Chrome 0-day patched now, Edge patch coming soon.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
βΌ CVE-2023-0921 βΌ
π Read
via "National Vulnerability Database".
A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32281 βΌ
π Read
via "National Vulnerability Database".
The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to an out-of-bounds read in the FontManager. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.π Read
via "National Vulnerability Database".
βΌ CVE-2023-33651 βΌ
π Read
via "National Vulnerability Database".
An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27126 βΌ
π Read
via "National Vulnerability Database".
The AES Key-IV pair used by the TP-Link TAPO C200 camera V3 (EU) on firmware version 1.1.22 Build 220725 is reused across all cameras. An attacker with physical access to a camera is able to extract and decrypt sensitive data containing the Wifi password and the TP-LINK account credential of the victim.π Read
via "National Vulnerability Database".