βΌ CVE-2023-30948 βΌ
π Read
via "National Vulnerability Database".
A security defect in Foundry's Comments functionality resulted in the retrieval of attachments to comments not being gated by additional authorization checks. This could enable an authenticated user to inject a prior discovered attachment UUID into other arbitrary comments to discover it's content.This defect was fixed in Foundry Comments 2.249.0, and a patch was rolled out to affected Foundry environments. No further intervention is required at this time.π Read
via "National Vulnerability Database".
β Chrome zero-day: βThis exploit is in the wildβ, so check your version now β
π Read
via "Naked Security".
Chrome 0-day patched now, Edge patch coming soon.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
βΌ CVE-2023-0921 βΌ
π Read
via "National Vulnerability Database".
A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32281 βΌ
π Read
via "National Vulnerability Database".
The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to an out-of-bounds read in the FontManager. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.π Read
via "National Vulnerability Database".
βΌ CVE-2023-33651 βΌ
π Read
via "National Vulnerability Database".
An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27126 βΌ
π Read
via "National Vulnerability Database".
The AES Key-IV pair used by the TP-Link TAPO C200 camera V3 (EU) on firmware version 1.1.22 Build 220725 is reused across all cameras. An attacker with physical access to a camera is able to extract and decrypt sensitive data containing the Wifi password and the TP-LINK account credential of the victim.π Read
via "National Vulnerability Database".
π΄ Netskope Intelligent SSE Selected by Transdev to Secure and Connect its Hybrid Workforce π΄
π Read
via "Dark Reading".
Implementation is part of Transdev's Cloud-First approach to better manage technological obsolescence.π Read
via "Dark Reading".
Dark Reading
Netskope Intelligent SSE Selected by Transdev to Secure and Connect its Hybrid Workforce
Implementation is part of Transdev's Cloud-First approach to better manage technological obsolescence.
π΄ ILTA and Conversant Group Release Cybersecurity Benchmarking Survey of the Legal Industry π΄
π Read
via "Dark Reading".
Joint research highlights disconnect between legal IT and recommended cybersecurity practices.π Read
via "Dark Reading".
Dark Reading
ILTA and Conversant Group Release Cybersecurity Benchmarking Survey of the Legal Industry
Joint research highlights disconnect between legal IT and recommended cybersecurity practices.
π΄ With SEC Rule Changes on the Horizon, Research Reveals Only 14% of CISOs Have Traits Desired for Cyber Expert Board Positions π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
With SEC Rule Changes on the Horizon, Research Reveals Only 14% of CISOs Have Traits Desired for Cyber Expert Board Positions
BOSTON, June 6, 2023 /PRNewswire/ -- Today, IANS Research, Artico Search and The CAP Group released its CISO as Board Directors - CISO Board Readiness Analysis, a collaborative research study that evaluates the qualifications of Chief Information Securityβ¦
π΄ Verizon DBIR: Social Engineering Breaches Double, Leading to Spiraling Ransomware Costs π΄
π Read
via "Dark Reading".
Ransomware continues its runaway growth with median payments reaching $50,000 per incident.π Read
via "Dark Reading".
Dark Reading
Verizon DBIR: Social Engineering Breaches Double, Leading to Spiraling Ransomware Costs
Ransomware continues its runaway growth with median payments reaching $50,000 per incident.
βΌ CVE-2023-2603 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.π Read
via "National Vulnerability Database".
βΌ CVE-2023-29632 βΌ
π Read
via "National Vulnerability Database".
PrestaShop jmspagebuilder 3.x is vulnerable to SQL Injection via ajax_jmspagebuilder.php.π Read
via "National Vulnerability Database".
βΌ CVE-2020-36723 βΌ
π Read
via "National Vulnerability Database".
The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Sensitive Data Exposure in versions before 2.6.1 via the ~/listingpro-plugin/functions.php file. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, full names, email addresses, phone numbers, physical addresses and user post counts.π Read
via "National Vulnerability Database".
βΌ CVE-2020-36730 βΌ
π Read
via "National Vulnerability Database".
The CMP for WordPress is vulnerable to authorization bypass due to a missing capability check on the cmp_get_post_detail(), niteo_export_csv(), and cmp_disable_comingsoon_ajax() functions in versions up to, and including, 3.8.1. This makes it possible for unauthenticated attackers to read posts, export subscriber lists, and/or deactivate the plugin.π Read
via "National Vulnerability Database".
βΌ CVE-2019-25144 βΌ
π Read
via "National Vulnerability Database".
The WP HTML Mail plugin for WordPress is vulnerable to HTML injection in versions up to, and including, 2.2.10 due to insufficient input sanitization. This makes it possible for unauthenticated attackers to inject arbitrary HTML in pages that execute if they can successfully trick a administrator into performing an action such as clicking on a link.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0668 βΌ
π Read
via "National Vulnerability Database".
Due to failure in validating the length provided by an attacker-crafted IEEE-C37.118 packet, Wireshark version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark.π Read
via "National Vulnerability Database".
βΌ CVE-2020-36696 βΌ
π Read
via "National Vulnerability Database".
The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_downloads() function in versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to download files from the vulnerable service.π Read
via "National Vulnerability Database".
βΌ CVE-2020-36700 βΌ
π Read
via "National Vulnerability Database".
The Page Builder: KingComposer plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.9.3. This is due to a security nonce being leaked in the '/wp-admin/index.php' page. This makes it possible for authenticated attackers to change arbitrary WordPress options, delete arbitrary files/folders, and inject arbitrary content.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-30576 βΌ
π Read
via "National Vulnerability Database".
Apache Guacamole 0.9.10 through 1.5.1 may continue to reference a freed RDP audio input buffer. Depending on timing, this may allow an attacker to execute arbitrary code with the privileges of the guacd process.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2186 βΌ
π Read
via "National Vulnerability Database".
On Triangle MicroWorks' SCADA Data Gateway version <= v5.01.03, an unauthenticated attacker can send a specially crafted broadcast message including format string characters to the SCADA Data Gateway to perform unrestricted memory reads.An unauthenticated user can use this format string vulnerability to repeatedly crash the GTWWebMonitor.exe process to DoS the Web Monitor. Furthermore, an authenticated user can leverage this vulnerability to leak memory from the GTWWebMonitor.exe process. This could be leveraged in an exploit chain to gain code execution.π Read
via "National Vulnerability Database".
π’ MOVEit cyber attack: Cl0p sparks speculation that itβs lost control of hack π’
π Read
via "ITPro".
The hackers return with their second major data-extortion attack of 2023, but may have bitten off more than they can chew π Read
via "ITPro".
ITPro
MOVEit cyber attack: Cl0p sparks speculation that itβs lost control of hack
The hackers return with their second major data-extortion attack of 2023, but may have bitten off more than they can chew