Cyber Essentialism & 'Doing Less With Less'
Read via "Dark Reading".
Cybersecurity benefits from a focus on the vital few chores rather than the trivial many. Find the "right things" to encourage strategic thinking, then move the culture needle to promote that policy.
Firefox 114 is out: No 0-days, but one fascinating 'teachable moment' bug
Read via "Naked Security" (Sophos News).
With the right (or wrong, if you're on the right side of the fence) timing...
CVE-2023-1825
Read via "National Vulnerability Database".
An issue has been discovered in GitLab EE affecting all versions starting from 15.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. It was possible to disclose issue notes to an unauthorized user at project export.
CVE-2023-3146
Read via "National Vulnerability Database".
A vulnerability, which was classified as critical, was found in SourceCodester Online Discussion Forum Site 1.0. This affects an unknown part of the file admin\categories\manage_category.php. The manipulation of the argument id leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-231015.
Microsoft Fined $20M For Xbox Child Data Collection
Read via "Dark Reading".
The FTC has demanded additional data privacy protections for kids using Xbox gaming systems, extending COPPA protections.
CVE-2023-34234
Read via "National Vulnerability Database".
OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the `Governor` contract in v4.9.0 only, and the `GovernorCompatibilityBravo` contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. Users are advised to upgrade. Users unable to upgrade may submit the proposal creation transaction to an endpoint with frontrunning protection as a workaround.
CVE-2023-34108
Read via "National Vulnerability Database".
mailcow is a mail server suite based on Dovecot, Postfix and other open source software, that provides a modern web UI for user/server administration. A vulnerability has been discovered in mailcow which allows an attacker to manipulate internal Dovecot variables by using specially crafted passwords during the authentication process. The issue arises from the behavior of the `passwd-verify.lua` script, which is responsible for verifying user passwords during login attempts. Upon a successful login, the script returns a response in the format of "password=<valid-password>", indicating the successful authentication. By crafting a password with additional key-value pairs appended to it, an attacker can manipulate the returned string and influence the internal behavior of Dovecot. For example, using the password "123 mail_crypt_save_version=0" would cause the `passwd-verify.lua` script to return the string "password=123 mail_crypt_save_version=0". Consequently, Dovecot will interpret this string and set the internal variables accordingly, leading to unintended consequences. This vulnerability can be exploited by an authenticated attacker who has the ability to set their own password. Successful exploitation of this vulnerability could result in unauthorized access to user accounts, bypassing security controls, or other malicious activities. This issue has been patched in version `2023-05a`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Defenders Buckle Up for a Future of Detecting Deepfakes
Read via "Dark Reading".
Today, technology companies have high success rates against generative AI-created voices and videos, but future detection will be much more difficult.
Minecraft Malware Spreading Through Mods, Plug-ins
Read via "Dark Reading".
A worm virus called "fracturizer" has been embedded in modpacks from various sites, including CurseForge and CraftBukkit.
BeyondID Launches Initiative to Accelerate Zero Trust With Okta Identity Engine
Read via "Dark Reading".
OIE upgrade roadmap helps organizations become more secure; saves time, resources.
Radiflow's CIARA 4.0 Delivers Actionable Insights to Simplify the Management of OT Cyber-Risk at Industrial Facilities
Read via "Dark Reading".
CIARA V4.0 boosts compliance with security regulations and best practices while providing effective mitigation guidance. "CISOs are doing more with less, making it challenging to understand their current standing across the OT Cybersecurity landscape," said Ilan Barda, Radiflow CEO and co-founder.
CVE-2023-33496
Read via "National Vulnerability Database".
xxl-rpc v1.7.0 was discovered to contain a deserialization vulnerability via the component com.xxl.rpc.core.remoting.net.impl.netty.codec.NettyDecode#decode.
CVE-2023-31116
Read via "National Vulnerability Database".
An issue was discovered in the Shannon RCS component in Samsung Exynos Modem 5123 and 5300. An incorrect default permission can cause unintended querying of RCS capability via a crafted application.
CVE-2023-29168
Read via "National Vulnerability Database".
The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication.
CVE-2023-29502
Read via "National Vulnerability Database".
Before importing a project into Vuforia, a user could modify the "resourceDirectory" attribute in the appConfig.json file to be a different path.
CVE-2023-2904
Read via "National Vulnerability Database".
The External Visitor Manager portal of HID's SAFE versions 5.8.0 through 5.11.3 is vulnerable to manipulation within web fields in the application programmable interface (API). An attacker could log in using account credentials available through a request generated by an internal user and then manipulate the visitor-id within the web API to access the personal data of other users. There is no limit on the number of requests that can be made to the HID SAFE Web Server, so an attacker could also exploit this vulnerability to create a denial-of-service condition.
CVE-2023-29152
Read via "National Vulnerability Database".
By changing the filename parameter in the request, an attacker could delete any file with the permissions of the Vuforia server account.
CVE-2023-31200
Read via "National Vulnerability Database".
PTC Vuforia Studio does not require a token; this could allow an attacker with local access to perform a cross-site request forgery attack or a replay attack.
CVE-2023-33846
Read via "National Vulnerability Database".
IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard 11.1, CICS TX Advanced 10.1, and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 257100.
CVE-2023-23481
Read via "National Vulnerability Database".
IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 245889.
Barracuda Networks says hacked devices "must be immediately replaced" despite patches
Read via "ITPro".
Seven-month exploitation of a critical vulnerability enabled persistent backdoor access in its email security gateway devices.