CVE-2023-26062
via "National Vulnerability Database".
A mobile network solution internal fault is found in Nokia Web Element Manager before 22 R1, in which an authenticated, unprivileged user can execute administrative functions. Exploitation is not possible from outside of the mobile network solution architecture. This means that exploitation is not possible from mobile network user UEs, from roaming networks, or from the Internet. Exploitation is possible only from a CSP (Communication Service Provider) mobile network solution internal BTS management network.
CVE-2023-34565
via "National Vulnerability Database".
Netbox 3.5.1 is vulnerable to Cross Site Scripting (XSS) in the "Create Wireless LAN Groups" function.
Russian APT 'Cadet Blizzard' Behind Ukraine Wiper Attacks
via "Dark Reading".
Microsoft says Cadet Blizzard wielded a custom wiper malware in the weeks leading up to Russia's invasion of Ukraine, and it remains capable of wanton destruction.
CVE-2023-34252
via "National Vulnerability Database".
Grav is a file-based Web platform. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. The vulnerability can be found in the `GravExtension.filterFilter()` function declared in `/system/src/Grav/Common/Twig/Extension/GravExtension.php`. Version 1.7.42 contains a patch for this issue. End users should also ensure that `twig.undefined_functions` and `twig.undefined_filters` properties in `/path/to/webroot/system/config/system.yaml` configuration file are set to `false` to disallow Twig from treating undefined filters/functions as PHP functions and executing them.
CVE-2023-2819
via "National Vulnerability Database".
A stored cross-site scripting vulnerability in the Sources UI in Proofpoint Threat Response/Threat Response Auto Pull (PTR/TRAP) could allow an authenticated administrator on an adjacent network to replace the image file with an arbitrary MIME type. This could result in arbitrary JavaScript code execution in an admin context. All versions prior to 5.10.0 are affected.
Cryptocurrency Attacks Quadrupled as Cybercriminals Cash In
via "Dark Reading".
Attackers continue to attempt to steal Bitcoin and other virtual coins, with a 40% increase in phishing attacks and fourfold increase in incidents.
Network-Security Testing Standard Nears Prime Time
via "Dark Reading".
The evaluation of network-security appliances gained ground in May with a new draft of its testing and benchmarking guide, which could be adopted later this year.
NetSecOpen recently released a new draft of its testing and benchmarking guide, which could be adopted later this year.
CVE-2022-22307
via "National Vulnerability Database".
IBM Security Guardium 11.3, 11.4, and 11.5 could allow a local user to obtain elevated privileges due to incorrect authorization checks. IBM X-Force ID: 216753.
CVE-2023-35029
via "National Vulnerability Database".
Open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.
CVE-2022-32752
via "National Vulnerability Database".
IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 228439.
CVE-2022-33159
via "National Vulnerability Database".
IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 228567.
CVE-2023-25683
via "National Vulnerability Database".
IBM PowerVM Hypervisor FW950.00 through FW950.71, FW1010.00 through FW1010.40, FW1020.00 through FW1020.20, and FW1030.00 through FW1030.11 could allow an attacker to obtain sensitive information if they gain service access to the HMC. IBM X-Force ID: 247592.
CVE-2022-4149
via "National Vulnerability Database".
The Netskope client service (prior to R96) on Windows runs as NT AUTHORITY\SYSTEM and writes log files to a directory (C:\Users\Public\netSkope) that is writable by a standard user. The files are created and written with a SYSTEM account except one file (logplaceholder), which inherits permissions giving all users a full access control list. The Netskope client restricts access to this file by allowing only read permissions as a standard user. Whenever the Netskope client service restarts, it deletes the logplaceholder and recreates it, creating a race condition which can be exploited by a malicious local user to create the file and set ACL permissions on it. Once the file is created by a malicious user with proper ACL permissions, all files within C:\Users\Public\netSkope\ become modifiable by the unprivileged user. By using a Windows pseudo-symlink, these files can be pointed to other places in the system and thus malicious users will be able to elevate privileges.
CVE-2023-2270
via "National Vulnerability Database".
The Netskope client service running with NT\SYSTEM privileges accepts network connections from localhost to start various services and execute commands. The connection handling function of Netskope client before R100 in this service utilized a relative path to download and unzip configuration files on the machine. This relative path provided a way for local users to write arbitrary files at a location which is accessible to only higher privileged users. This can be exploited by local users to execute code with NT\SYSTEM privileges on the end machine.
CVE-2023-35030
via "National Vulnerability Database".
Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.
CVE-2023-2847
via "National Vulnerability Database".
During internal security analysis, a local privilege escalation vulnerability has been identified. On a machine with the affected ESET product installed, due to improper privilege management it was possible for a user with lower privileges to trigger actions with root privileges. ESET remedied this possible attack vector and has prepared new builds of its products that are no longer susceptible to this vulnerability.
CVE-2023-32229
via "National Vulnerability Database".
Due to an error in the software interface to the secure element chip on Bosch IP cameras of family CPP13 and CPP14, the chip can be permanently damaged when enabling the Stream security option (signing of the video stream) with option MD5, SHA-1 or SHA-256.
Patch Tuesday fixes 4 critical RCE bugs, and a bunch of Office holes
via "Naked Security".
No zero-days this month, if you ignore the Edge RCE hole patched last week.
CVE-2023-3275
via "National Vulnerability Database".
A vulnerability classified as critical was found in PHPGurukul Rail Pass Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /view-pass-detail.php of the component POST Request Handler. The manipulation of the argument searchdata leads to sql injection. The attack can be launched remotely. The identifier VDB-231625 was assigned to this vulnerability.
CVE-2023-25450
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in GiveWP – Donation Plugin and Fundraising Platform plugin <= 2.25.1 versions.
Borderless Data vs. Data Sovereignty: Can They Co-Exist?
via "Dark Reading".
Organizations that remain compliant with data-sovereignty regulations while enabling cross-border data sharing gain significant competitive advantage because they can make quick, agile, and informed decisions.