βΌ CVE-2023-36468 βΌ
π Read
via "National Vulnerability Database".
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an XWiki installation is upgraded and that upgrade contains a fix for a bug in a document, just a new version of that document is added. In some cases, it's still possible to exploit the vulnerability that was fixed in the new version. The severity of this depends on the fixed vulnerability, for the purpose of this advisory take CVE-2022-36100/GHSA-2g5c-228j-p52x as example - it is easily exploitable with just view rights and critical. When XWiki is upgraded from a version before the fix for it (e.g., 14.3) to a version including the fix (e.g., 14.4), the vulnerability can still be reproduced by adding `rev=1.1` to the URL used in the reproduction steps so remote code execution is possible even after upgrading. Therefore, this affects the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability also affects manually added script macros that contained security vulnerabilities that were later fixed by changing the script macro without deleting the versions with the security vulnerability from the history. This vulnerability doesn't affect freshly installed versions of XWiki. Further, this vulnerability doesn't affect content that is only loaded from the current version of a document like the code of wiki macros or UI extensions. This vulnerability has been patched in XWiki 14.10.7 and 15.2RC1 by forcing old revisions to be executed in a restricted mode that disables all script macros. As a workaround, admins can manually delete old revisions of affected documents. A script could be used to identify all installed documents and delete the history for them. However, also manually added and later corrected code may be affected by this vulnerability so it is easy to miss documents.π Read
via "National Vulnerability Database".
βΌ CVE-2020-26710 βΌ
π Read
via "National Vulnerability Database".
easy-parse v0.1.1 was discovered to contain a XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3464 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in SimplePHPscripts Classified Ads Script 1.8. It has been classified as problematic. Affected is an unknown function of the file /preview.php of the component URL Parameter Handler. The manipulation of the argument p leads to cross site scripting. It is possible to launch the attack remotely. It is recommended to upgrade the affected component. VDB-232710 is the identifier assigned to this vulnerability.π Read
via "National Vulnerability Database".
β€3
βΌ CVE-2023-26966 βΌ
π Read
via "National Vulnerability Database".
libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.π Read
via "National Vulnerability Database".
β€3
βΌ CVE-2023-2846 βΌ
π Read
via "National Vulnerability Database".
Authentication Bypass by Capture-replay vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series main modules allows a remote unauthenticated attacker to cancel the password/keyword setting and login to the affected products by sending specially crafted packets.π Read
via "National Vulnerability Database".
β€1
βΌ CVE-2023-32613 βΌ
π Read
via "National Vulnerability Database".
Exposure of resource to wrong sphere issue exists in WL-WN531AX2 firmware versions prior to 2023526, which may allow a network-adjacent attacker to use functions originally available after login without logging in.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3474 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been found in SimplePHPscripts Simple Blog 3.2 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. It is recommended to upgrade the affected component. The identifier VDB-232753 was assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3473 βΌ
π Read
via "National Vulnerability Database".
A vulnerability, which was classified as critical, was found in Campcodes Retro Cellphone Online Store 1.0. Affected is an unknown function of the file /admin/edit_product.php. The manipulation of the argument username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-232752.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3475 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in SimplePHPscripts Event Script 2.1 and classified as problematic. Affected by this issue is some unknown functionality of the file preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. It is recommended to upgrade the affected component. VDB-232754 is the identifier assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32622 βΌ
π Read
via "National Vulnerability Database".
Improper neutralization of special elements in WL-WN531AX2 firmware versions prior to 2023526 allows an attacker with an administrative privilege to execute OS commands with the root privilege.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28387 βΌ
π Read
via "National Vulnerability Database".
"NewsPicks" App for Android versions 10.4.5 and earlier and "NewsPicks" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external service.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32621 βΌ
π Read
via "National Vulnerability Database".
WL-WN531AX2 firmware versions prior to 2023526 allows an attacker with an administrative privilege to upload arbitrary files and execute OS commands with the root privilege.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26135 βΌ
π Read
via "National Vulnerability Database".
All versions of the package flatnest are vulnerable to Prototype Pollution via the nest() function in flatnest/nest.js file.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3477 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in RocketSoft Rocket LMS 1.7. It has been declared as problematic. This vulnerability affects unknown code of the file /contact/store of the component Contact Form. The manipulation of the argument name/subject/message leads to cross site scripting. The attack can be initiated remotely. The identifier of this vulnerability is VDB-232756.π Read
via "National Vulnerability Database".
β€1
βΌ CVE-2023-32612 βΌ
π Read
via "National Vulnerability Database".
Client-side enforcement of server-side security issue exists in WL-WN531AX2 firmware versions prior to 2023526, which may allow an attacker with an administrative privilege to execute OS commands with the root privilege.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3476 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in SimplePHPscripts GuestBook Script 2.2. It has been classified as problematic. This affects an unknown part of the file preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-232755.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32620 βΌ
π Read
via "National Vulnerability Database".
Improper authentication vulnerability in WL-WN531AX2 firmware versions prior to 2023526 allows a network-adjacent attacker to obtain a password for the wireless network.π Read
via "National Vulnerability Database".
π’ Rubrik partners with Microsoft to drive generative AI-powered cyber recovery π’
π Read
via "ITPro".
Rubrik Security Cloud will integrate with Microsoft Sentinel and Azure OpenAI to accelerate recovery from cyber attacks π Read
via "ITPro".
ITPro
Rubrik partners with Microsoft to drive generative AI-powered cyber recovery
Rubrik Security Cloud will integrate with Microsoft Sentinel and Azure OpenAI to accelerate recovery from cyber attacks
π’ NHS data leak raises βserious questionsβ about Manchester University cyber attack π’
π Read
via "ITPro".
NHS patient data used for research purposes is believed to have been compromised in the June attack π Read
via "ITPro".
ITPro
NHS data leak raises βserious questionsβ about Manchester University cyber attack
NHS patient data used for research purposes is believed to have been compromised in the June attack
βΌ CVE-2023-3479 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8.π Read
via "National Vulnerability Database".
π’ TSMC faces $70 million LockBit ransom demand following hardware supplier breach π’
π Read
via "ITPro".
While TSMC has confirmed the breach, it has refuted claims that company operations have been disrupted by the incident π Read
via "ITPro".
ITPro
TSMC faces $70 million LockBit ransom demand following hardware supplier breach
While TSMC has confirmed the breach, it has refuted claims that company operations have been disrupted by the incident