‼ CVE-2023-24497 ‼
📖 Read
via "National Vulnerability Database".
Cross-site scripting (xss) vulnerabilities exist in the requestHandlers.js detail_device functionality of Milesight VPN v2.0.2. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger these vulnerabilities.This XSS is exploited through the remote_subnet field of the database📖 Read
via "National Vulnerability Database".
🕴 Cybersecurity's Future Hinges on Stronger Public-Private Partnerships 🕴
📖 Read
via "Dark Reading".
Public and private sector organizations must collaborate on a shared cybersecurity agenda to protect and benefit society at large. 📖 Read
via "Dark Reading".
Dark Reading
Cybersecurity's Future Hinges on Stronger Public-Private Partnerships
Public and private sector organizations must collaborate on a shared cybersecurity agenda to protect and benefit society at large.
👍1
🕴 Privacy Woes Hold Up Global Instagram Threads Launch 🕴
📖 Read
via "Dark Reading".
Meta's answer to Twitter went live and quickly racked up millions of members — but the social media app's privacy practices are under the microscope.📖 Read
via "Dark Reading".
Dark Reading
Privacy Woes Hold Up Global Instagram Threads Launch
Meta's answer to Twitter went live and quickly racked up millions of members — but the social media app's privacy practices are under the microscope.
‼ CVE-2023-37454 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF filesystem image causes a use-after-free write operation in the udf_put_super and udf_close_lvid functions in fs/udf/super.c.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30320 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in textMessage field in /src/chatbotapp/chatWindow.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbitrary code.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30319 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in username field in /src/chatbotapp/LoginServlet.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbitrary code.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-34193 ‼
📖 Read
via "National Vulnerability Database".
File Upload vulnerability in Zimbra ZCS 8.8.15 allows an authenticated privileged user to execute arbitrary code and obtain sensitive information via the ClientUploader function.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2023-29382 ‼
📖 Read
via "National Vulnerability Database".
An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-36830 ‼
📖 Read
via "National Vulnerability Database".
SQLFluff is a SQL linter. Prior to version 2.1.2, in environments where untrusted users have access to the config files, there is a potential security vulnerability where those users could use the `library_path` config value to allow arbitrary python code to be executed via macros. For many users who use SQLFluff in the context of an environment where all users already have fairly escalated privileges, this may not be an issue - however in larger user bases, or where SQLFluff is bundled into another tool where developers still wish to give users access to supply their on rule configuration, this may be an issue.The 2.1.2 release offers the ability for the `library_path` argument to be overwritten on the command line by using the `--library-path` option. This overrides any values provided in the config files and effectively prevents this route of attack for users which have access to the config file, but not to the scripts which call the SQLFluff CLI directly. A similar option is provided for the Python API, where users also have a greater ability to further customise or override configuration as necessary. Unless `library_path` is explicitly required, SQLFluff maintainers recommend using the option `--library-path none` when invoking SQLFluff which will disable the `library-path` option entirely regardless of the options set in the configuration file or via inline config directives. As a workaround, limiting access to - or otherwise validating configuration files before they are ingested by SQLFluff will provides a similar effect and does not require upgrade.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-36823 ‼
📖 Read
via "National Vulnerability Database".
Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize starting with version 3.0.0 and prior to version 6.0.2 when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows `style` elements and one or more CSS at-rules. This could result in cross-site scripting or other undesired behavior when the malicious HTML and CSS are rendered in a browser. Sanitize 6.0.2 performs additional escaping of CSS in `style` element content, which fixes this issue. Users who are unable to upgrade can prevent this issue by using a Sanitize config that doesn't allow `style` elements, using a Sanitize config that doesn't allow CSS at-rules, or by manually escaping the character sequence `</` as `<\/` in `style` element content.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37453 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30321 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in textMessage field in /src/chatbotapp/LoginServlet.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbitrary code.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37260 ‼
📖 Read
via "National Vulnerability Database".
league/oauth2-server is an implementation of an OAuth 2.0 authorization server written in PHP. Starting in version 8.3.2 and prior to version 8.5.3, servers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. This issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 to receive the patch. As a workaround, pass the key as a file instead of a string.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-34192 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-29381 ‼
📖 Read
via "National Vulnerability Database".
An issue in Zimbra Collaboration (ZCS) v.8.8.15 and v.9.0 allows a remote attacker to escalate privileges and obtain sensitive information via the password and 2FA parameters.📖 Read
via "National Vulnerability Database".
⚠ S3 Ep142: Putting the X in X-Ops ⚠
📖 Read
via "Naked Security".
How to get all your corporate "Ops" teams working together, with cybersecurity correctness as a guiding light.📖 Read
via "Naked Security".
Naked Security
S3 Ep142: Putting the X in X-Ops
How to get all your corporate “Ops” teams working together, with cybersecurity correctness as a guiding light.
🤯1
🕴 Patchless Cisco Flaw Breaks Cloud Encryption for ACI Traffic 🕴
📖 Read
via "Dark Reading".
Vulnerable Nexus 9000 Series Fabric Switches in ACI mode should be disabled, Cisco advises.📖 Read
via "Dark Reading".
Dark Reading
Patchless Cisco Flaw Breaks Cloud Encryption for ACI Traffic
Vulnerable Nexus 9000 Series Fabric Switches in ACI mode should be disabled, Cisco advises.
🕴 Shell Becomes Latest Cl0p MOVEit Victim 🕴
📖 Read
via "Dark Reading".
In another MOVEit attack, oil and gas giant Shell saw the release of the private information of its employees.📖 Read
via "Dark Reading".
Dark Reading
Shell Becomes Latest Cl0p MOVEit Victim
In another MOVEit attack, oil and gas giant Shell saw the release of the private information of its employees.
‼ CVE-2023-3528 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in ThinuTech ThinuCMS 1.5. It has been rated as critical. Affected by this issue is some unknown functionality of the file /category.php. The manipulation of the argument cat_id leads to sql injection. The attack may be launched remotely. The identifier of this vulnerability is VDB-233252.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-36461 ‼
📖 Read
via "National Vulnerability Database".
Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-36459 ‼
📖 Read
via "National Vulnerability Database".
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.📖 Read
via "National Vulnerability Database".