πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
@cibsecurity
25.8K subscribers
89.2K links
πŸ—ž The finest daily news on cybersecurity and privacy.

πŸ”” Daily releases.

πŸ’» Is your online life secure?

πŸ“© lalilolalo.dev@gmail.com
Download Telegram
About
Blog
Apps
Platform
Join
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
25.8K subscribers
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-36462 β€Ό

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

πŸ“– Read

via "National Vulnerability Database".
250 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-29824 β€Ό

A use-after-free issue was discovered in Py_FindObjects() function in SciPy versions prior to 1.8.0.

πŸ“– Read

via "National Vulnerability Database".
265 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-20899 β€Ό

VMware SD-WAN (Edge) contains a bypass authentication vulnerability. An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management.

πŸ“– Read

via "National Vulnerability Database".
258 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-36859 β€Ό

PiiGAB M-Bus SoftwarePack 900Sdoes not correctly sanitize user input, which could allow an attacker to inject arbitrary commands.

πŸ“– Read

via "National Vulnerability Database".
264 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-36829 β€Ό

Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header if the `Origin` request header ends with the `system.base-hostname` option of Sentry installation. This only affects installations that have `system.base-hostname` option explicitly set, as it is empty by default. Impact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks. The patch has been released in Sentry 23.6.2.

πŸ“– Read

via "National Vulnerability Database".
299 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-31277 β€Ό

PiiGAB M-Bus transmits credentials in plaintext format.

πŸ“– Read

via "National Vulnerability Database".
296 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-33868 β€Ό

The number of login attempts is not limited. This could allow an attacker to perform a brute force on HTTP basic authentication.

πŸ“– Read

via "National Vulnerability Database".
❀1
302 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-35987 β€Ό

PiiGAB M-Bus contains hard-coded credentials which it uses for authentication.

πŸ“– Read

via "National Vulnerability Database".
321 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-34433 β€Ό

PiiGAB M-Bus stores passwords using a weak hash algorithm.

πŸ“– Read

via "National Vulnerability Database".
292 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-32652 β€Ό

PiiGAB M-BusΓ‚ does not validate identification strings before processing, which could make it vulnerable to cross-site scripting attacks.

πŸ“– Read

via "National Vulnerability Database".
297 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-37192 β€Ό

Memory management and protection issues in Bitcoin Core v22 allows attackers to modify the stored sending address within the app's memory, potentially allowing them to redirect Bitcoin transactions to wallets of their own choosing.

πŸ“– Read

via "National Vulnerability Database".
293 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-34995 β€Ό

There are no requirements for setting a complex passwordΓ‚ for PiiGAB M-Bus, which could contribute to a successful brute force attack if the password is inline with recommended password guidelines.

πŸ“– Read

via "National Vulnerability Database".
272 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-3532 β€Ό

Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to 0.70.1.

πŸ“– Read

via "National Vulnerability Database".
266 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-35120 β€Ό

PiiGAB M-Bus is vulnerable to cross-site request forgery. An attacker who wants to execute a certain command could send a phishing mail to the owner of the device and hope that the owner clicks on the link. If the owner of the device has a cookie stored that allows the owner to be logged in, then the device could execute the GET or POST link request.

πŸ“– Read

via "National Vulnerability Database".
307 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-35890 β€Ό

IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security, caused by the improper encoding in a local configuration file. IBM X-Force ID: 258637.

πŸ“– Read

via "National Vulnerability Database".
364 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-35765 β€Ό

PiiGAB M-Bus stores credentials in a plaintext file, which could allow a low-level user to gain admin credentials.

πŸ“– Read

via "National Vulnerability Database".
434 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
πŸ“’ Why are cyber criminals targeting the UK? πŸ“’

Attacks will continue until threat actors are hit in their wallets

πŸ“– Read

via "ITPro".
ITPro
Why are cyber criminals targeting the UK?
Attacks will continue until threat actors are hit in their wallets
517 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-32183 β€Ό

Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed hawk2 package allows users with access to the hacluster to escalate to rootThis issue affects openSUSE Tumbleweed.

πŸ“– Read

via "National Vulnerability Database".
482 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-33008 β€Ό

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon.A malicious attacker can craft up some JSON input that uses large numbers (numbers such asΓ‚ 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. This issue affects Apache Johnzon: through 1.2.20.

πŸ“– Read

via "National Vulnerability Database".
471 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-3536 β€Ό

A vulnerability was found in SimplePHPscripts Funeral Script PHP 3.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-233288.

πŸ“– Read

via "National Vulnerability Database".
402 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2023-37308 β€Ό

Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field.

πŸ“– Read

via "National Vulnerability Database".
350 views