🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2021-32494 ‼

Radare2 has a division by zero vulnerability in the Mach-O parser's rebase_buffer function. This allows attackers to create malicious inputs that can cause a denial of service.

via "National Vulnerability Database".
‼ CVE-2023-36992 ‼

PHP injection in TravianZ 8.3.4 and 8.3.3 in the config editor in the admin page allows remote attackers to execute PHP code.

via "National Vulnerability Database".
‼ CVE-2023-36256 ‼

The Online Examination System Project 1.0 version is vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin's consent. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in a loss of data.

via "National Vulnerability Database".
‼ CVE-2021-32495 ‼

Radare2 has a use-after-free vulnerability in the pyc parser's get_none_object function. An attacker can read freed memory afterwards. This allows attackers to cause a denial of service.

via "National Vulnerability Database".
‼ CVE-2023-36994 ‼

In TravianZ 8.3.4 and 8.3.3, Incorrect Access Control in the installation script allows an attacker to overwrite the server configuration and inject PHP code.

via "National Vulnerability Database".
‼ CVE-2023-36993 ‼

The cryptographically insecure random number generator used in TravianZ 8.3.4 and 8.3.3 in the password reset function allows an attacker to guess the password reset parameters and take over accounts.

via "National Vulnerability Database".
β™ŸοΈ Top Suspect in 2015 Ashley Madison Hack Committed Suicide in 2014 β™ŸοΈ

When the marital infidelity website AshleyMadison.com learned in July 2015 that hackers were threatening to publish data stolen from 37 million users, the company’s then-CEO Noel Biderman was quick to point the finger at an unnamed former contractor. But as a new documentary series on Hulu reveals [SPOILER ALERT!], there was just one problem with that theory: Their top suspect had killed himself more than a year before the hackers began publishing stolen user data.

πŸ“– Read

via "Krebs on Security".
🕴 Truebot Malware Variants Abound, According to CISA Advisory 🕴

US and Canadian government agencies find that new variants of the malware are increasingly being utilized.

via "Dark Reading".
🕴 Meta's Rush to Topple Twitter Sets Up Looming Privacy Debate 🕴

GDPR is halting Meta's new Threads app from entering EU markets, portending a broader struggle over the right ways to collect user data on social apps.

via "Dark Reading".
🕴 How to Safely Architect AI in Your Cybersecurity Programs 🕴

Guardrails need to be set in place to ensure confidentiality of sensitive information, while still leveraging AI as a force multiplier for productivity.

via "Dark Reading".
🕴 Global Hacking Competition Addresses Critical Increase in Cybersecurity Threats for Businesses 🕴

Hack The Box launches Capture The Flag competition, including offensive and defensive challenges, to unite teams as cyberattacks increase in 2023 to unprecedented levels.

via "Dark Reading".
‼ CVE-2023-37269 ‼

Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting (XSS) attack. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would already have extensive access and control within the system. Additionally, to execute the XSS, the attacker would need to convince the victim to directly visit the URL of the maliciously uploaded SVG, and the application would have to be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN. This is because all SVGs in Winter CMS are rendered through an `img` tag, which prevents any payloads from being executed directly. These two factors significantly limit the potential harm of this vulnerability. This issue has been patched in v1.2.3 through the inclusion of full support for SVG uploads and automatic sanitization of uploaded SVG files. As a workaround, one may apply the patches manually.

via "National Vulnerability Database".
‼ CVE-2023-37270 ‼

Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be logged in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately.

via "National Vulnerability Database".
‼ CVE-2023-32000 ‼

A Cross-Site Scripting (XSS) vulnerability found in UniFi Network (Version 7.3.83 and earlier) allows a malicious actor with Site Administrator credentials to escalate privileges by persuading an Administrator to visit a malicious web page.

via "National Vulnerability Database".
‼ CVE-2023-3552 ‼

Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.10.

via "National Vulnerability Database".
‼ CVE-2023-3553 ‼

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository nilsteampassnet/teampass prior to 3.0.10.

via "National Vulnerability Database".
‼ CVE-2023-3551 ‼

Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.10.

via "National Vulnerability Database".
🕴 How to Use Log Management to Retrace Your Digital Footsteps 🕴

Log management tools help IT and security teams monitor and improve a system's performance by identifying bugs, cybersecurity breaches, and other issues that can create outages or compliance problems.

via "Dark Reading".
‼ CVE-2023-37288 ‼

SmartBPM.NET uses a hard-coded authentication key. An unauthenticated remote attacker can exploit this vulnerability to access the system with regular user privileges, read application data, and execute submission and approval processes.

via "National Vulnerability Database".
‼ CVE-2023-37287 ‼

SmartBPM.NET uses a hard-coded authentication key. An unauthenticated remote attacker can exploit this vulnerability to access the system with regular user privileges, read application data, and execute submission and approval processes.

via "National Vulnerability Database".
‼ CVE-2023-37286 ‼

SmartSoft SmartBPM.NET uses a hard-coded machine key. An unauthenticated remote attacker can use the machine key to send a serialized payload to the server, execute arbitrary code, and disrupt service.

via "National Vulnerability Database".