CVE-2023-3617
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Best POS Management System 1.0. It has been classified as critical. This affects an unknown part of the file admin_class.php of the component Login Page. The manipulation of the argument username leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-233565 was assigned to this vulnerability.
CVE-2023-37658
via "National Vulnerability Database".
fast-poster v2.15.0 is vulnerable to Cross Site Scripting (XSS). The upload handler (/server/fast.py -> ApiUploadHandler.post) checks that the uploaded content is binary image data but does not strictly check the file suffix, which allows stored XSS.
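The entry above describes a check on the binary content of an upload without a strict check on the file suffix. The following is an added illustration of that vulnerability class, not fast-poster's own code: a file that begins with a valid PNG signature passes a magic-byte check, and if it is stored under a client-chosen name such as payload.html and later served by suffix, a browser renders the HTML that follows the signature. The validator functions, file names and payload bytes are all constructed for the example.

```python
# Added example (not fast-poster's own code): why checking that an upload
# "looks like an image" by its leading bytes, without strictly checking the
# file suffix, leaves a stored-XSS hole. All names, payloads and validator
# functions here are constructed for illustration.
import os
import re
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGICS = (b"GIF87a", b"GIF89a")

# Allow-listed suffixes and the image type each one must agree with.
ALLOWED_SUFFIXES = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}
# Plain stem: no dots (double extensions), no slashes, no control characters.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def sniff_image_type(data: bytes) -> Optional[str]:
    """Image type implied by the leading bytes, or None if not a known image."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(GIF_MAGICS):
        return "gif"
    return None


def weak_validate(filename: str, data: bytes) -> bool:
    """The weak pattern: accept anything whose bytes look like an image,
    regardless of the suffix the client chose."""
    return sniff_image_type(data) is not None


def strict_validate(filename: str, data: bytes) -> bool:
    """Hardened: suffix must be allow-listed, the stem must be plain, and the
    type sniffed from the bytes must match the type the suffix claims."""
    stem, suffix = os.path.splitext(os.path.basename(filename))
    suffix = suffix.lower()
    if suffix not in ALLOWED_SUFFIXES or not SAFE_STEM.fullmatch(stem):
        return False
    return sniff_image_type(data) == ALLOWED_SUFFIXES[suffix]


def content_type_for(data: bytes) -> str:
    """Serve by the type detected from the stored bytes, never by the
    client-supplied suffix; anything else is a download, not a document.
    Pair this with an 'X-Content-Type-Options: nosniff' response header."""
    kind = sniff_image_type(data)
    return f"image/{kind}" if kind else "application/octet-stream"


# Constructed polyglot: a real PNG signature followed by an HTML payload.
POLYGLOT = PNG_MAGIC + b"<html><script>alert(document.cookie)</script></html>"
# Constructed stand-in for a genuine PNG (signature plus start of IHDR chunk).
REAL_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17

if __name__ == "__main__":
    print("weak   accepts payload.html:", weak_validate("payload.html", POLYGLOT))
    print("strict accepts payload.html:", strict_validate("payload.html", POLYGLOT))
    print("strict accepts logo.png.html:", strict_validate("logo.png.html", POLYGLOT))
    print("strict accepts logo.png:", strict_validate("logo.png", REAL_PNG))
```

The suffix allow-list and the content-type-from-bytes rule are two independent layers: the first stops the polyglot from being stored under a renderable name, the second stops an already-stored file from ever being served as text/html even if a name check is bypassed.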
CVE-2023-37656
via "National Vulnerability Database".
WebsiteGuide v0.2 is vulnerable to Remote Command Execution (RCE) via image upload.
Apple's Rapid Zero-Day Patch Causes Safari Issues, Users Say
via "Dark Reading".
Apple's emergency fix for a code-execution bug being actively exploited in the wild is reportedly buggy itself, and some indications point to the Cupertino giant halting patch rollouts.
Critical VMware Bug Exploit Code Released Into the Wild
via "Dark Reading".
The exploit code was brought to VMware's attention by an anonymous researcher, in tandem with the Trend Micro Zero Day Initiative.
OATH Toolkit 2.6.9
via "Packet Storm Security".
OATH Toolkit attempts to collect several tools that are useful when deploying technologies related to OATH, such as HOTP one-time passwords. It is a fork of the earlier HOTP Toolkit.
Cyberattacks Are a War We'll Never Win, but We Can Defend Ourselves
via "Dark Reading".
Giving ourselves a chance in this fight means acknowledging that yesterday's successful defensive tactics may already be obsolete.
Mastodon Patches 4 Bugs, but Is the Twitter Killer Safe to Use?
via "Dark Reading".
Platform's independent server "instances" may have different security levels, creating potential for supply chain-like vulnerabilities.
CVE-2023-25606
via "National Vulnerability Database".
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-23] in FortiAnalyzer and FortiManager management interface 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, 6.4 all versions may allow a remote and authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.
CVE-2023-36824
via "National Vulnerability Database".
Redis is an in-memory database that persists on disk. In Redis 7.0 prior to 7.0.12, extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Several scenarios may lead to this: authenticated users executing a specially crafted `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS`, and authenticated users who were set with ACL rules that match key names executing a specially crafted command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12.
CVE-2023-3627
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) in GitHub repository salesagility/suitecrm-core prior to 8.3.1.
CVE-2023-24881
via "National Vulnerability Database".
Microsoft Teams Information Disclosure Vulnerability
CVE-2023-37596
via "National Vulnerability Database".
Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows a remote attacker to cause a denial of service via a crafted script to the deleteuser function.
CVE-2023-37597
via "National Vulnerability Database".
Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows a remote attacker to cause a denial of service via the delete user grouplist function.
CVE-2023-26861
via "National Vulnerability Database".
SQL injection vulnerability found in PrestaShop vivawallet v.1.7.10 and before allows a remote attacker to gain privileges via the vivawallet() module.
CVE-2022-23447
via "National Vulnerability Database".
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiExtender management interface 7.0.0 through 7.0.3, 4.2.0 through 4.2.4, 4.1.1 through 4.1.8, 4.0.0 through 4.0.2, 3.3.0 through 3.3.2, 3.2.1 through 3.2.3, 5.3 all versions may allow an unauthenticated and remote attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.
CVE-2023-3623
via "National Vulnerability Database".
A vulnerability was found in Suncreate Mountain Flood Disaster Prevention Monitoring and Early Warning System up to 20230704. It has been rated as critical. Affected by this issue is some unknown functionality of the file /Duty/AjaxHandle/UploadHandler.ashx of the component Duty Module. The manipulation of the argument Filedata leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-233576. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-3108
via "National Vulnerability Database".
A flaw was found in the subsequent get_user_pages_fast call in the Linux kernel's interface for symmetric key cipher algorithms, in the skcipher_recvmsg function of crypto/algif_skcipher.c. This flaw allows a local user to crash the system.
CVE-2023-3354
via "National Vulnerability Database".
A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.
CVE-2023-3619
via "National Vulnerability Database".
A vulnerability was found in SourceCodester AC Repair and Services System 1.0 and classified as critical. This issue affects some unknown processing of the file Master.php?f=save_service of the component HTTP POST Request Handler. The manipulation of the argument id leads to SQL injection. The attack may be initiated remotely. The identifier VDB-233573 was assigned to this vulnerability.
CVE-2023-3621
via "National Vulnerability Database".
A vulnerability was found in IBOS OA 4.5.5. It has been classified as critical. Affected is the function createDeleteCommand of the file ?r=article/default/delete of the component Delete Packet. The manipulation leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-233574 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
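Several entries on this page (CVE-2023-3617, where the login-page username argument is injectable; CVE-2023-3619, where a numeric id argument is; CVE-2023-3621 and CVE-2023-26861) share one root cause: user-controlled arguments spliced into query text. The following is an added illustration of that class, not code from SourceCodester, IBOS or the PrestaShop module. It runs against an in-memory SQLite table and puts the vulnerable concatenated query beside the parameterized fix for both a quoted string argument and an unquoted numeric one. The table contents, function names and payloads are all constructed for the example.

```python
# Added example (not any vendor's code): the SQL injection class behind the
# login-page and id-argument entries above, against an in-memory SQLite table.
# All table contents, function names and payloads are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed two-user table; the password hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "hash-admin"), (2, "alice", "hash-alice")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """String-built query: a quote in username closes the literal and the rest
    of the input becomes SQL, so "admin' -- " comments out the password check."""
    sql = (
        "SELECT id FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, password_hash)
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Bound parameters: the driver passes the input as data, never as syntax."""
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def lookup_vulnerable(conn: sqlite3.Connection, record_id: str) -> list:
    """Unquoted numeric argument: "1 OR 1=1" widens the WHERE clause to every
    row, the same shape as an injectable id parameter."""
    return conn.execute("SELECT id FROM users WHERE id = " + record_id).fetchall()


def lookup_safe(conn: sqlite3.Connection, record_id: str) -> list:
    """Reject anything that is not a plain integer, then bind it as a parameter."""
    if not record_id.isdigit():
        return []
    return conn.execute("SELECT id FROM users WHERE id = ?", (int(record_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "admin' -- "
    print("vulnerable login bypassed:", login_vulnerable(db, payload, "wrong"))  # True
    print("parameterized login bypassed:", login_safe(db, payload, "wrong"))     # False
    print("vulnerable lookup rows:", lookup_vulnerable(db, "1 OR 1=1"))          # [(1,), (2,)]
    print("safe lookup rows:", lookup_safe(db, "1 OR 1=1"))                      # []
```

The numeric case matters because developers sometimes assume an id "cannot be injected" since it is not quoted; without quotes there is nothing to break out of, so `1 OR 1=1` is syntactically valid as-is. Type validation before binding closes that path.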