βΌ CVE-2023-38199 βΌ
π Read
via "National Vulnerability Database".
coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not block multiple Content-Type headers, which might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion." This occurs when the web application relies on only the last Content-Type header.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2190 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public.π Read
via "National Vulnerability Database".
βΌ CVE-2023-21238 βΌ
π Read
via "National Vulnerability Database".
In visitUris of RemoteViews.java, there is a possible leak of images between users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-21260 βΌ
π Read
via "National Vulnerability Database".
In notification access permission dialog box, malicious application can embedded a very long service label that overflow the original user prompt and possibly contains mis-leading information to be appeared as a system message for user confirmation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-34128 βΌ
π Read
via "National Vulnerability Database".
Tomcat application credentials are hardcoded in SonicWall GMS and Analytics configuration file. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-34131 βΌ
π Read
via "National Vulnerability Database".
Exposure of sensitive information to an unauthorized actor vulnerability in SonicWall GMS and Analytics enables an unauthenticated attacker to access restricted web pages. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-21257 βΌ
π Read
via "National Vulnerability Database".
In updateSettingsInternalLI of InstallPackageHelper.java, there is a possible way to sideload an app in the work profile due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2620 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1. A maintainer could modify a webhook URL to leak masked webhook secrets by manipulating other masked portions. This addresses an incomplete fix for CVE-2023-0838.π Read
via "National Vulnerability Database".
βΌ CVE-2021-0948 βΌ
π Read
via "National Vulnerability Database".
The PVRSRVBridgeGetMultiCoreInfo ioctl in the PowerVR kernel driver can return uninitialized kernel memory to user space. The contents of this memory could contain sensitive information.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20942 βΌ
π Read
via "National Vulnerability Database".
In openMmapStream of AudioFlinger.cpp, there is a possible way to record audio without displaying the microphone privacy indicator due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-21239 βΌ
π Read
via "National Vulnerability Database".
In visitUris of Notification.java, there is a possible way to leak image data across user boundaries due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-21400 βΌ
π Read
via "National Vulnerability Database".
In multiple functions of io_uring.c, there is a possible kernel memory corruption due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-34137 βΌ
π Read
via "National Vulnerability Database".
SonicWall GMS and Analytics CAS Web Services application use static values for authentication without proper checks leading to authentication bypass vulnerability. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-37567 βΌ
π Read
via "National Vulnerability Database".
ELECOM wireless LAN router WRC-1167GHBK3-A v1.24 and earlier allows a remote unauthenticated attacker to execute an arbitrary command by sending a specially crafted request to a certain port of the web management page.π Read
via "National Vulnerability Database".
π¦Ώ Hiring Kit: Security Architect π¦Ώ
π Read
via "Tech Republic".
Developing and implementing both preventive security protocols and effective response plans is complicated and requires a security architect with a clear vision. This hiring kit from TechRepublic Premium provides a workable framework you can use to find the best candidate for your organization. From the hiring kit: DETERMINING FACTORS, DESIRABLE PERSONALITY TRAITS AND SKILLSETS Depending ...π Read
via "Tech Republic".
TechRepublic
Hiring Kit: Security Architect | TechRepublic
Developing and implementing both preventive security protocols and effective response plans is complicated and requires a security architect with a clear
βΌ CVE-2023-37415 βΌ
π Read
via "National Vulnerability Database".
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.Patching on top of CVE-2023-35797BeforeΓ 6.1.2Γ the proxy_user option can also inject semicolon.This issue affects Apache Airflow Apache Hive Provider: before 6.1.2.It is recommended updating provider version to 6.1.2 in order to avoid this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3319 βΌ
π Read
via "National Vulnerability Database".
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iDisplay PlatPlay DS allows Stored XSS.This issue affects PlatPlay DS: before 3.14.π Read
via "National Vulnerability Database".
βΌ CVE-2023-35069 βΌ
π Read
via "National Vulnerability Database".
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Bullwark allows Path Traversal.This issue affects Bullwark: before BLW-2016E-960H.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2957 βΌ
π Read
via "National Vulnerability Database".
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Lisa Software Florist Site allows SQL Injection.This issue affects Florist Site: before 3.0.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1547 βΌ
π Read
via "National Vulnerability Database".
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Elra Parkmatik allows SQL Injection through SOAP Parameter Tampering, Command Line Execution through SQL Injection.This issue affects Parkmatik: before 02.01-a51.π Read
via "National Vulnerability Database".
βΌ CVE-2023-29449 βΌ
π Read
via "National Vulnerability Database".
JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). Administrative privileges should be typically granted to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access.π Read
via "National Vulnerability Database".