โผ CVE-2023-3817 โผ
๐ Read
via "National Vulnerability Database".
Issue summary: Checking excessively long DH keys or parameters may be very slow.Impact summary: Applications that use the functions DH_check(), DH_check_ex()or EVP_PKEY_param_check() to check a DH key or DH parameters may experience longdelays. Where the key or parameters that are being checked have been obtainedfrom an untrusted source this may lead to a Denial of Service.The function DH_check() performs various checks on DH parameters. After fixingCVE-2023-3446 it was discovered that a large q parameter value can also triggeran overly long computation during some of these checks. A correct q value,if present, cannot be larger than the modulus p parameter, thus it isunnecessary to perform these checks if q is larger than p.An application that calls DH_check() and supplies a key or parameters obtainedfrom an untrusted source could be vulnerable to a Denial of Service attack.The function DH_check() is itself called by a number of other OpenSSL functions.An application calling any of those other functions may similarly be affected.The other functions affected by this are DH_check_ex() andEVP_PKEY_param_check().Also vulnerable are the OpenSSL dhparam and pkeyparam command line applicationswhen using the "-check" option.The OpenSSL SSL/TLS implementation is not affected by this issue.The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.๐ Read
via "National Vulnerability Database".
โผ CVE-2020-36763 โผ
๐ Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in DuxCMS 2.1 allows remote attackers to run arbitrary code via the content, time, copyfrom parameters when adding or editing a post.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-4026 โผ
๐ Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-4024. Reason: This record is a duplicate of CVE-2023-4024. Notes: All CVE users should reference CVE-2023-4024 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-34917 โผ
๐ Read
via "National Vulnerability Database".
Fuge CMS v1.0 contains an Open Redirect vulnerability in member/RegisterAct.java.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-37580 โผ
๐ Read
via "National Vulnerability Database".
Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-38750 โผ
๐ Read
via "National Vulnerability Database".
In Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41, 9 before 9.0.0 Patch 34, and 10 before 10.0.2, internal JSP and XML files can be exposed.๐ Read
via "National Vulnerability Database".
๐ด Abyss Locker Ransomware Looks to Drown VMware's ESXi Servers ๐ด
๐ Read
via "Dark Reading".
The 4-month-old ransomware gang is now actively targeting VMware's virtual environments with a second variant of its custom malware.๐ Read
via "Dark Reading".
Dark Reading
Abyss Locker Ransomware Looks to Drown VMware's ESXi Servers
The 4-month-old ransomware gang is now actively targeting VMware's virtual environments with a second variant of its custom malware.
๐ด Air-Gapped ICS Systems Targeted by Sophisticated Malware ๐ด
๐ Read
via "Dark Reading".
Researchers uncovered new worming second-stage tools used to locally exfiltrate data from air gapped ICS environments, putting threat actors one step away from transmission of the info to a C2.๐ Read
via "Dark Reading".
Dark Reading
Air-Gapped ICS Systems Targeted by Sophisticated Malware
Researchers uncovered new worming second-stage tools used to locally exfiltrate data from air gapped ICS environments, putting threat actors one step away from transmission of the info to a C2.
โผ CVE-2023-38989 โผ
๐ Read
via "National Vulnerability Database".
An issue in the delete function in the UserController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete the Administrator's role information.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-3983 โผ
๐ Read
via "National Vulnerability Database".
An authenticated SQL injection vulnerability exists in Advantech iView versions prior to v5.7.4 build 6752. An authenticated remote attacker can bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform blind SQL injection.๐ Read
via "National Vulnerability Database".
๐ด Protecting Intellectual Property When It Needs to Be Shared ๐ด
๐ Read
via "Dark Reading".
Companies should use a variety of tools and strategies, both technical and policy, to protect their IP from third-party risk.๐ Read
via "Dark Reading".
Dark Reading
Protecting Intellectual Property When It Needs to Be Shared
Companies should use a variety of tools and strategies, both technical and policy, to protect their IP from third-party risk.
๐ด China's Volt Typhoon APT Burrows Deeper into US Critical Infrastructure ๐ด
๐ Read
via "Dark Reading".
US officials are concerned that the Beijing-directed cyberattacks could be a precursor to military disruption and broader destructive attacks on citizens and businesses.๐ Read
via "Dark Reading".
Dark Reading
China's Volt Typhoon APT Burrows Deeper Into US Critical Infrastructure
US officials are concerned that the Beijing-directed cyberattacks could be a precursor to military disruption and broader destructive attacks on citizens and businesses.
๐ฆฟ Reducing Generative AI Hallucinations and Trusting Your Data: Interview With Cognite CPO Moe Tanabian ๐ฆฟ
๐ Read
via "Tech Republic".
In a conversation with Cognite CPO Moe Tanabian, learn how industrial software can combine human and AI skills to create smarter digital twins.๐ Read
via "Tech Republic".
TechRepublic
Reducing Generative AI Hallucinations and Trusting Your Data: Interview With Cognite CPO Moe Tanabian
What should tech professionals who are concerned about AI hallucinations have in mind when determining whether to use generative AI products?
โผ CVE-2022-42183 โผ
๐ Read
via "National Vulnerability Database".
Precisely Spectrum Spatial Analyst 20.01 is vulnerable to Server-Side Request Forgery (SSRF).๐ Read
via "National Vulnerability Database".
โค1
โผ CVE-2022-42182 โผ
๐ Read
via "National Vulnerability Database".
Precisely Spectrum Spatial Analyst 20.01 is vulnerable to Directory Traversal.๐ Read
via "National Vulnerability Database".
โค1
๐ด What Implementing Biometrics for Authentication Looks Like ๐ด
๐ Read
via "Dark Reading".
CISOs are incorporating biometrics as part of their multifactor authentication strategies. This is what they should be thinking about during implementation.๐ Read
via "Dark Reading".
Dark Reading
What Implementing Biometrics for Authentication Looks Like
CISOs are incorporating biometrics as part of their multifactor authentication strategies. This is what they should be thinking about during implementation.
โค1
โผ CVE-2023-26139 โผ
๐ Read
via "National Vulnerability Database".
Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like รขโฌล__proto__รขโฌ๏ฟฝ.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-23548 โผ
๐ Read
via "National Vulnerability Database".
Reflected XSS in business intelligence in Checkmk <2.2.0p8, <2.1.0p32, <2.0.0p38, <=1.6.0p30.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-32302 โผ
๐ Read
via "National Vulnerability Database".
Silverstripe Framework is the MVC framework that powers Silverstripe CMS. When a new member record is created and a password is not set, an empty encrypted password is generated. As a result, if someone is aware of the existence of a member record associated with a specific email address, they can potentially attempt to log in using that empty password. Although the default member authenticator and login form require a non-empty password, alternative authentication methods might still permit a successful login with the empty password. This issue has been patched in versions 4.13.4 and 5.0.13.๐ Read
via "National Vulnerability Database".
๐1
๐ฆฟ TechRepublic Premium Editorial Calendar: IT Policies, Checklists, Hiring Kits and Research for Download ๐ฆฟ
๐ Read
via "Tech Republic".
TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.๐ Read
via "Tech Republic".
TechRepublic
TechRepublic Premium Editorial Calendar: Policies, Hiring Kits, and Glossaries for Download
TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.
๐ด Why the California Delete Act Matters ๐ด
๐ Read
via "Dark Reading".
Bill 362 is a perfect template for a nationwide win against data brokers and the privacy infringements they cause.๐ Read
via "Dark Reading".
Dark Reading
Why the California Delete Act Matters
Bill 362 is a perfect template for a nationwide win against data brokers and the privacy infringements they cause.