⚠ SEC demands four-day disclosure limit for cybersecurity breaches ⚠
📖 Read
via "Naked Security".
When is a ransomware attack a reportable matter? And how long have you got to decide?📖 Read
via "Naked Security".
Sophos News
Naked Security – Sophos News
👍1
‼ CVE-2023-37478 ‼
📖 Read
via "National Vulnerability Database".
pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4047 ‼
📖 Read
via "National Vulnerability Database".
A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-31710 ‼
📖 Read
via "National Vulnerability Database".
TP-Link Archer AX21(US)_V3_1.1.4 Build 20230219 and AX21(US)_V3.6_1.1.4 Build 20230219 are vulnerable to Buffer Overflow.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2023-4051 ‼
📖 Read
via "National Vulnerability Database".
A website could have obscured the full screen notification by using the file open dialog. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2023-39108 ‼
📖 Read
via "National Vulnerability Database".
rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_b parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4046 ‼
📖 Read
via "National Vulnerability Database".
In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39110 ‼
📖 Read
via "National Vulnerability Database".
rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4052 ‼
📖 Read
via "National Vulnerability Database".
The Firefox updater created a directory writable by non-privileged users. When uninstalling Firefox, any files in that directory would be recursively deleted with the permissions of the uninstalling user account. This could be combined with creation of a junction (a form of symbolic link) to allow arbitrary file deletion controlled by the non-privileged user. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 116 and Firefox ESR < 115.1.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2023-39109 ‼
📖 Read
via "National Vulnerability Database".
rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_a parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4049 ‼
📖 Read
via "National Vulnerability Database".
Race conditions in reference counting code were found through code inspection. These could have resulted in potentially exploitable use-after-free vulnerabilities. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4045 ‼
📖 Read
via "National Vulnerability Database".
Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39986 ‼
📖 Read
via "National Vulnerability Database".
A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-38357 ‼
📖 Read
via "National Vulnerability Database".
Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4048 ‼
📖 Read
via "National Vulnerability Database".
An out-of-bounds read could have led to an exploitable crash when parsing HTML with DOMParser in low memory situations. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4050 ‼
📖 Read
via "National Vulnerability Database".
In some cases, an untrusted input stream was copied to a stack buffer without checking its size. This resulted in a potentially exploitable crash which could have led to a sandbox escape. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-34634 ‼
📖 Read
via "National Vulnerability Database".
Greenshot 1.2.10 and below allows arbitrary code execution because .NET content is insecurely deserialized when a .greenshot file is opened.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2023-4053 ‼
📖 Read
via "National Vulnerability Database".
A website could have obscured the full screen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39987 ‼
📖 Read
via "National Vulnerability Database".
A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php.📖 Read
via "National Vulnerability Database".
🕴 CISA: 'Submarine' Backdoor Torpedoes Barracuda Email Security 🕴
📖 Read
via "Dark Reading".
A China-nexus cyber espionage campaign rages on with the fourth backdoor to surface in the wild that takes advantage of the CVE-2023-2868 zero-day security bug — with severe threat of lateral movement, CISA warns.📖 Read
via "Dark Reading".
Dark Reading
CISA: 'Submarine' Backdoor Torpedoes Barracuda Email Security
A China-nexus cyber-espionage campaign rages on with the fourth backdoor to surface in the wild that takes advantage of the CVE-2023-2868 zero-day security bug — with severe threat of lateral movement, CISA warns.
🕴 Lessons Not Learned From Software Supply Chain Attacks 🕴
📖 Read
via "Dark Reading".
Businesses that develop business-, mission-, or safety-critical software must learn from previous victims of software supply chain attacks.📖 Read
via "Dark Reading".
Dark Reading
Lessons Not Learned From Software Supply Chain Attacks
Businesses that develop business-, mission-, or safety-critical software must learn from previous victims of software supply chain attacks.