🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2023-31926 ‼

System files could be overwritten using the less command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0.

📖 Read via "National Vulnerability Database".
๐Ÿ‘1
‼ CVE-2022-2416 ‼

In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-3401 ‼

An issue has been discovered in GitLab affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-4016 ‼

Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine to write almost unlimited amounts of unfiltered data into the process heap.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-4011 ‼

An issue has been discovered in GitLab EE affecting all versions from 15.11 prior to 16.2.2 which allows an attacker to spike resource consumption, resulting in DoS.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-4067 ‼

The Bus Ticket Booking with Seat Reservation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab_date' and 'tab_date_r' parameters in versions up to, and including, 5.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-2022 ‼

An issue has been discovered in GitLab CE/EE affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, and all versions starting from 16.2 before 16.2.2, which leads to developers being able to create pipeline schedules on protected branches even if they don't have access to merge.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-38556 ‼

Improper input validation vulnerability in SEIKO EPSON printer Web Config allows a remote attacker to turn off the printer. [Note] Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers via a web browser. Web Config is pre-installed in some printers provided by SEIKO EPSON CORPORATION. For the details of the affected product names/model numbers, refer to the information provided by the vendor.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-3426 ‼

The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.

📖 Read via "National Vulnerability Database".
🕴 Unified XDR and SIEM Alleviate Security Alert Fatigue 🕴

By integrating detection response with information and event management, organizations can move beyond protective controls and harden their defenses.

📖 Read via "Dark Reading".
🕴 Utilities Face Security Challenges as They Embrace Data in New Ways 🕴

A culture of cybersecurity and implementing industry best practices can go a long way toward protecting a utility.

📖 Read via "Dark Reading".
‼ CVE-2023-26439 ‼

The cacheservice API could be abused to inject parameters with SQL syntax which was insufficiently sanitized before getting executed as an SQL statement. Attackers with access to a local or restricted network were able to perform arbitrary SQL queries, discovering other users' cached data. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-26441 ‼

Cacheservice did not correctly check if relative cache objects were pointing to the defined absolute location when accessing resources. An attacker with access to the database and a local or restricted network would be able to read arbitrary local file system resources that are accessible by the service's system user account. We have improved path validation and made sure that any access is contained to the defined root directory. No publicly available exploits are known.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-26450 ‼

The "OX Count" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the user's account or lure a user to a compromised account. We are now defining the accepted media-type to avoid code execution. No publicly available exploits are known.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-26430 ‼

Attackers with access to user accounts can inject arbitrary control characters into SIEVE mail-filter rules. This could be abused to access SIEVE extensions that are not allowed by App Suite or to inject rules which would break per-user filter processing, requiring manual cleanup of such rules. We have added sanitization to all mail-filter APIs to avoid forwarding control characters to subsystems. No publicly available exploits are known.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-26448 ‼

Custom log-in and log-out locations are user-defined as jslob but were not checked to contain malicious protocol handlers. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the user's account or lure a user to a compromised account. We now sanitize jslob content for those locations to avoid redirects to malicious content. No publicly available exploits are known.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-26445 ‼

Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the user's account or lure a user to a compromised account. We now sanitize the theme value and use a default fallback if no theme matches. No publicly available exploits are known.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-26440 ‼

The cacheservice API could be abused to indirectly inject parameters with SQL syntax which was insufficiently sanitized and would later be executed when creating new cache groups. Attackers with access to a local or restricted network could perform arbitrary SQL queries. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-26438 ‼

External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. Attackers that were timing DNS cache expiry correctly were able to inject configuration that would bypass existing network deny-lists. Attackers could exploit this weakness to discover the existence of restricted network infrastructure and service availability. Improvements were made to include deny-lists not only during the check of the provided connection data, but also during use. No publicly available exploits are known.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-26447 ‼

The "upsell" widget for the portal allows specifying a product description. This description, taken from a user-controllable jslob, did not get escaped before being added to the DOM. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the user's account or lure a user to a compromised account. We now sanitize jslob content. No publicly available exploits are known.

📖 Read via "National Vulnerability Database".
‼ CVE-2023-26446 ‼

The user's clientID at "application passwords" was not sanitized or escaped before being added to the DOM. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the user's account or lure a user to a compromised account. We now sanitize the user-controllable clientID parameter. No publicly available exploits are known.

📖 Read via "National Vulnerability Database".