CVE-2023-39834
via "National Vulnerability Database".
PbootCMS below v3.2.0 was discovered to contain a command injection vulnerability via create_function.
CVE-2023-4418
via "National Vulnerability Database".
A remote unprivileged attacker can send multiple packages to the LMS5xx to disrupt its availability through a TCP SYN-based denial-of-service (DDoS) attack. By exploiting this vulnerability, an attacker can flood the targeted LMS5xx with a high volume of TCP SYN requests, overwhelming its resources and causing it to become unresponsive or unavailable for legitimate users.
CVE-2023-40898
via "National Vulnerability Database".
Tenda AC8 v4 US_AC8V4.0si_V16.03.34.06_cn was discovered to contain a stack overflow via parameter timeZone at /goform/SetSysTimeCfg.
US Space Industry More Prone to Foreign Espionage, US Agencies Warn
via "Dark Reading".
Foreign intelligence entities have the US space industry in their sights, posing serious threats to US national security, multiple federal agencies say.
Kyndryl and Cisco Expand Partnership Focusing on Cyber Resilience
via "Dark Reading".
NEW YORK, August 24, 2023 -- Kyndryl (NYSE: KD), the world's largest IT infrastructure services provider, today announced an expanded technology partnership with Cisco to deliver services focused on cyber resilience. Through this partnership, Kyndryl will…
Cypago Raises $13M and Unveils its Cyber GRC Automation (CGA) Platform to Simplify GRC Processes
via "Dark Reading".
[Tel Aviv, 24th August, 2023] -- Cypago announced the release of its Cyber GRC Automation (CGA) platform today, revolutionizing the GRC space by bridging the gap between management, security, and operations teams. This announcement follows the company's $13M…
Major US Energy Company Hit by QR Code Phishing Campaign
via "Tech Republic".
This QR code phishing campaign is targeting multiple industries and using legitimate services such as Microsoft Bing to increase its efficiency and bypass security. Learn more about the QR code phishing campaign targeting several industries, and how to stay safe from these types of threats.
Black Hat USA 2023 Closes on Record-Breaking Event in Las Vegas
via "Dark Reading".
SAN FRANCISCO -- (BUSINESS WIRE) -- Black Hat, the producer of the cybersecurity industry's most established and in-depth security events, today announced the successful completion of the in-person component of Black Hat USA 2023. The event welcomed more…
Malwarebytes Announces Acquisition of Online Privacy Company Cyrus
via "Dark Reading".
SANTA CLARA, Calif., Aug. 24, 2023 /PRNewswire/ -- Malwarebytes, a global leader in real-time cyber protection, announced the acquisition of Cyrus, a disruptive innovator in online privacy solutions. This strategic acquisition reinforces Malwarebytes' commitment…
CVE-2023-39801
via "National Vulnerability Database".
A lack of exception handling in the Renault Easy Link Multimedia System Software Version 283C35519R allows attackers to cause a Denial of Service (DoS) via supplying crafted WMA files when connecting a device to the vehicle's USB plug and play feature.
Cerby Announces $17M in Series A Funding to Secure Nonstandard Applications
via "Dark Reading".
ALAMEDA, Calif., Aug. 22, 2023 /PRNewswire/ -- Cerby, the comprehensive access management platform for nonstandard applications, today announced that the company has raised $17 million in Series A funding. Two Sigma Ventures led the round with significant…
CVE-2023-32078
via "National Vulnerability Database".
Netmaker makes networks with WireGuard. An Insecure Direct Object Reference (IDOR) vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user's username, it was possible to update the other user's password. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server.
CVE-2023-37469
via "National Vulnerability Database".
CasaOS is an open-source personal cloud system. Prior to version 0.4.4, if an authenticated user using CasaOS is able to successfully connect to a controlled SMB server, they are able to execute arbitrary commands. Version 0.4.4 contains a patch for the issue.
CVE-2023-39521
via "National Vulnerability Database".
Tuleap is an open source suite to improve management of software developments and collaboration. In Tuleap Community Edition prior to version 14.11.99.28 and Tuleap Enterprise Edition prior to versions 14.10-6 and 14.11-3, content displayed in the "card fields" (visible in the kanban and PV2 apps) is not properly escaped. An agile dashboard administrator deleting a kanban with a malicious label can be forced to execute uncontrolled code. Tuleap Community Edition 14.11.99.28, Tuleap Enterprise Edition 14.10-6, and Tuleap Enterprise Edition 14.11-3 contain a fix for this issue.
CVE-2023-39519
via "National Vulnerability Database".
Cloud Explorer Lite is an open source cloud management platform. Prior to version 1.4.0, there is a risk of sensitive information leakage in the user information acquisition of CloudExplorer Lite. The vulnerability has been fixed in version 1.4.0.
CVE-2023-32077
via "National Vulnerability Database".
Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server.
CVE-2023-32079
via "National Vulnerability Database".
Netmaker makes networks with WireGuard. A Mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a non-admin user to escalate privileges to those of an admin user. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server.
CVE-2023-4508
via "National Vulnerability Database".
A user able to control file input to Gerbv, between versions 2.4.0 and 2.10.0, can cause a crash and cause denial-of-service with a specially crafted Gerber RS-274X file.
CVE-2023-40017
via "National Vulnerability Database".
GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. In versions 3.2.0 through 4.1.2, the endpoint `/proxy/?url=` does not properly protect against server-side request forgery. This allows an attacker to port scan internal hosts and request information from internal hosts. A patch is available at commit a9eebae80cb362009660a1fd49e105e7cdb499b9.
CVE-2023-40030
via "National Vulnerability Database".
Cargo downloads a Rust project's dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by `cargo build --timings`. A malicious package included as a dependency may inject nearly arbitrary HTML here, potentially leading to cross-site scripting if the report is subsequently uploaded somewhere. The vulnerability affects users relying on dependencies from git, local paths, or alternative registries. Users who solely depend on crates.io are unaffected.

Rust 1.60.0 introduced `cargo build --timings`, which produces a report of how long the different steps of the build process took. It includes lists of Cargo features for each crate. Prior to Rust 1.72, Cargo feature names were allowed to contain almost any characters (with some exceptions as used by the feature syntax), but it would produce a future incompatibility warning about them since Rust 1.49. crates.io is far more stringent about what it considers a valid feature name and has not allowed such feature names. As the feature names were included unescaped in the timings report, they could be used to inject Javascript into the page, for example with a feature name like `features = ["<img src='' onerror=alert(0)"]`. If this report were subsequently uploaded to a domain that uses credentials, the injected Javascript could access resources from the website visitor.

This issue was fixed in Rust 1.72 by turning the future incompatibility warning into an error. Users should still exercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities.

crates.io has server-side checks preventing this attack, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as remote code execution is allowed by design there as well.