‼ CVE-2023-40193 ‼
📖 Read
via "National Vulnerability Database".
Deco M4 firmware versions prior to 'Deco M4(JP)_V2_1.5.8 Build 20230619' allows a network-adjacent authenticated attacker to execute arbitrary OS commands.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37284 ‼
📖 Read
via "National Vulnerability Database".
Improper authentication vulnerability in Archer C20 firmware versions prior to 'Archer C20(JP)_V1_230616' allows a network-adjacent unauthenticated attacker to execute an arbitrary OS command via a crafted request to bypass authentication.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-40357 ‼
📖 Read
via "National Vulnerability Database".
Multiple TP-LINK products allow a network-adjacent authenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: Archer AX50 firmware versions prior to 'Archer AX50(JP)_V1_230529', Archer A10 firmware versions prior to 'Archer A10(JP)_V2_230504', Archer AX10 firmware versions prior to 'Archer AX10(JP)_V1.2_230508', and Archer AX11000 firmware versions prior to 'Archer AX11000(JP)_V1_230523'.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39224 ‼
📖 Read
via "National Vulnerability Database".
Archer C5 firmware all versions and Archer C7 firmware versions prior to 'Archer C7(JP)_V2_230602' allow a network-adjacent authenticated attacker to execute arbitrary OS commands. Note that Archer C5 is no longer supported, therefore the update for this product is not provided.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-36489 ‼
📖 Read
via "National Vulnerability Database".
Multiple TP-LINK products allow a network-adjacent unauthenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: TL-WR802N firmware versions prior to 'TL-WR802N(JP)_V4_221008', TL-WR841N firmware versions prior to 'TL-WR841N(JP)_V14_230506', and TL-WR902AC firmware versions prior to 'TL-WR902AC(JP)_V3_230506'.📖 Read
via "National Vulnerability Database".
🕴 Overcoming Open Source Vulnerabilities in the Software Supply Chain 🕴
📖 Read
via "Dark Reading".
By securing access to code and running scans against all code changes, developers can better prevent — and detect — potential risks and vulnerabilities.📖 Read
via "Dark Reading".
Dark Reading
Overcoming Open Source Vulnerabilities in the Software Supply Chain
By securing access to code and running scans against all code changes, developers can better prevent — and detect — potential risks and vulnerabilities.
‼ CVE-2023-41944 ‼
📖 Read
via "National Vulnerability Database".
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-27526 ‼
📖 Read
via "National Vulnerability Database".
A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0. 📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41932 ‼
📖 Read
via "National Vulnerability Database".
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41937 ‼
📖 Read
via "National Vulnerability Database".
Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-36388 ‼
📖 Read
via "National Vulnerability Database".
Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4589 ‼
📖 Read
via "National Vulnerability Database".
Insufficient verification of data authenticity vulnerability in Delinea Secret Server, in its v10.9.000002 version. An attacker with an administrator account could perform software updates without proper integrity verification mechanisms. In this scenario, the update process lacks digital signatures and fails to validate the integrity of the update package, allowing the attacker to inject malicious applications during the update.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41933 ‼
📖 Read
via "National Vulnerability Database".
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41931 ‼
📖 Read
via "National Vulnerability Database".
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not property sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39264 ‼
📖 Read
via "National Vulnerability Database".
By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users. This vulnerability exists in Apache Superset versions up to and including 2.1.0.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41934 ‼
📖 Read
via "National Vulnerability Database".
Jenkins Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if "Treat username as secret" is checked.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4588 ‼
📖 Read
via "National Vulnerability Database".
File accessibility vulnerability in Delinea Secret Server, in its v10.9.000002 and v11.4.000002 versions. Exploitation of this vulnerability could allow an authenticated user with administrative privileges to create a backup file in the application's webroot directory, changing the default backup directory to the wwwroot folder, and download it with some configuration files such as encryption.config/ and database.config stored in the wwwroot directory, exposing the database credentials in plain text.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41940 ‼
📖 Read
via "National Vulnerability Database".
Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41936 ‼
📖 Read
via "National Vulnerability Database".
Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41943 ‼
📖 Read
via "National Vulnerability Database".
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41150 ‼
📖 Read
via "National Vulnerability Database".
F-RevoCRM 7.3 series prior to version7.3.8 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the product.📖 Read
via "National Vulnerability Database".