βΌ CVE-2023-4588 βΌ
π Read
via "National Vulnerability Database".
File accessibility vulnerability in Delinea Secret Server, in its v10.9.000002 and v11.4.000002 versions. Exploitation of this vulnerability could allow an authenticated user with administrative privileges to create a backup file in the application's webroot directory, changing the default backup directory to the wwwroot folder, and download it with some configuration files such as encryption.config/ and database.config stored in the wwwroot directory, exposing the database credentials in plain text.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41940 βΌ
π Read
via "National Vulnerability Database".
Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41936 βΌ
π Read
via "National Vulnerability Database".
Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41943 βΌ
π Read
via "National Vulnerability Database".
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41150 βΌ
π Read
via "National Vulnerability Database".
F-RevoCRM 7.3 series prior to version7.3.8 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the product.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41939 βΌ
π Read
via "National Vulnerability Database".
Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41947 βΌ
π Read
via "National Vulnerability Database".
A missing permission check in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to Frugal Testing using attacker-specified credentials.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41945 βΌ
π Read
via "National Vulnerability Database".
Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41941 βΌ
π Read
via "National Vulnerability Database".
A missing permission check in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41946 βΌ
π Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username.π Read
via "National Vulnerability Database".
π΄ Google's Souped-up Chrome Store Review Process Foiled by Data-Stealer π΄
π Read
via "Dark Reading".
Researchers have discovered that despite Google's adoption of the Manifest V3 security standard to protect against malicious plug-ins, attackers can still get bad extensions past its review process.π Read
via "Dark Reading".
Dark Reading
Google's Souped-up Chrome Store Review Process Foiled by Data-Stealer
Researchers have discovered that despite Google's adoption of the Manifest V3 security standard to protect against malicious plug-ins, attackers can still get bad extensions past its review process.
π1
π΄ Russia's 'Fancy Bear' APT Targets Ukrainian Energy Facility π΄
π Read
via "Dark Reading".
The group, best known for 2016 US election interference and other attacks on Ukraine, used phishing emails offering pictures of women to lure its victim into opening a malicious attachment.π Read
via "Dark Reading".
Dark Reading
Russia's 'Fancy Bear' APT Targets Ukrainian Energy Facility
The group, best known for 2016 US election interference and other attacks on Ukraine, used phishing emails offering pictures of women to lure its victim into opening a malicious attachment.
π΄ MinIO Attack Showcases Fresh Corporate Cloud Attack Vector π΄
π Read
via "Dark Reading".
The open source object storage service was the target of a never-before-seen attack on corporate cloud services, which researchers said should put DevOps in particular on notice.π Read
via "Dark Reading".
Dark Reading
MinIO Cyberattack Showcases Fresh Corporate Cloud Vector
The open source object storage service was the target of a never-before-seen attack on corporate cloud services, which researchers said should put DevOps in particular on notice.
βΌ CVE-2023-4498 βΌ
π Read
via "National Vulnerability Database".
Tenda N300 Wireless N VDSL2 Modem Router allows unauthenticated access to pages that in turn should be accessible to authenticated users onlyπ Read
via "National Vulnerability Database".
βΌ CVE-2021-36646 βΌ
π Read
via "National Vulnerability Database".
A Cross Site Scrtpting (XSS) vulnerability in KodExplorer 4.45 allows remote attackers to run arbitrary code via /index.php page.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20250 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of requests that are sent to the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary code with root privileges on an affected device. To exploit this vulnerability, the attacker must have valid Administrator credentials on the affected device.π Read
via "National Vulnerability Database".
π΄ AtlasVPN Linux Zero-Day Disconnects Users, Reveals IP Addresses π΄
π Read
via "Dark Reading".
All it takes is a simple copy-paste to undo a VPN service used by millions worldwide.π Read
via "Dark Reading".
Dark Reading
AtlasVPN Linux Zero-Day Disconnects Users, Reveals IP Addresses
All it takes is a simple copy-paste to undo a VPN service used by millions worldwide.
βΌ CVE-2020-10130 βΌ
π Read
via "National Vulnerability Database".
SearchBlox before Version 9.1 is vulnerable to business logic bypass where the user is able to create multiple super admin users in the system.π Read
via "National Vulnerability Database".
βΌ CVE-2023-38484 βΌ
π Read
via "National Vulnerability Database".
Vulnerabilities exist in the BIOS implementation of Aruba 9200 and 9000 Series Controllers and Gateways that couldΓ allow an attacker to execute arbitrary code early in the bootΓ sequence. An attacker could exploit this vulnerability toΓ gain access to and change underlying sensitive informationΓ in the affected controller leading to complete systemΓ compromise.π Read
via "National Vulnerability Database".
βΌ CVE-2023-38485 βΌ
π Read
via "National Vulnerability Database".
Vulnerabilities exist in the BIOS implementation of Aruba 9200 and 9000 Series Controllers and Gateways that couldΓ allow an attacker to execute arbitrary code early in the bootΓ sequence. An attacker could exploit this vulnerability toΓ gain access to and change underlying sensitive informationΓ in the affected controller leading to complete systemΓ compromise.π Read
via "National Vulnerability Database".
βΌ CVE-2020-10132 βΌ
π Read
via "National Vulnerability Database".
SearchBlox before Version 9.1 is vulnerable to cross-origin resource sharing misconfiguration.π Read
via "National Vulnerability Database".