‼ CVE-2023-30908 ‼
📖 Read
via "National Vulnerability Database".
Potential security vulnerabilities have been identified in Hewlett Packard Enterprise OneView Software. These vulnerabilities could be remotely exploited to allow authentication bypass, disclosure of sensitive information, and denial of service.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-40584 ‼
📖 Read
via "National Vulnerability Database".
Argo CD is a declarative continuous deployment for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious, low-privileged user can send a malicious tar.gz file that exploits this vulnerability to the repo-server, thereby harming the system's functionality and availability. Additionally, the repo-server is susceptible to another vulnerability due to the fact that it does not check the extracted file permissions before attempting to delete them. Consequently, an attacker can craft a malicious tar.gz archive in a way that prevents the deletion of its inner files when the manifest generation process is completed. A patch for this vulnerability has been released in versions 2.6.15, 2.7.14, and 2.8.3. Users are advised to upgrade. The only way to completely resolve the issue is to upgrade, however users unable to upgrade should configure RBAC (Role-Based Access Control) and provide access for configuring applications only to a limited number of administrators. These administrators should utilize trusted and verified Helm charts.📖 Read
via "National Vulnerability Database".
🕴 Software Supply Chain Strategies to Parry Dependency Confusion Attacks 🕴
📖 Read
via "Dark Reading".
Bad actors practice to deceive package managers with a tangled web of methods. Here's how to hoist them by their own petard.📖 Read
via "Dark Reading".
Dark Reading
Software Supply Chain Strategies to Parry Dependency Confusion Attacks
Bad actors practice to deceive package managers with a tangled web of methods. Here's how to hoist them by their own petard.
‼ CVE-2023-40353 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Exynos Mobile Processor 980 and 2100. An integer overflow at a buffer index can prevent the execution of requested services via a crafted application.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41594 ‼
📖 Read
via "National Vulnerability Database".
Dairy Farm Shop Management System Using PHP and MySQL v1.1 was discovered to contain multiple SQL injection vulnerabilities in the Login function via the Username and Password parameters.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-40271 ‼
📖 Read
via "National Vulnerability Database".
In Trusted Firmware-M through TF-Mv1.8.0, for platforms that integrate the CryptoCell accelerator, when the CryptoCell PSA Driver software Interface is selected, and the Authenticated Encryption with Associated Data Chacha20-Poly1305 algorithm is used, with the single-part verification function (defined during the build-time configuration phase) implemented with a dedicated function (i.e., not relying on usage of multipart functions), the buffer comparison during the verification of the authentication tag does not happen on the full 16 bytes but just on the first 4 bytes, thus leading to the possibility that unauthenticated payloads might be identified as authentic. This affects TF-Mv1.6.0, TF-Mv1.6.1, TF-Mv1.7.0, and TF-Mv1.8.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-40953 ‼
📖 Read
via "National Vulnerability Database".
icms 7.0.16 is vulnerable to Cross Site Request Forgery (CSRF).📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37368 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Samsung Exynos Mobile Processor, Automotive Processor, and Modem (Exynos Mobile Processor, Automotive Processor, and Modem - Exynos 9810, Exynos 9610, Exynos 9820, Exynos 980, Exynos 850, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 9110, Exynos W920, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123). In the Shannon MM Task, Missing validation of a NULL pointer can cause abnormal termination via a malformed NR MM packet.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27599 ‼
📖 Read
via "National Vulnerability Database".
An insertion of sensitive information into Log file vulnerability has been reported to affect product. If exploited, the vulnerability possibly provides local authenticated administrators with an additional, less-protected path to acquiring the information via unspecified vectors.We have already fixed the vulnerability in the following version:Windows 10 SP1, Windows 11, Mac OS, and Mac M1: QVR Pro Client 2.3.0.0420 and later📖 Read
via "National Vulnerability Database".
‼ CVE-2021-45811 ‼
📖 Read
via "National Vulnerability Database".
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket 1.15.x allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.📖 Read
via "National Vulnerability Database".
‼ CVE-2014-5329 ‼
📖 Read
via "National Vulnerability Database".
GIGAPOD file servers (Appliance model and Software model) provide two web interfaces, 80/tcp and 443/tcp for user operation, and 8001/tcp for administrative operation.8001/tcp is served by a version of Apache HTTP server containing a flaw in handling HTTP requests (CVE-2011-3192), which may lead to a denial-of-service (DoS) condition.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37367 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Samsung Exynos Mobile Processor, Automotive Processor, and Modem (Exynos 9820, Exynos 980, Exynos 850, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123. In the NAS Task, an improperly implemented security check for standard can disallow desired services for a while via consecutive NAS messages.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37377 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Samsung Exynos Mobile Processor and Wearable Processor (Exynos 980, Exynos 850, Exynos 2100, and Exynos W920). Improper handling of length parameter inconsistency can cause incorrect packet filtering.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37759 ‼
📖 Read
via "National Vulnerability Database".
Incorrect access control in the User Registration page of Crypto Currency Tracker (CCT) before v9.5 allows unauthenticated attackers to register as an Admin account via a crafted POST request.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33834 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in iscflashx64.sys 3.9.3.0 in Insyde H2OFFT 6.20.00. When handling IOCTL 0x22229a, the input used to allocate a buffer and copy memory is mishandled. This could cause memory corruption or a system crash.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41615 ‼
📖 Read
via "National Vulnerability Database".
Zoo Management System v1.0 was discovered to contain multiple SQL injection vulnerabilities in the Admin sign-in page via the username and password fields.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-27715 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in MoFi Network MOFI4500-4GXeLTE-V2 3.5.6-xnet-5052 allows attackers to bypass the authentication and execute arbitrary code via crafted HTTP request.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-36184 ‼
📖 Read
via "National Vulnerability Database".
CMysten Labs Sui blockchain v1.2.0 was discovered to contain a stack overflow via the component /spec/openrpc.json.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39620 ‼
📖 Read
via "National Vulnerability Database".
An Issue in Buffalo America, Inc. TeraStation NAS TS5410R v.5.00 thru v.0.07 allows a remote attacker to obtain sensitive information via the guest account function.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4777 ‼
📖 Read
via "National Vulnerability Database".
An incorrect permission check in Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins and to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins. 📖 Read
via "National Vulnerability Database".
‼ CVE-2023-32470 ‼
📖 Read
via "National Vulnerability Database".
Dell Digital Delivery versions prior to 5.0.82.0 contain an Insecure Operation on Windows Junction / Mount Point vulnerability. A local malicious user could potentially exploit this vulnerability to create arbitrary folder leading to permanent Denial of Service (DOS).📖 Read
via "National Vulnerability Database".