‼ CVE-2023-37759 ‼
📖 Read
via "National Vulnerability Database".
Incorrect access control in the User Registration page of Crypto Currency Tracker (CCT) before v9.5 allows unauthenticated attackers to register as an Admin account via a crafted POST request.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33834 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in iscflashx64.sys 3.9.3.0 in Insyde H2OFFT 6.20.00. When handling IOCTL 0x22229a, the input used to allocate a buffer and copy memory is mishandled. This could cause memory corruption or a system crash.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41615 ‼
📖 Read
via "National Vulnerability Database".
Zoo Management System v1.0 was discovered to contain multiple SQL injection vulnerabilities in the Admin sign-in page via the username and password fields.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-27715 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in MoFi Network MOFI4500-4GXeLTE-V2 3.5.6-xnet-5052 allows attackers to bypass the authentication and execute arbitrary code via crafted HTTP request.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-36184 ‼
📖 Read
via "National Vulnerability Database".
CMysten Labs Sui blockchain v1.2.0 was discovered to contain a stack overflow via the component /spec/openrpc.json.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39620 ‼
📖 Read
via "National Vulnerability Database".
An Issue in Buffalo America, Inc. TeraStation NAS TS5410R v.5.00 thru v.0.07 allows a remote attacker to obtain sensitive information via the guest account function.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4777 ‼
📖 Read
via "National Vulnerability Database".
An incorrect permission check in Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins and to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins. 📖 Read
via "National Vulnerability Database".
‼ CVE-2023-32470 ‼
📖 Read
via "National Vulnerability Database".
Dell Digital Delivery versions prior to 5.0.82.0 contain an Insecure Operation on Windows Junction / Mount Point vulnerability. A local malicious user could potentially exploit this vulnerability to create arbitrary folder leading to permanent Denial of Service (DOS).📖 Read
via "National Vulnerability Database".
‼ CVE-2023-34041 ‼
📖 Read
via "National Vulnerability Database".
Cloud foundry routing release versions prior to 0.278.0 are vulnerable to abuse of HTTP Hop-by-Hop Headers. An unauthenticated attacker can use this vulnerability for headers like B3 or X-B3-SpanID to affect the identification value recorded in the logs in foundations.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41775 ‼
📖 Read
via "National Vulnerability Database".
Improper access control vulnerability in 'direct' Desktop App for macOS ver 2.6.0 and earlier allows a local attacker to bypass access restriction and to use camrea, microphone, etc. of the device where the product is installed without the user's consent.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39584 ‼
📖 Read
via "National Vulnerability Database".
Hexo up to v7.0.0 (RC2) was discovered to contain an arbitrary file read vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4807 ‼
📖 Read
via "National Vulnerability Database".
Issue summary: The POLY1305 MAC (message authentication code) implementationcontains a bug that might corrupt the internal state of applications on theWindows 64 platform when running on newer X86_64 processors supporting theAVX512-IFMA instructions.Impact summary: If in an application that uses the OpenSSL library an attackercan influence whether the POLY1305 MAC algorithm is used, the applicationstate might be corrupted with various application dependent consequences.The POLY1305 MAC (message authentication code) implementation in OpenSSL doesnot save the contents of non-volatile XMM registers on Windows 64 platformwhen calculating the MAC of data larger than 64 bytes. Before returning tothe caller all the XMM registers are set to zero rather than restoring theirprevious content. The vulnerable code is used only on newer x86_64 processorssupporting the AVX512-IFMA instructions.The consequences of this kind of internal application state corruption canbe various - from no consequences, if the calling application does notdepend on the contents of non-volatile XMM registers at all, to the worstconsequences, where the attacker could get complete control of the applicationprocess. However given the contents of the registers are just zeroized sothe attacker cannot put arbitrary values inside, the most likely consequence,if any, would be an incorrect result of some application dependentcalculations or a crash leading to a denial of service.The POLY1305 MAC algorithm is most frequently used as part of theCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)algorithm. The most common usage of this AEAD cipher is with TLS protocolversions 1.2 and 1.3 and a malicious client can influence whether this AEADcipher is used by the server. This implies that server applications usingOpenSSL can be potentially impacted. However we are currently not aware ofany concrete application that would be affected by this issue therefore weconsider this a Low severity security issue.As a workaround the AVX512-IFMA instructions support can be disabled atruntime by setting the environment variable OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000The FIPS provider is not affected by this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-40924 ‼
📖 Read
via "National Vulnerability Database".
SolarView Compact < 6.00 is vulnerable to Directory Traversal.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39076 ‼
📖 Read
via "National Vulnerability Database".
Injecting random data into the USB memory area on a General Motors (GM) Chevrolet Equinox 2021 Software. 2021.03.26 (build version) vehicle causes a Denial of Service (DoS) in the in-car infotainment system.📖 Read
via "National Vulnerability Database".
🕴 3 Strategies to Defend Against Resurging Infostealers 🕴
📖 Read
via "Dark Reading".
Infostealer incidents have more than doubled recently, making it critical to bolster your defenses to mitigate this growing threat.📖 Read
via "Dark Reading".
Dark Reading
3 Strategies to Defend Against Resurging Infostealers
Infostealer incidents have more than doubled recently, making it critical to bolster your defenses to mitigate this growing threat.
🕴 Kenya Initiates Public Sector Digital Skills Training, No Mention of Cybersecurity 🕴
📖 Read
via "Dark Reading".
Training will cover cloud skills and working in a paperless environment, but any mention of a cybersecurity element is conspicuously lacking.📖 Read
via "Dark Reading".
Dark Reading
Kenya Initiates Public Sector Digital Skills Training, No Mention of Cybersecurity
Training will cover cloud skills and working in a paperless environment, but any mention of a cybersecurity element is conspicuously lacking.
🦿 Cisco: Booming identity market driven by leadership awareness 🦿
📖 Read
via "Tech Republic".
A new study by Cisco Investments with venture capital firms finds that most CISOs find complexity of tools, number of solutions and users, and even jargon a barrier to zero trust.📖 Read
via "Tech Republic".
TechRepublic
Cisco: Booming identity market driven by leadership awareness
A new study by Cisco Investments with venture capital firms finds that the complexity of most CISOs is a barrier to zero trust.
‼ CVE-2023-39320 ‼
📖 Read
via "National Vulnerability Database".
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4843 ‼
📖 Read
via "National Vulnerability Database".
Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39319 ‼
📖 Read
via "National Vulnerability Database".
The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39321 ‼
📖 Read
via "National Vulnerability Database".
Processing an incomplete post-handshake message for a QUIC connection can cause a panic.📖 Read
via "National Vulnerability Database".