‼ CVE-2023-39320 ‼
📖 Read
via "National Vulnerability Database".
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4843 ‼
📖 Read
via "National Vulnerability Database".
Pega Platform versions 7.1 to 8.8.3 are affected by an HTML Injection issue with a name field utilized in Visual Business Director, however this field can only be modified by an authenticated administrative user.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39319 ‼
📖 Read
via "National Vulnerability Database".
The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39321 ‼
📖 Read
via "National Vulnerability Database".
Processing an incomplete post-handshake message for a QUIC connection can cause a panic.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39322 ‼
📖 Read
via "National Vulnerability Database".
QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39318 ‼
📖 Read
via "National Vulnerability Database".
The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.📖 Read
via "National Vulnerability Database".
🕴 'Evil Telegram' Spyware Campaign Infects 60K+ Mobile Users 🕴
📖 Read
via "Dark Reading".
Legitimate-seeming Telegram "mods" available in the official Google Play store for the encrypted messaging app signal the rise of a new enterprise threat.📖 Read
via "Dark Reading".
Dark Reading
'Evil Telegram' Spyware Campaign Infects 60K+ Mobile Users
Legitimate-seeming Telegram "mods" available in the official Google Play store for the encrypted messaging app signal the rise of a new enterprise threat.
🕴 Critical Security Bug Opens Cisco BroadWorks to Complete Takeover 🕴
📖 Read
via "Dark Reading".
Cyberattackers could exploit CVE-2023-20238 to carry out a variety of nefarious deeds, from data theft and code execution to phishing, fraud, and DoS.📖 Read
via "Dark Reading".
Dark Reading
Critical Security Bug Opens Cisco BroadWorks to Complete Takeover
Cyberattackers could exploit CVE-2023-20238 to carry out a variety of nefarious deeds, from data theft and code execution to phishing, fraud, and DoS.
🦿 Australian Data Breach Costs are Rising — What Can IT Leaders Do? 🦿
📖 Read
via "Tech Republic".
Australian data breach costs have jumped over the last five years to $2.57 million USD, according to IBM. Prioritizing DevSecOps and incident response planning can help IT leaders minimize the financial risk.📖 Read
via "Tech Republic".
TechRepublic
Australian Data Breach Costs are Rising — What Can IT Leaders Do?
Prioritizing DevSecOps and incident response planning can help Australian IT leaders minimize the financial risk of a data breach.
‼ CVE-2023-41578 ‼
📖 Read
via "National Vulnerability Database".
Jeecg boot up to v3.5.3 was discovered to contain an arbitrary file read vulnerability via the interface /testConnection.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-38736 ‼
📖 Read
via "National Vulnerability Database".
IBM QRadar WinCollect Agent 10.0 through 10.1.6, when installed to run as ADMIN or SYSTEM, is vulnerable to a local escalation of privilege attack that a normal user could utilize to gain SYSTEM permissions. IBM X-Force ID: 262542.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-28010 ‼
📖 Read
via "National Vulnerability Database".
In some configuration scenarios, the Domino server host name can be exposed. This information could be used to target future attacks.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41575 ‼
📖 Read
via "National Vulnerability Database".
Multiple stored cross-site scripting (XSS) vulnerabilities in /bbdms/sign-up.php of Blood Bank & Donor Management v2.2 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Full Name, Message, or Address parameters.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-42268 ‼
📖 Read
via "National Vulnerability Database".
Jeecg boot up to v3.5.3 was discovered to contain a SQL injection vulnerability via the component /jeecg-boot/jmreport/show.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-41338 ‼
📖 Read
via "National Vulnerability Database".
Fiber is an Express inspired web framework built in the go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rely on the `ctx.IsFromLocal` method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. Setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host, will result in true for `ctx.IsFromLocal`. Access is limited to the scope of the affected process. This issue has been patched in version `2.49.2` with commit `b8c9ede6`. Users are advised to upgrade. There are no known workarounds to remediate this vulnerability without upgrading to the patched version.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-4782 ‼
📖 Read
via "National Vulnerability Database".
Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the `init` operation if run on maliciously crafted Terraform configuration. This vulnerability is fixed in Terraform 1.5.7.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39712 ‼
📖 Read
via "National Vulnerability Database".
Multiple cross-site scripting (XSS) vulnerabilities in Free and Open Source Inventory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name, Address, and Company parameters under the Add New Put section.📖 Read
via "National Vulnerability Database".
❤1
‼ CVE-2023-24965 ‼
📖 Read
via "National Vulnerability Database".
IBM Aspera Faspex 5.0.5 does not restrict or incorrectly restricts access to a resource from an unauthorized actor. IBM X-Force ID: 246713.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-32332 ‼
📖 Read
via "National Vulnerability Database".
IBM Maximo Application Suite 8.9, 8.10 and IBM Maximo Asset Management 7.6.1.2, 7.6.1.3 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 255072.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-33164 ‼
📖 Read
via "National Vulnerability Database".
IBM Security Directory Server 7.2.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view or write to arbitrary files on the system. IBM X-Force ID: 228579.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30995 ‼
📖 Read
via "National Vulnerability Database".
IBM Aspera Faspex 5.0.5 could allow a malicious actor to bypass IP whitelist restrictions using a specially crafted HTTP request. IBM X-Force ID: 254268.📖 Read
via "National Vulnerability Database".