‼ CVE-2023-41331 ‼
via "National Vulnerability Database".
SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.
‼ CVE-2023-4904 ‼
via "National Vulnerability Database".
Insufficient policy enforcement in Downloads in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to bypass Enterprise policy restrictions via a crafted download. (Chromium security severity: Medium)
‼ CVE-2023-4908 ‼
via "National Vulnerability Database".
Inappropriate implementation in Picture in Picture in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Low)
‼ CVE-2023-39208 ‼
via "National Vulnerability Database".
Improper input validation in Zoom Desktop Client for Linux before version 5.15.10 may allow an unauthenticated user to conduct a denial of service via network access.
‼ CVE-2023-4909 ‼
via "National Vulnerability Database".
Inappropriate implementation in Interstitials in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Low)
‼ CVE-2023-3712 ‼
via "National Vulnerability Database".
Files or Directories Accessible to External Parties vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Privilege Escalation. This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006).
‼ CVE-2023-3710 ‼
via "National Vulnerability Database".
Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection. This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006).
‼ CVE-2023-41885 ‼
via "National Vulnerability Database".
Piccolo is an ORM and query builder which supports asyncio. In versions 0.120.0 and prior, the implementation of `BaseUser.login` leaks enough information to a malicious user such that they would be able to successfully generate a list of valid users on the platform. As Piccolo on its own does not also enforce strong passwords, these lists of valid accounts are likely to be used in a password spray attack with the outcome being attempted takeover of user accounts on the platform. The impact of this vulnerability is minor as it requires chaining with other attack vectors in order to gain more than simply a list of valid users on the underlying platform. The likelihood of this vulnerability is possible as it requires minimal skills to pull off, especially given the underlying login functionality for Piccolo based sites is open source. This issue has been patched in version 0.121.0.
‼ CVE-2023-39215 ‼
via "National Vulnerability Database".
Improper authentication in Zoom clients may allow an authenticated user to conduct a denial of service via network access.
‼ CVE-2023-4905 ‼
via "National Vulnerability Database".
Inappropriate implementation in Prompts in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Medium)
‼ CVE-2023-3711 ‼
via "National Vulnerability Database".
Session Fixation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Session Credential Falsification through Prediction. This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006).
‼ CVE-2023-4900 ‼
via "National Vulnerability Database".
Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 117.0.5938.62 allowed a remote attacker to obfuscate a permission prompt via a crafted HTML page. (Chromium security severity: Medium)
‼ CVE-2023-39201 ‼
via "National Vulnerability Database".
Untrusted search path in CleanZoom before file date 07/24/2023 may allow a privileged user to conduct an escalation of privilege via local access.
‼ CVE-2023-4902 ‼
via "National Vulnerability Database".
Inappropriate implementation in Input in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Medium)
‼ CVE-2023-4906 ‼
via "National Vulnerability Database".
Insufficient policy enforcement in Autofill in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to bypass Autofill restrictions via a crafted HTML page. (Chromium security severity: Low)
🕴 Microsoft Patches a Pair of Actively Exploited Zero-Days 🕴
via "Dark Reading".
Five critical bugs, zero-days exploited in the wild, Exchange Server, and more headline Microsoft's September 2023 Patch Tuesday release. Here's what to patch now.
♟️ Adobe, Apple, Google & Microsoft Patch 0-Day Bugs ♟️
via "Krebs on Security".
Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe, Google Chrome and Apple iOS users may have their own zero-day patching to do.
‼ CVE-2023-4813 ‼
via "National Vulnerability Database".
A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.
‼ CVE-2023-41423 ‼
via "National Vulnerability Database".
Cross Site Scripting vulnerability in WP Githuber MD plugin v.1.16.2 allows a remote attacker to execute arbitrary code via a crafted payload to the new article function.
‼ CVE-2023-39073 ‼
via "National Vulnerability Database".
An issue in SNMP Web Pro v.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted request.
‼ CVE-2022-47637 ‼
via "National Vulnerability Database".
The installer in XAMPP through 8.1.12 allows local users to write to the C:\xampp directory. Common use cases execute files under C:\xampp with administrative privileges.