‼ CVE-2023-38507 ‼
📖 Read
via "National Vulnerability Database".
Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-40167 ‼
📖 Read
via "National Vulnerability Database".
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37281 ‼
📖 Read
via "National Vulnerability Database".
Contiki-NG is an operating system for internet-of-things devices. In versions 4.9 and prior, when processing the various IPv6 header fields during IPHC header decompression, Contiki-NG confirms the received packet buffer contains enough data as needed for that field. But no similar check is done before decompressing the IPv6 address. Therefore, up to 16 bytes can be read out of bounds on the line with the statement `memcpy(&ipaddr->u8[16 - postcount], iphc_ptr, postcount);`. The value of `postcount` depends on the address compression used in the received packet and can be controlled by the attacker. As a result, an attacker can inject a packet that causes an out-of-bound read. As of time of publication, a patched version is not available. As a workaround, one can apply the changes in Contiki-NG pull request #2509 to patch the system.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-36160 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Qubo Smart Plug10A version HSP02_01_01_14_SYSTEM-10 A, allows local attackers to gain sensitive information and other unspecified impact via UART console.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39612 ‼
📖 Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-39777 ‼
📖 Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-38040 ‼
📖 Read
via "National Vulnerability Database".
A reflected XSS vulnerability exists in Revive Adserver 5.4.1 and earlier versions..📖 Read
via "National Vulnerability Database".
📢 Are you ready for NIS2? 📢
📖 Read
via "ITPro".
Find out what you should be doing to prepare for the EU’s latest data protection regulation and UK equivalent with our free webinar 📖 Read
via "ITPro".
ITPro
Are you ready for NIS2?
Find out what you should be doing to prepare for the EU’s latest data protection regulation and UK equivalent with our free webinar
👍1
🕴 Evaluating New Partners and Vendors From an Identity Security Perspective 🕴
📖 Read
via "Dark Reading".
Before working with new vendors, it's important to understand the potential risks they may pose to your digital environments.📖 Read
via "Dark Reading".
Dark Reading
Evaluating New Partners and Vendors From an Identity Security Perspective
Before working with new vendors, it's important to understand the potential risks they may pose to your digital environments.
🕴 AI in Software Development: The Good, the Bad, and the Dangerous 🕴
📖 Read
via "Dark Reading".
Just like with using open source, organizations need to be diligent about testing AI components and understanding where and how it is used in their software.📖 Read
via "Dark Reading".
Dark Reading
AI in Software Development: The Good, the Bad, and the Dangerous
Just like with using open source, organizations need to be diligent about testing AI components and understanding where and how it is used in their software.
‼ CVE-2023-5033 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability classified as critical has been found in OpenRapid RapidCMS 1.3.1. This affects an unknown part of the file /admin/category/cate-edit-run.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-239877 was assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-42523 ‼
📖 Read
via "National Vulnerability Database".
Certain WithSecure products allow a remote crash of a scanning engine via unpacking of a PE file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0 , Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-42522 ‼
📖 Read
via "National Vulnerability Database".
Certain WithSecure products allow a remote crash of a scanning engine via processing of an import struct in a PE file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0 , Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-36766 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in the Linux kernel before 5.8.6. drivers/media/cec/core/cec-api.c leaks one byte of kernel memory on specific hardware to unprivileged users, because of directly assigning log_addrs with a hole in the struct.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-5036 ‼
📖 Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.15.1.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-43114 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-42525 ‼
📖 Read
via "National Vulnerability Database".
Certain WithSecure products allow an infinite loop in a scanning engine via unspecified file types. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0 , Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-43115 ‼
📖 Read
via "National Vulnerability Database".
In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server).📖 Read
via "National Vulnerability Database".
‼ CVE-2023-5034 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability classified as problematic was found in SourceCodester My Food Recipe 1.0. This vulnerability affects unknown code of the file index.php of the component Image Upload Handler. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-239878 is the identifier assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-42520 ‼
📖 Read
via "National Vulnerability Database".
Certain WithSecure products allow a remote crash of a scanning engine via unpacking of crafted data files. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0 , Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-42521 ‼
📖 Read
via "National Vulnerability Database".
Certain WithSecure products allow a remote crash of a scanning engine via processing of a compressed file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, Linux Security 64 12.0 , Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 1.0.35-1.📖 Read
via "National Vulnerability Database".