βΌ CVE-2023-4095 βΌ
π Read
via "National Vulnerability Database".
User enumeration vulnerability in Arconte ΓοΏ½urea 1.5.0.0 version. The exploitation of this vulnerability could allow an attacker to obtain a list of registered users in the application, obtaining the necessary information to perform more complex attacks on the platform.π Read
via "National Vulnerability Database".
π΄ Name That Toon: Somewhere in Sleepy Hollow π΄
π Read
via "Dark Reading".
Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.π Read
via "Dark Reading".
Dark Reading
Name That Toon: Somewhere in Sleepy Hollow
Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.
π΄ Qatar Cyber Chiefs Warn on Mozilla RCE Bugs π΄
π Read
via "Dark Reading".
The WebP vulnerability affects multiple browsers besides Firefox and Thunderbird, with active exploitation ongoing.π Read
via "Dark Reading".
Dark Reading
Qatar Cyber Chiefs Warn on Mozilla RCE Bugs
The WebP vulnerability affects multiple browsers besides Firefox and Thunderbird, with active exploitation ongoing.
βΌ CVE-2023-22513 βΌ
π Read
via "National Vulnerability Database".
This High severity RCE (Remote Code Execution) vulnerability was introduced in version 8.0.0 of Bitbucket Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bitbucket Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.5 Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.5 Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.4 Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.2 Bitbucket Data Center and Server 8.13: Upgrade to a release greater than or equal to 8.13.1 Bitbucket Data Center and Server 8.14: Upgrade to a release greater than or equal to 8.14.0 Bitbucket Data Center and Server version >= 8.0 and < 8.9: Upgrade to any of the listed fix versions. See the release notes ([https://confluence.atlassian.com/bitbucketserver/release-notes]). You can download the latest version of Bitbucket Data Center and Server from the download center ([https://www.atlassian.com/software/bitbucket/download-archives]). This vulnerability was discovered by a private user and reported via our Bug Bounty programπ Read
via "National Vulnerability Database".
βΌ CVE-2023-42451 βΌ
π Read
via "National Vulnerability Database".
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-38353 βΌ
π Read
via "National Vulnerability Database".
MiniTool Power Data Recovery 11.5 contains an insecure in-app payment system that allows attackers to steal highly sensitive information through a man in the middle attack.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32182 βΌ
π Read
via "National Vulnerability Database".
A Improper Link Resolution Before File Access ('Link Following') vulnerability in SUSE SUSE Linux Enterprise Desktop 15 SP5 postfix, SUSE SUSE Linux Enterprise High Performance Computing 15 SP5 postfix, SUSE openSUSE Leap 15.5 postfix.This issue affects SUSE Linux Enterprise Desktop 15 SP5: before 3.7.3-150500.3.5.1; SUSE Linux Enterprise High Performance Computing 15 SP5: before 3.7.3-150500.3.5.1; openSUSE Leap 15.5 : before 3.7.3-150500.3.5.1.π Read
via "National Vulnerability Database".
βΌ CVE-2023-42793 βΌ
π Read
via "National Vulnerability Database".
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possibleπ Read
via "National Vulnerability Database".
βΌ CVE-2023-42452 βΌ
π Read
via "National Vulnerability Database".
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon's strict Content Security Policy, blocking inline scripts, etc. However a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the Γ’β¬ΕTranslateΓ’β¬οΏ½ button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-38352 βΌ
π Read
via "National Vulnerability Database".
MiniTool Partition Wizard 12.8 contains an insecure update mechanism that allows attackers to achieve remote code execution through a man in the middle attack.π Read
via "National Vulnerability Database".
βΌ CVE-2023-42450 βΌ
π Read
via "National Vulnerability Database".
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-38356 βΌ
π Read
via "National Vulnerability Database".
MiniTool Power Data Recovery 11.6 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack.π Read
via "National Vulnerability Database".
βΌ CVE-2023-38355 βΌ
π Read
via "National Vulnerability Database".
MiniTool Movie Maker 6.1.0 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack.π Read
via "National Vulnerability Database".
βΌ CVE-2023-38351 βΌ
π Read
via "National Vulnerability Database".
MiniTool Partition Wizard 12.8 contains an insecure installation mechanism that allows attackers to achieve remote code execution through a man in the middle attack.π Read
via "National Vulnerability Database".
βΌ CVE-2023-38354 βΌ
π Read
via "National Vulnerability Database".
MiniTool Movie Maker 4.1 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43566 βΌ
π Read
via "National Vulnerability Database".
In JetBrains TeamCity before 2023.05.4 stored XSS was possible during nodes configurationπ Read
via "National Vulnerability Database".
π΄ MGM, Caesars Face Regulatory, Legal Maze After Cyber Incidents π΄
π Read
via "Dark Reading".
MGM and Caesars are putting new SEC incident disclosure regulations to a real-world test in the aftermath of twin cyberattacks on the casinos, as class-action lawsuits loom.π Read
via "Dark Reading".
Dark Reading
MGM, Caesars Face Regulatory, Legal Maze After Cyber Incidents
MGM and Caesars are putting new SEC incident disclosure regulations to a real-world test in the aftermath of twin cyberattacks on the casinos, as class-action lawsuits loom.
π΄ Trend Micro Patches Zero-Day Endpoint Vulnerability π΄
π Read
via "Dark Reading".
The critical vulnerability involves uninstalling third-party security products and has been used in cyberattacks.π Read
via "Dark Reading".
Dark Reading
Trend Micro Patches Zero-Day Endpoint Vulnerability
The critical vulnerability involves uninstalling third-party security products and has been used in cyberattacks.
π΄ China-Linked Actor Taps Linux Backdoor in Forceful Espionage Campaign π΄
π Read
via "Dark Reading".
"SprySOCKS" melds features from multiple previously known badware and adds to the threat actor's growing malware arsenal, Trend Micro says.π Read
via "Dark Reading".
Dark Reading
China-Linked Actor Taps Linux Backdoor in Forceful Espionage Campaign
"SprySOCKS" melds features from multiple previously known badware and adds to the threat actor's growing malware arsenal, Trend Micro says.
βΌ CVE-2023-2995 βΌ
π Read
via "National Vulnerability Database".
The Leyka WordPress plugin through 3.30.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)π Read
via "National Vulnerability Database".
βΌ CVE-2023-4376 βΌ
π Read
via "National Vulnerability Database".
The Serial Codes Generator and Validator with WooCommerce Support WordPress plugin before 2.4.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)π Read
via "National Vulnerability Database".
π₯1