βΌ CVE-2022-47560 βΌ
π Read
via "National Vulnerability Database".
** UNSUPPPORTED WHEN ASSIGNED ** The lack of web request control on ekorCCP and ekorRCI devices allows a potential attacker to create custom requests to execute malicious actions when a user is logged in.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41375 βΌ
π Read
via "National Vulnerability Database".
Use after free vulnerability exists in Kostac PLC Programming Software Version 1.6.11.0. Arbitrary code may be executed by having a user open a specially crafted project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier because the issue exists in parsing of KPP project files. The vendor states that Kostac PLC Programming Software Version 1.6.10.0 or later implements the function which prevents a project file alteration. Therefore, to mitigate the impact of these vulnerabilities, a project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier needs to be saved again using Kostac PLC Programming Software Version 1.6.10.0 or later.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43617 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22644 βΌ
π Read
via "National Vulnerability Database".
An Innsertion of Sensitive Information into Log File vulnerability in SUSE SUSE Manager Server Module 4.2 spacewalk-java, SUSE SUSE Manager Server Module 4.3 spacewalk-java causes sensitive information to be logged.This issue affects SUSE Manager Server Module 4.2: before 4.2.50-150300.3.66.5; SUSE Manager Server Module 4.3: before 4.3.58-150400.3.46.4.π Read
via "National Vulnerability Database".
π2
π¦Ώ βHaywireβ Australian IT Skills Market Prompts Logicalis to Add Talent as a Service π¦Ώ
π Read
via "Tech Republic".
IT solutions and managed services provider Logicalis is planning to help skills-deprived Australian CIOs and IT managers get projects done with a new plug-and-play Talent Services offering.π Read
via "Tech Republic".
TechRepublic
'Haywire' Australian IT Skills Market Prompts Logicalis to Add Talent as a Service
IT solutions and MSP Logicalis plans to help skills-deprived Australian CIOs and IT managers with a new plug-and-play Talent Services offering.
βΌ CVE-2023-5084 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45447 βΌ
π Read
via "National Vulnerability Database".
M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The Γ’β¬ΕfΓ’β¬οΏ½ parameter is not properly checked in the resource /m4pdf/pdf.php, returning any file given its relative path. An attacker that exploits this vulnerability could download /etc/passwd from the server if the file exists.π Read
via "National Vulnerability Database".
βΌ CVE-2023-4853 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2023-34047 βΌ
π Read
via "National Vulnerability Database".
A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptionsΓ instance when registering batch loader functions through DefaultBatchLoaderRegistry.π Read
via "National Vulnerability Database".
π΄ Pro-Iranian Attackers Target Israeli Railroad Network π΄
π Read
via "Dark Reading".
The group known as "Cyber Avengers" has targeted other Israeli services in the past and often publishes technical details of its hits.π Read
via "Dark Reading".
Dark Reading
Pro-Iranian Attackers Claim to Target Israeli Railroad Network
The veracity of claims by the group known as "Cyber Avengers" has been called into question, as it continues to take credit for hits on various Israeli services.
π΄ Changing Role of the CISO: A Holistic Approach Drives the Future π΄
π Read
via "Dark Reading".
The CISO's role has grown far beyond supervising Patch Tuesday to focus on prevention and response and to cover people, processes, and technology. π Read
via "Dark Reading".
Dark Reading
Changing Role of the CISO: A Holistic Approach Drives the Future
The CISO's role has grown far beyond supervising Patch Tuesday to focus on prevention and response and to cover people, processes, and technology.
π΄ 'Culturestreak' Malware Lurks Inside GitLab Python Package π΄
π Read
via "Dark Reading".
The GitLab code hijacks computer resources to mine Dero cryptocurrency as part of a larger cryptomining operation.π Read
via "Dark Reading".
Dark Reading
'Culturestreak' Malware Lurks Inside GitLab Python Package
The GitLab code hijacks computer resources to mine Dero cryptocurrency as part of a larger cryptomining operation.
βΌ CVE-2023-4236 βΌ
π Read
via "National Vulnerability Database".
A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load.This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0829 βΌ
π Read
via "National Vulnerability Database".
Plesk 17.0 through 18.0.31 version, is vulnerable to a Cross-Site Scripting. A malicious subscription owner (either a customer or an additional user), can fully compromise the server if an administrator visits a certain page in Plesk related to the malicious subscription.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-45448 βΌ
π Read
via "National Vulnerability Database".
M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource /m4pdf/pdf.php uses templates to dynamically create documents. In the case that the template does not exist, the application will return a fixed document with a message in mpdf format. An attacker could exploit this vulnerability by inputting a valid HTML/CSS document as the value of the parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5042 βΌ
π Read
via "National Vulnerability Database".
Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40713.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-43477 βΌ
π Read
via "National Vulnerability Database".
The ping_from parameter of ping_tracerte.cgi in the web UI of Telstra Smart Modem Gen 2 (Arcadyan LH1000), firmware versions < 0.18.15r, was not properly sanitized before being used in a system call, which could allow an authenticated attacker to achieve command injection as root on the device.Γ π Read
via "National Vulnerability Database".
βΌ CVE-2023-3341 βΌ
π Read
via "National Vulnerability Database".
The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary.This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.π Read
via "National Vulnerability Database".
π΄ International Criminal Court Suffers Cyberattack π΄
π Read
via "Dark Reading".
The ICC did not reveal details on the cyber breach. π Read
via "Dark Reading".
Dark Reading
International Criminal Court Suffers Cyberattack
The ICC did not reveal details on the cyber breach.
βΌ CVE-2023-43496 βΌ
π Read
via "National Vulnerability Database".
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2508 βΌ
π Read
via "National Vulnerability Database".
The `PaperCutNG Mobility Print` version 1.0.3512 application allows anunauthenticated attacker to perform a CSRF attack on an instanceadministrator to configure the clients host (in the "configure printerdiscovery" section). This is possible because the application has noprotections against CSRF attacks, like Anti-CSRF tokens, header originvalidation, samesite cookies, etc.π Read
via "National Vulnerability Database".