βΌ CVE-2023-44393 βΌ
π Read
via "National Vulnerability Database".
Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41660 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in WPSynchro WP Synchro plugin <=Γ 1.9.1 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41670 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Palasthotel (in person: Edward Bock) Use Memcached plugin <=Γ 1.0.4 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-39192 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41667 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Ulf Benjaminsson WP-dTree plugin <=Γ 4.4.5 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-39194 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5460 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in Delta Electronics WPLSoft up to 2.51 and classified as problematic. This issue affects some unknown processing of the component Modbus Data Packet Handler. The manipulation leads to heap-based buffer overflow. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-241583. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41668 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Leadster plugin <=Γ 1.1.2 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-39189 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5459 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been found in Delta Electronics DVP32ES2 PLC 1.48 and classified as critical. This vulnerability affects unknown code of the component Password Transmission Handler. The manipulation leads to denial of service. The exploit has been disclosed to the public and may be used. VDB-241582 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41669 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in DAEXT Live News plugin <=Γ 1.06 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41672 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in RΓΒ©mi Leclercq Hide admin notices Γ’β¬β Admin Notification Center plugin <=Γ 2.3.2 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-39193 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3431 βΌ
π Read
via "National Vulnerability Database".
A potential vulnerability in a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.π Read
via "National Vulnerability Database".
π΄ 'Looney Tunables' Linux Flaw Sees Snowballing Proof-of-Concept Exploits π΄
π Read
via "Dark Reading".
Following the publication of the critical Linux security vulnerability, security specialists released PoC exploits to test the implications of CVE-2023-4911.π Read
via "Dark Reading".
Dark Reading
'Looney Tunables' Linux Flaw Sees Snowballing Proof-of-Concept Exploits
Following the publication of the critical Linux security vulnerability, security specialists released PoC exploits to test the implications of CVE-2023-4911.
βοΈ Phishers Spoof USPS, 12 Other Natlβ Postal Services βοΈ
π Read
via "Krebs on Security".
Recent weeks have seen a sizable uptick in the number of phishing scams targeting U.S. Postal Service (USPS) customers. Here's a look at an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries worldwide.π Read
via "Krebs on Security".
Krebs on Security
Phishers Spoof USPS, 12 Other Natlβ Postal Services
Recent weeks have seen a sizable uptick in the number of phishing scams targeting U.S. Postal Service (USPS) customers. Here's a look at an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS,β¦
π΄ Hacktivists Enter Fray Following Hamas Strikes Against Israel π΄
π Read
via "Dark Reading".
Killnet, Anonymous Sudan, along with other groups, pick up up their Middle East activities as war breaks out.π Read
via "Dark Reading".
Dark Reading
Hacktivists Enter Fray Following Hamas Strikes Against Israel
Killnet, Anonymous Sudan, along with other groups, pick up up their Middle East activities as war breaks out.
βΌ CVE-2022-3728 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was reported in ThinkPad T14s Gen 3 and X13 Gen3 that could cause the BIOS tamper detection mechanism to not trigger under specific circumstances which could allow unauthorized access.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44811 βΌ
π Read
via "National Vulnerability Database".
Cross Site Request Forgery (CSRF) vulnerability in MooSocial v.3.1.8 allows a remote attacker to execute arbitrary code and obtain sensitive information via the admin Password Change Function.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44813 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the mode parameter of the invite friend login function.π Read
via "National Vulnerability Database".
βΌ CVE-2022-48183 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was reported in ThinkPad T14s Gen 3 and X13 Gen3 that could cause the BIOS tamper detection mechanism to not trigger under specific circumstances which could allow unauthorized access.π Read
via "National Vulnerability Database".