βΌ CVE-2023-42768 βΌ
π Read
via "National Vulnerability Database".
When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST. BIG-IP non-admin user can still have access to iControl REST admin resource.Γ Γ Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45219 βΌ
π Read
via "National Vulnerability Database".
Exposure of Sensitive Information vulnerability exist in an undisclosed BIG-IP TMOS shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information.Γ Γ Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2023-40537 βΌ
π Read
via "National Vulnerability Database".
An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform.Γ Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2023-41373 βΌ
π Read
via "National Vulnerability Database".
A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands on the BIG-IP system. For BIG-IP system running in Appliance mode, a successful exploit can allow the attacker to cross a security boundary.Γ Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
π΄ Old-School Attacks Are Still a Danger, Despite Newer Techniques π΄
π Read
via "Dark Reading".
The cold, hard truth? Cybercriminals are still perpetuating plenty of unsophisticated attacks for a simple reason: They work.π Read
via "Dark Reading".
Dark Reading
Old-School Attacks Are Still a Danger, Despite Newer Techniques
The cold, hard truth? Cybercriminals are still perpetuating plenty of unsophisticated attacks for a simple reason: They work.
π¦Ώ Australia, New Zealand Enterprises Spend Big on Security β But Will It Be Enough? π¦Ώ
π Read
via "Tech Republic".
Australian and New Zealand businesses will increase spending on cybersecurity by double digitsβ¦ but they might not be able to spend their way to safety.π Read
via "Tech Republic".
TechRepublic
Australia, New Zealand Enterprises Spend Big on Security β But Will It Be Enough?
Australian and New Zealand businesses will increase spending on cybersecurity, but they might not be able to spend their way to safety.
βΌ CVE-2023-5490 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as critical was found in Beijing Baichuo Smart S45F Multi-Service Secure Gateway Intelligent Management Platform up to 20230928. This vulnerability affects unknown code of the file /useratte/userattestation.php. The manipulation of the argument web_img leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-241642 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30801 βΌ
π Read
via "National Vulnerability Database".
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44470 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Kvvaradha Kv TinyMCE Editor Add Fonts plugin <=Γ 1.1 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44476 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Andres Felipe Perea V. CopyRightPro plugin <=Γ 2.1 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5499 βΌ
π Read
via "National Vulnerability Database".
Information exposure vulnerability in Shenzhen Reachfar v28, the exploitation of which could allow a remote attacker to retrieve all the week's logs stored in the 'log2' directory. An attacker could retrieve sensitive information such as remembered wifi networks, sent messages, SOS device locations and device configurations.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30802 βΌ
π Read
via "National Vulnerability Database".
The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to a source code disclosure vulnerability. A remote and unauthenticated attacker can obtain PHP source code by sending an HTTP request with an invalid Content-Length field.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30804 βΌ
π Read
via "National Vulnerability Database".
The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an authenticated file disclosure vulnerability. A remote and authenticated attacker can read arbitrary system files using the svpn_html/loadfile.php endpoint. This issue is exploitable by a remote and unauthenticated attacker when paired with CVE-2023-30803.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44475 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Michael Simpson Add Shortcodes Actions And Filters plugin <=Γ 2.0.9 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44487 βΌ
π Read
via "National Vulnerability Database".
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5491 βΌ
π Read
via "National Vulnerability Database".
A vulnerability, which was classified as critical, has been found in Beijing Baichuo Smart S45F Multi-Service Secure Gateway Intelligent Management Platform up to 20230928. This issue affects some unknown processing of the file /sysmanage/updatelib.php. The manipulation of the argument file_upload leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-241643. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44241 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Keap Keap Landing Pages plugin <=Γ 1.4.2 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30806 βΌ
π Read
via "National Vulnerability Database".
The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an operating system command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary commands by sending a crafted HTTP POST request to the /cgi-bin/login.cgi endpoint. This is due to mishandling of shell meta-characters in the PHPSESSID cookie.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5489 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as critical has been found in Beijing Baichuo Smart S45F Multi-Service Secure Gateway Intelligent Management Platform up to 20230928. This affects an unknown part of the file /Tool/uploadfile.php. The manipulation of the argument file_upload leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-241641 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30803 βΌ
π Read
via "National Vulnerability Database".
The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can bypass authentication and access administrative functionality by sending HTTP requests using a crafted Y-forwarded-for header.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44994 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Bainternet ShortCodes UI plugin <=Γ 1.9.8 versions.π Read
via "National Vulnerability Database".