βΌ CVE-2023-4933 βΌ
π Read
via "National Vulnerability Database".
The WP Job Openings WordPress plugin before 3.4.3 does not block listing the contents of the directories where it stores attachments to job applications, allowing unauthenticated visitors to list and download private attachments if the autoindex feature of the web server is enabled.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45150 βΌ
π Read
via "National Vulnerability Database".
Nextcloud calendar is a calendar app for the Nextcloud server platform. Due to missing precondition checks the server was trying to validate strings of any length as email addresses even when megabytes of data were provided, eventually making the server busy and unresponsive. It is recommended that the Nextcloud Calendar app is upgraded to 4.4.4. The only workaround for users unable to upgrade is to disable the calendar app.π Read
via "National Vulnerability Database".
βΌ CVE-2023-4971 βΌ
π Read
via "National Vulnerability Database".
The Weaver Xtreme Theme Support WordPress plugin before 6.3.1 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import a malicious file and a suitable gadget chain is present on the blog.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5003 βΌ
π Read
via "National Vulnerability Database".
The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.10 stores sensitive LDAP logs in a buffer file when an administrator wants to export said logs. Unfortunately, this log file is never removed, and remains accessible to any users knowing the URL to do so.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5089 βΌ
π Read
via "National Vulnerability Database".
The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled.π Read
via "National Vulnerability Database".
π΄ Security Must Empower AI Developers Now π΄
π Read
via "Dark Reading".
Enterprises need to create a secure structure for tracking, assessing, and monitoring their growing stable of AI business apps.π Read
via "Dark Reading".
Dark Reading
Security Must Empower AI Developers Now
Enterprises need to create a secure structure for tracking, assessing, and monitoring their growing stable of AI business apps.
βΌ CVE-2023-45131 βΌ
π Read
via "National Vulnerability Database".
Discourse is an open source platform for community discussion. New chat messages can be read by making an unauthenticated POST request to MessageBus. This issue is patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45807 βΌ
π Read
via "National Vulnerability Database".
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users donΓ’β¬β’t already have. This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43814 βΌ
π Read
via "National Vulnerability Database".
Discourse is an open source platform for community discussion. Attackers with details specific to a poll in a topic can use the `/polls/grouped_poll_results` endpoint to view the content of options in the poll and the number of votes for groups of poll participants. This impacts private polls where the results were intended to only be viewable by authorized users. This issue is patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. There is no workaround for this issue apart from upgrading to the fixed version.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44394 βΌ
π Read
via "National Vulnerability Database".
MantisBT is an open source bug tracker. Due to insufficient access-level checks on the Wiki redirection page, any user can reveal private Projects' names, by accessing wiki.php with sequentially incremented IDs. This issue has been addressed in commit `65c44883f` which has been included in release `2.258`. Users are advised to upgrade. Users unable to upgrade should disable wiki integration ( `$g_wiki_enable = OFF;`).π Read
via "National Vulnerability Database".
βΌ CVE-2023-44388 βΌ
π Read
via "National Vulnerability Database".
Discourse is an open source platform for community discussion. A malicious request can cause production log files to quickly fill up and thus result in the server running out of disk space. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. It is possible to temporarily work around this problem by reducing the `client_max_body_size nginx directive`. `client_max_body_size` will limit the size of uploads that can be uploaded directly to the server.π Read
via "National Vulnerability Database".
βΌ CVE-2023-40374 βΌ
π Read
via "National Vulnerability Database".
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to denial of service with a specially crafted query statement. IBM X-Force ID: 263575.π Read
via "National Vulnerability Database".
βΌ CVE-2023-38728 βΌ
π Read
via "National Vulnerability Database".
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted XML query statement. IBM X-Force ID: 262258.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45540 βΌ
π Read
via "National Vulnerability Database".
An issue in Jorani Leave Management System 1.0.3 allows a remote attacker to execute arbitrary HTML code via a crafted script to the comment field of the List of Leave requests page.π Read
via "National Vulnerability Database".
βΌ CVE-2023-38740 βΌ
π Read
via "National Vulnerability Database".
IBM Db2 for Linux, UNIX, and Windows (includes Db2 Connect Server) 11.5 is vulnerable to a denial of service with a specially crafted SQL statement. IBM X-Force ID: 262613.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30991 βΌ
π Read
via "National Vulnerability Database".
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 is vulnerable to denial of service with a specially crafted query. IBM X-Force ID: 254037.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44391 βΌ
π Read
via "National Vulnerability Database".
Discourse is an open source platform for community discussion. User summaries are accessible for anonymous users even when `hide_user_profiles_from_public` is enabled. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43659 βΌ
π Read
via "National Vulnerability Database".
Discourse is an open source platform for community discussion. Improper escaping of user input allowed for Cross-site Scripting attacks via the digest email preview UI. This issue only affects sites with CSP disabled. This issue has been patched in the 3.1.1 stable release as well as the 3.2.0.beta1 release. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43658 βΌ
π Read
via "National Vulnerability Database".
dicourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Improper escaping of event titles could lead to Cross-site Scripting (XSS) within the 'email preview' UI when a site has CSP disabled. Having CSP disabled is a non-default configuration, so the vast majority of sites are unaffected. This problem is resolved in the latest version of the discourse-calendar plugin. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.π Read
via "National Vulnerability Database".
π΄ 5 Ways Hospitals Can Help Improve Their IoT Security π΄
π Read
via "Dark Reading".
HIPAA compliance does not equal security, as continuing attacks on healthcare organizations show. Medical devices need to be secured.π Read
via "Dark Reading".
Dark Reading
5 Ways Hospitals Can Help Improve Their IoT Security
HIPAA compliance does not equal security, as continuing attacks on healthcare organizations show. Medical devices need to be secured.
βΌ CVE-2012-10016 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as problematic has been found in Halulu simple-download-button-shortcode Plugin 1.0 on WordPress. Affected is an unknown function of the file simple-download-button_dl.php of the component Download Handler. The manipulation of the argument file leads to information disclosure. It is possible to launch the attack remotely. Upgrading to version 1.1 is able to address this issue. The patch is identified as e648a8706818297cf02a665ae0bae1c069dea5f1. It is recommended to upgrade the affected component. VDB-242190 is the identifier assigned to this vulnerability.π Read
via "National Vulnerability Database".