βΌ CVE-2023-5631 βΌ
π Read
via "National Vulnerability Database".
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attackerto load arbitrary JavaScript code.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45602 βΌ
π Read
via "National Vulnerability Database".
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Shopfiles Ltd Ebook Store plugin <=Γ 5.785 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45632 βΌ
π Read
via "National Vulnerability Database".
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WebDorado SpiderVPlayer plugin <=Γ 1.5.22 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45628 βΌ
π Read
via "National Vulnerability Database".
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in QROkes QR Twitter Widget plugin <=Γ 0.2.3 versions.π Read
via "National Vulnerability Database".
π΄ North Korea's Kimsuky Doubles Down on Remote Desktop Control π΄
π Read
via "Dark Reading".
The sophisticated APT employs various tactics to abuse Windows and other built-in protocols with both custom and public malware to take over victim systems.π Read
via "Dark Reading".
Dark Reading
North Korea's Kimsuky Doubles Down on Remote Desktop Control
The sophisticated APT employs various tactics to abuse Windows and other built-in protocols with both custom and public malware to take over victim systems.
π¦Ώ ExpressVPN Review (2023): Pricing, Features, Pros, & Cons π¦Ώ
π Read
via "Tech Republic".
Editor has the option to alter SEO's meta description or write their own DEK to draw readers into the article most effectively. Alternatively, editor can assign DEK writing to the assigned writer. Consider the top picks or major editorial call-outs for inclusion.π Read
via "Tech Republic".
TechRepublic
ExpressVPN Review: Pricing, Features, Pros, & Cons
How much does ExpressVPN cost, and is it trustworthy? Read our ExpressVPN review to learn about pricing, security, performance, and more.
π΄ D-Link Confirms Breach, Rebuts Hacker's Claims About Scope π΄
π Read
via "Dark Reading".
The router specialist says the attacker's claims to have heisted millions and millions of records are significantly overblown. But an incident did happen, stemming from a successful phish.π Read
via "Dark Reading".
Dark Reading
D-Link Confirms Breach, Rebuts Hacker's Claims About Scope
The router specialist says the attacker's claims to have heisted millions and millions of records are significantly overblown. But an incident did happen, stemming from a successful phish.
π΄ What CISOs Should Exclude From SEC Cybersecurity Filings π΄
π Read
via "Dark Reading".
Should CISOs include only known information in the SEC filings for a material security incident, or is there room to include details that may change during the investigation?π Read
via "Dark Reading".
Dark Reading
What CISOs Should Exclude From SEC Cybersecurity Filings
Should CISOs include only known information in the SEC filings for a material security incident, or is there room to include details that may change during the investigation?
βΌ CVE-2023-35656 βΌ
π Read
via "National Vulnerability Database".
In multiple functions of protocolembmsadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45813 βΌ
π Read
via "National Vulnerability Database".
Torbot is an open source tor network intelligence tool. In affected versions the `torbot.modules.validators.validate_link function` uses the python-validators URL validation regex. This particular regular expression has an exponential complexity which allows an attacker to cause an application crash using a well-crafted argument. An attacker can use a well-crafted URL argument to exploit the vulnerability in the regular expression and cause a Denial of Service on the system. The validators file has been removed in version 4.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-4601 βΌ
π Read
via "National Vulnerability Database".
A stack-based buffer overflow vulnerability exists in NI System Configuration that could result in information disclosure and/or arbitrary code execution. Successful exploitation requires that an attacker can provide a specially crafted response. This affects NI System Configuration 2023 Q3 and all previous versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43803 βΌ
π Read
via "National Vulnerability Database".
Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-35663 βΌ
π Read
via "National Vulnerability Database".
In Init of protocolnetadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43802 βΌ
π Read
via "National Vulnerability Database".
Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/upload` which handles request with the `filename` parameter. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate their privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45145 βΌ
π Read
via "National Vulnerability Database".
Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a restrictive umask, or storing the Unix socket file in a protected directory.π Read
via "National Vulnerability Database".
βΌ CVE-2023-34441 βΌ
π Read
via "National Vulnerability Database".
Baker Hughes Γ’β¬β Bently Nevada 3500 System TDI Firmware version 5.05 containsΓ a cleartext transmission vulnerability which could allow an attacker to steal the authentication secret from communication traffic to the device and reuse it for arbitrary requests.π Read
via "National Vulnerability Database".
βΌ CVE-2023-37503 βΌ
π Read
via "National Vulnerability Database".
HCL Compass is vulnerable to insecure password requirements. An attacker could easily guess the password and gain access to user accounts.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5336 βΌ
π Read
via "National Vulnerability Database".
The iPanorama 360 Γ’β¬β WordPress Virtual Tour Builder plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 1.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.π Read
via "National Vulnerability Database".
βΌ CVE-2023-4645 βΌ
π Read
via "National Vulnerability Database".
The Ad Inserter for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.30 via the ai_ajax function. This can allow unauthenticated attackers to extract sensitive data such as post titles and slugs (including those of protected posts along with their passwords), usernames, available roles, the plugin license key provided the remote debugging option is enabled. In the default state it is disabled.π Read
via "National Vulnerability Database".
βΌ CVE-2023-37504 βΌ
π Read
via "National Vulnerability Database".
HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called. Γ If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user.π Read
via "National Vulnerability Database".
βΌ CVE-2023-36857 βΌ
π Read
via "National Vulnerability Database".
Baker Hughes Γ’β¬β Bently Nevada 3500 System TDI Firmware version 5.05 containsΓ a replay vulnerability which could allow an attacker to replay older captured packets of traffic to the device to gain access.π Read
via "National Vulnerability Database".