🛡 Cybersecurity & Privacy 🛡 - News
25K subscribers
88.4K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2023-45665 ‼

** REJECT ** This CVE is a duplicate of another CVE.

📖 Read

via "National Vulnerability Database".
🕴 Europol Strike Wounds Ragnar Locker Ransomware Group 🕴

Several countries in Europe as well as the United States and Japan were involved in the operation, which is aimed at defanging one of the bigger names in ransomware.

📖 Read

via "Dark Reading".
‼ CVE-2023-40153 ‼

The affected product is vulnerable to a cross-site scripting vulnerability, which could allow an attacker with access to the web application to introduce arbitrary JavaScript by injecting an XSS payload into the 'hostname' parameter of the vulnerable software.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-41088 ‼

The affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker with access to the network on which clients reach the DexGate server to capture traffic. The attacker can later use the information within it to access the application.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-45381 ‼

In the module "Creative Popup" (creativepopup) up to version 1.6.9 from WebshopWorks for PrestaShop, a guest can perform SQL injection via `cp_download_popup()`.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-42666 ‼

The affected product is vulnerable to an exposure of sensitive information to an unauthorized actor vulnerability, which may allow an attacker to craft malicious requests that disclose version information about the web server in use.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-45809 ‼

Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-38128 ‼

An out-of-bounds write vulnerability exists in the "HyperLinkFrame" stream parser of Ichitaro 2023 1.0.1.59372. A specially crafted document can cause a type confusion, which can lead to memory corruption and eventually arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-43986 ‼

DM Concept configurator before v4.9.4 was discovered to contain a SQL injection vulnerability via the component ConfiguratorAttachment::getAttachmentByToken.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-45992 ‼

Cross Site Scripting vulnerability in Ruckus Wireless (CommScope) Ruckus CloudPath v.5.12.54414 allows a remote attacker to escalate privileges via a crafted script to the macaddress parameter in the onboarding portal.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-42435 ‼

The affected product is vulnerable to a cross-site request forgery vulnerability, which may allow an attacker to perform actions with the permissions of a victim user.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-5059 ‼

Santesoft Sante FFT Imaging lacks proper validation of user-supplied data when parsing DICOM files. This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-45820 ‼

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. A malicious user could leverage this bug to crash Directus. This issue has been addressed in version 10.6.2. Users are advised to upgrade. Users unable to upgrade should avoid using websockets.

📖 Read

via "National Vulnerability Database".
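The Directus item above is a denial-of-service class that is easy to reproduce on any websocket server: a frame the parser never expected throws, nothing catches it, and the process exits. The following Go program is an added illustration of the defensive shape a frame parser should have; it is not Directus code and makes no claim about how Directus parses frames. It validates a client-to-server frame header against RFC 6455 §5.2 (reserved bits, opcode, masking, extended-length encoding, control-frame limits) and maps every malformed input to an error value instead of a panic. The `maxPayload` cap and the hexadecimal frames are assumptions constructed for the example; the "Hello" frame is the masked example from RFC 6455 §5.7.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const maxPayload = 1 << 20 // assumed per-frame cap for this example

var (
	errShort    = errors.New("ws: truncated frame")
	errRSV      = errors.New("ws: RSV bits set without a negotiated extension")
	errOpcode   = errors.New("ws: unknown opcode")
	errControl  = errors.New("ws: fragmented or oversized control frame")
	errUnmasked = errors.New("ws: client frame is not masked")
	errLength   = errors.New("ws: non-minimal or out-of-range payload length")
)

type frameHeader struct {
	Fin        bool
	Opcode     byte
	MaskKey    [4]byte
	PayloadLen uint64
	HeaderLen  int // bytes consumed, including the mask key
}

// parseFrameHeader validates a client-to-server frame header per RFC 6455 §5.2;
// every malformed input maps to an error, and nothing here panics on bad bytes.
func parseFrameHeader(b []byte) (frameHeader, error) {
	var h frameHeader
	if len(b) < 2 {
		return h, errShort
	}
	h.Fin, h.Opcode = b[0]&0x80 != 0, b[0]&0x0F
	if b[0]&0x70 != 0 { // RSV1-3 must be zero unless an extension uses them
		return h, errRSV
	}
	switch h.Opcode {
	case 0x0, 0x1, 0x2, 0x8, 0x9, 0xA: // continuation, text, binary, close, ping, pong
	default:
		return h, errOpcode
	}
	if b[1]&0x80 == 0 { // clients MUST mask; a server fails the connection otherwise
		return h, errUnmasked
	}
	n := 2
	switch l := uint64(b[1] & 0x7F); l {
	case 126: // 16-bit extended length follows
		if len(b) < 4 {
			return h, errShort
		}
		h.PayloadLen, n = uint64(binary.BigEndian.Uint16(b[2:])), 4
	case 127: // 64-bit extended length: MSB must be 0 and encoding minimal
		if len(b) < 10 {
			return h, errShort
		}
		h.PayloadLen, n = binary.BigEndian.Uint64(b[2:]), 10
		if h.PayloadLen>>63 != 0 || h.PayloadLen < 65536 {
			return h, errLength
		}
	default:
		h.PayloadLen = l
	}
	if h.Opcode >= 0x8 && (!h.Fin || h.PayloadLen > 125) { // control frames: FIN set, <= 125 bytes
		return h, errControl
	}
	if len(b) < n+4 {
		return h, errShort
	}
	copy(h.MaskKey[:], b[n:n+4])
	h.HeaderLen = n + 4
	return h, nil
}

// decodeFrame parses and unmasks one complete frame, returning its payload.
func decodeFrame(b []byte) (string, error) {
	h, err := parseFrameHeader(b)
	if err != nil {
		return "", err
	}
	if h.PayloadLen > maxPayload { // also keeps the int conversion below safe
		return "", errLength
	}
	end := h.HeaderLen + int(h.PayloadLen)
	if len(b) < end {
		return "", errShort
	}
	payload := make([]byte, h.PayloadLen)
	for i, c := range b[h.HeaderLen:end] {
		payload[i] = c ^ h.MaskKey[i%4]
	}
	return string(payload), nil
}

func main() {
	// RFC 6455 §5.7 masked "Hello" frame (constructed input for this example).
	fmt.Println(decodeFrame([]byte{0x81, 0x85, 0x37, 0xfa, 0x21, 0x3d, 0x7f, 0x9f, 0x4d, 0x51, 0x58}))
}
```

The point is the contract of `parseFrameHeader`: a caller closes the connection with a 1002 (protocol error) on any returned error, so a hostile peer can cost the server one connection, never the process. The `maxPayload` check before the `uint64` to `int` conversion matters on its own; without it a 64-bit length could wrap into a negative slice bound.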
‼ CVE-2023-45825 ‼

ydb-go-sdk is a pure Go native and database/sql driver for the YDB platform. Since ydb-go-sdk v3.48.6, if you use a custom credentials object (an implementation of the Credentials interface), it may leak into logs. This happens because the object could be serialized into an error message using `fmt.Errorf("something went wrong (credentials: %q)", credentials)` during connection to the YDB server. If such logging occurred, a malicious user with access to the logs could read the sensitive information (i.e. the credentials) and use it to gain access to the database. ydb-go-sdk contains this problem in versions from v3.48.6 to v3.53.2. The fix for this problem has been released in version v3.53.3. Users are advised to upgrade. Users unable to upgrade should implement the `fmt.Stringer` interface in their custom credentials type with an explicit stringification of the object state.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-41089 ‼

The affected product is vulnerable to an improper authentication vulnerability, which may allow an attacker to impersonate a legitimate user as long as the device keeps the session active, since the attack takes advantage of the cookie header to generate "legitimate" requests.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-45826 ‼

Leantime is an open source project management system. A 'userId' variable in `app/domain/files/repositories/class.files.php` is not parameterized. An authenticated attacker can send a carefully crafted POST request to `/api/jsonrpc` to exploit an SQL injection vulnerability. Confidentiality is impacted as it allows for dumping information from the database. This issue has been addressed in version 2.4-beta-4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-35986 ‼

Sante DICOM Viewer Pro lacks proper validation of user-supplied data when parsing DICOM files. This could lead to a stack-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-38127 ‼

An integer overflow exists in the "HyperLinkFrame" stream parser of Ichitaro 2023 1.0.1.59372. A specially crafted document can cause the parser to make an under-sized allocation, which can later allow for memory corruption, potentially resulting in arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

📖 Read

via "National Vulnerability Database".
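The CVE-2023-38127 description above names the classic shape of an integer-overflow-to-heap-corruption bug: an attacker-controlled count is multiplied by an element size in fixed-width arithmetic, the product wraps to something small, the parser allocates that small buffer and then writes the full set of elements into it. The program below is an added example of the check that prevents it, written in Go; it is not Ichitaro's parser, and the record-table layout (a little-endian `uint32` count followed by 16-byte records) is an assumption constructed for the example. The unchecked multiply is kept beside the checked one so the wrap is visible.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
)

// recordSize is the fixed size of one entry in the (assumed) record table.
const recordSize uint32 = 16

var (
	errOverflow  = errors.New("record count * record size overflows 32 bits")
	errTruncated = errors.New("stream shorter than the declared record table")
)

// naiveAllocSize is the bug pattern: a 32-bit multiply that silently wraps,
// so an attacker-chosen count yields a tiny buffer that later copies overrun.
func naiveAllocSize(count uint32) uint32 {
	return count * recordSize
}

// checkedAllocSize does the same multiply with a widening operation and
// refuses any count whose product does not fit in 32 bits.
func checkedAllocSize(count uint32) (uint32, error) {
	hi, lo := bits.Mul32(count, recordSize)
	if hi != 0 {
		return 0, errOverflow
	}
	return lo, nil
}

// parseRecordTable reads a little-endian uint32 record count followed by
// count*recordSize bytes, validating both the size arithmetic and the
// available input before touching any data. The layout is constructed for
// this example and is not Ichitaro's stream format.
func parseRecordTable(stream []byte) ([][]byte, error) {
	if len(stream) < 4 {
		return nil, errTruncated
	}
	count := binary.LittleEndian.Uint32(stream)
	total, err := checkedAllocSize(count)
	if err != nil {
		return nil, err
	}
	body := stream[4:]
	if uint64(len(body)) < uint64(total) {
		return nil, errTruncated
	}
	records := make([][]byte, 0, count) // count is now bounded by len(body)/recordSize
	for off := uint32(0); off < total; off += recordSize {
		records = append(records, body[off:off+recordSize])
	}
	return records, nil
}

func main() {
	hostile := uint32(0x10000001) // constructed: 0x10000001 * 16 wraps to 16
	fmt.Printf("naive size for %#x records: %d bytes\n", hostile, naiveAllocSize(hostile))
	_, err := checkedAllocSize(hostile)
	fmt.Println("checked:", err)
}
```

In C the same check is `if (count > SIZE_MAX / recordSize) fail;` or `__builtin_mul_overflow`; the second guard, that the declared table actually fits in the remaining input, is what stops the parser from reading past the end of the stream even when the multiply is sound.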
‼ CVE-2023-34366 ‼

A use-after-free vulnerability exists in the Figure stream parsing functionality of Ichitaro 2023 1.0.1.59372. A specially crafted document can cause memory corruption, resulting in arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.

📖 Read

via "National Vulnerability Database".
‼ CVE-2023-39431 ‼

Sante DICOM Viewer Pro lacks proper validation of user-supplied data when parsing DICOM files. This could lead to an out-of-bounds write. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

📖 Read

via "National Vulnerability Database".
🕴 North Korean State Actors Attack Critical Bug in TeamCity Server 🕴

Known threat groups Diamond Sleet and Onyx Sleet focus on cyber espionage, data theft, network sabotage, and other malicious actions, Microsoft says.

📖 Read

via "Dark Reading".