βΌ CVE-2023-5695 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in CodeAstro Internet Banking System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file pages_reset_pwd.php. The manipulation of the argument email with the input testing%40example.com'%26%25<ScRiPt%20>alert(9860)</ScRiPt> leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-243133 was assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46089 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Lee Le @ Userback Userback plugin <=Γ 1.0.13 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5696 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in CodeAstro Internet Banking System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file pages_transfer_money.php. The manipulation of the argument account_number with the input 357146928--><ScRiPt%20>alert(9206)</ScRiPt><!-- leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-243134 is the identifier assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46315 βΌ
π Read
via "National Vulnerability Database".
The zanllp sd-webui-infinite-image-browsing (aka Infinite Image Browsing) extension before 977815a for stable-diffusion-webui (aka Stable Diffusion web UI), if Gradio authentication is enabled without secret key configuration, allows remote attackers to read any local file via /file?path= in the URL, as demonstrated by reading /proc/self/environ to discover credentials.π Read
via "National Vulnerability Database".
π΄ FedRAMP Rev. 5: How Cloud Service Providers Can Prepare π΄
π Read
via "Dark Reading".
What cloud service providers need to know to prepare for FedRAMP Baselines Rev. 5, as documented in the new Transition Guide.π Read
via "Dark Reading".
Dark Reading
FedRAMP Rev. 5: How Cloud Service Providers Can Prepare
What cloud service providers need to know to prepare for FedRAMP Baselines Rev. 5, as documented in the new Transition Guide.
π¦Ώ Penetration Testing and Scanning Policy π¦Ώ
π Read
via "Tech Republic".
System or network vulnerabilities and security threats can severely impact business operations or even shutter its doors. However, these incidents can be prevented by proactively detecting potential threat opportunities. The purpose of this policy from TechRepublic Premium is to provide guidelines for appropriate penetration testing and scanning of computer systems and networks. It includes preparation, ...π Read
via "Tech Republic".
TechRepublic
Penetration Testing and Scanning Policy
System or network vulnerabilities and security threats can severely impact business operations or even shutter its doors. However, these incidents can be
βΌ CVE-2023-43624 βΌ
π Read
via "National Vulnerability Database".
CX-Designer Ver.3.740 and earlier (included in CX-One CXONE-AL[][]D-V4) contains an improper restriction of XML external entity reference (XXE) vulnerability. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Designer is installed may be disclosed.π Read
via "National Vulnerability Database".
βΌ CVE-2023-31122 βΌ
π Read
via "National Vulnerability Database".
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43622 βΌ
π Read
via "National Vulnerability Database".
An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern.This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.Users are recommended to upgrade to version 2.4.58, which fixes the issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45802 βΌ
π Read
via "National Vulnerability Database".
When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.This was found by the reporter during testing ofΓ CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.Users are recommended to upgrade to version 2.4.58, which fixes the issue.π Read
via "National Vulnerability Database".
βοΈ NJ Man Hired Online to Firebomb, Shoot at Homes Gets 13 Years in Prison βοΈ
π Read
via "Krebs on Security".
A 22-year-old New Jersey man has been sentenced to more than 13 years in prison for participating in a firebombing and a shooting at homes in Pennsylvania last year. Patrick McGovern-Allen was the subject of a Sept. 4, 2022 story here about the emergence of "violence-as-a-service" offerings, where random people from the Internet hire themselves out to perform a variety of local, physical attacks, including firebombing a home, "bricking" windows, slashing tires, or performing a drive-by shooting at someone's residence.π Read
via "Krebs on Security".
Krebs on Security
NJ Man Hired Online to Firebomb, Shoot at Homes Gets 13 Years in Prison
A 22-year-old New Jersey man has been sentenced to more than 13 years in prison for participating in a firebombing and a shooting at homes in Pennsylvania last year. Patrick McGovern-Allen was the subject of a Sept. 4, 2022 storyβ¦
π΄ Telling Small Businesses to Buy Cyber Insurance Isn't Enough π΄
π Read
via "Dark Reading".
To protect themselves from threats, companies also need proactive cybersecurity.π Read
via "Dark Reading".
Dark Reading
Telling Small Businesses to Buy Cyber Insurance Isn't Enough
To protect themselves from threats, companies also need proactive cybersecurity.
βΌ CVE-2023-5246 βΌ
π Read
via "National Vulnerability Database".
Authentication Bypass by Capture-replay in SICK Flexi Soft Gateways with Partnumbers 1044073, 1127717, 1130282, 1044074, 1121597, 1099832, 1051432, 1127487, 1069070, 1112296, 1044072, 1121596, 1099830 allows an unauthenticated remote attacker to potentially impact the availabilty, integrity and confidentaility of the gateways via an authentication bypass by capture-replay.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43065 βΌ
π Read
via "National Vulnerability Database".
Dell Unity prior to 5.3 contains a Cross-site scripting vulnerability. A low-privileged authenticated attacker can exploit these issues to obtain escalated privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26737 βΌ
π Read
via "National Vulnerability Database".
The Zscaler Client Connector for macOS prior to 3.6 did not sufficiently validate RPC clients. A local adversary without sufficient privileges may be able to shutdown the Zscaler tunnel by exploiting a race condition.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28796 βΌ
π Read
via "National Vulnerability Database".
Improper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector on Linux allows Code Injection. This issue affects Zscaler Client Connector for Linux: before 1.3.1.6.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28804 βΌ
π Read
via "National Vulnerability Database".
An Improper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector on Linux allows replacing binaries.This issue affects Linux Client Connector: before 1.4.0.105π Read
via "National Vulnerability Database".
βΌ CVE-2023-43074 βΌ
π Read
via "National Vulnerability Database".
Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26738 βΌ
π Read
via "National Vulnerability Database".
Zscaler Client Connector for macOS prior to 3.7 had an unquoted search path vulnerability via the PATH variable. A local adversary may be able to execute code with root privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28797 βΌ
π Read
via "National Vulnerability Database".
Zscaler Client Connector for Windows before 4.1 writes/deletes a configuration file inside specific folders on the disk. A malicious user can replace the folder and execute code as a privileged user.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26734 βΌ
π Read
via "National Vulnerability Database".
Zscaler Client Connector Installer on Windows before version 3.4.0.124 improperly handled directory junctions during uninstallation. A local adversary may be able to delete folders in an elevated context.π Read
via "National Vulnerability Database".