βΌ CVE-2023-46288 βΌ
π Read
via "National Vulnerability Database".
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0.Sensitive configuration information has been exposed to authenticated users with the ability to read configuration via Airflow REST API for configuration even when the expose_configΓ option is set to non-sensitive-only. The expose_config option is False by default. It is recommended to upgrade to a version that is not affected if you set expose_configΓ to non-sensitive-onlyΓ configuration. This is a different error than CVE-2023-45348Γ which allows authenticated user to retrieve individual configuration values in 2.7.* by specially crafting their request (solved in 2.7.2).Users are recommended to upgrade to version 2.7.2, which fixes the issue and additionally fixesΓ CVE-2023-45348.π Read
via "National Vulnerability Database".
βΌ CVE-2023-38722 βΌ
π Read
via "National Vulnerability Database".
IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 262174.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43045 βΌ
π Read
via "National Vulnerability Database".
IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 could allow a remote user to perform unauthorized actions due to improper authentication. IBM X-Force ID: 266896.π Read
via "National Vulnerability Database".
π΄ Valve's 2FA Mandate for Game Developers Shows SMS Stickiness π΄
π Read
via "Dark Reading".
Despite warnings that sending one-time passwords via text messages is a flawed security measure, companies continue to roll out the approach, especially in consumer-facing applications.π Read
via "Dark Reading".
Dark Reading
Valve's 2FA Mandate for Game Developers Shows SMS Stickiness
Despite warnings that sending one-time passwords via text messages is a flawed security measure, companies continue to roll out the approach, especially in consumer-facing applications.
π΄ Cyberattackers Alter Implant on 30K Compromised Cisco IOS XE Devices π΄
π Read
via "Dark Reading".
A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend β but it turns out the malicious implants were just hiding.π Read
via "Dark Reading".
Dark Reading
Cyberattackers Alter Implant on 30K Compromised Cisco IOS XE Devices
A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend β but it turns out the malicious implants were just hiding.
βΌ CVE-2023-27152 βΌ
π Read
via "National Vulnerability Database".
DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass authentication.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27149 βΌ
π Read
via "National Vulnerability Database".
A stored cross-site scripting (XSS) vulnerability in Enhancesoft osTicket v1.17.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Label input parameter when updating a custom list.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22466 βΌ
π Read
via "National Vulnerability Database".
IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 225222.π Read
via "National Vulnerability Database".
βΌ CVE-2023-37636 βΌ
π Read
via "National Vulnerability Database".
A stored cross-site scripting (XSS) vulnerability in UVDesk Community Skeleton v1.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Message field when creating a ticket.π Read
via "National Vulnerability Database".
βΌ CVE-2023-33839 βΌ
π Read
via "National Vulnerability Database".
IBM Security Verify Governance 10.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 256036.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46602 βΌ
π Read
via "National Vulnerability Database".
In International Color Consortium DemoIccMAX 79ecb74, there is a stack-based buffer overflow in the icFixXml function in IccXML/IccLibXML/IccUtilXml.cpp in libIccXML.a.π Read
via "National Vulnerability Database".
βΌ CVE-2023-33840 βΌ
π Read
via "National Vulnerability Database".
IBM Security Verify Governance 10.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 256037.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46603 βΌ
π Read
via "National Vulnerability Database".
In International Color Consortium DemoIccMAX 79ecb74, there is an out-of-bounds read in the CIccPRMG::GetChroma function in IccProfLib/IccPrmg.cpp in libSampleICC.a.π Read
via "National Vulnerability Database".
βΌ CVE-2023-37635 βΌ
π Read
via "National Vulnerability Database".
UVDesk Community Skeleton v1.1.1 allows unauthenticated attackers to perform brute force attacks on the login page to gain access to the application.π Read
via "National Vulnerability Database".
βΌ CVE-2023-33837 βΌ
π Read
via "National Vulnerability Database".
IBM Security Verify Governance 10.0 does not encrypt sensitive or critical information before storage or transmission. IBM X-Force ID: 256020.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45966 βΌ
π Read
via "National Vulnerability Database".
umputun remark42 version 1.12.1 and before has a Blind Server-Side Request Forgery (SSRF) vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27148 βΌ
π Read
via "National Vulnerability Database".
A stored cross-site scripting (XSS) vulnerability in the Admin panel in Enhancesoft osTicket v1.17.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Role Name parameter.π Read
via "National Vulnerability Database".
π₯2
βΌ CVE-2023-46058 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in Geeklog-Core geeklog v.2.2.2 allows a remote attacker to execute arbitrary code via a crafted payload to the grp_desc parameter of the admin/group.php component.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46059 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in Geeklog-Core geeklog v.2.2.2 allows a remote attacker to execute arbitrary code via a crafted payload to the Service, and website URL to Ping parameters of the admin/trackback.php component.π Read
via "National Vulnerability Database".
π¦Ώ Generative AI Can Write Phishing Emails, But Humans Are Better At It, IBM X-Force Finds π¦Ώ
π Read
via "Tech Republic".
Hacker Stephanie "Snow" Carruthers and her team found phishing emails written by security researchers saw a 3% better click rate than phishing emails written by ChatGPT.π Read
via "Tech Republic".
TechRepublic
Generative AI Can Write Phishing Emails, But Humans are Better at It, IBM X-Force Finds
Hacker Stephanie "Snow" Carruthers and her team found phishing emails written by security researchers saw a 3% better click rate than phishing emails written by ChatGPT.
π΄ 'Log in with...' Feature Allows Full Online Account Takeover for Millions π΄
π Read
via "Dark Reading".
Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires -- and other online services likely have the same problems.π Read
via "Dark Reading".
Dark Reading
'Log in with...' Feature Allows Full Online Account Takeover for Millions
Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires β and other online services likely have the same problems.