🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-46667 ‼

An issue was discovered in Fleet Server >= v8.10.0 and < v8.10.3 where Agent enrolment tokens are being inserted into the Fleet Serverâ€™s log file in plain text. These enrolment tokens could allow someone to enrol an agent into an agent policy, and potentially use that to retrieve other secrets in the policy including for Elasticsearch and third-party services. Alternatively a threat actor could potentially enrol agents to the clusters and send arbitrary events to Elasticsearch.

📖 Read

via "National Vulnerability Database".

240 views05:44

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-46668 ‼

If Elastic Endpoint (v7.9.0 - v8.10.3) is configured to use a non-default option in which the logging level is explicitly set to debug, and when Elastic Agent is simultaneously configured to collect and send those logs to Elasticsearch, then Elastic Agent API keys can be viewed in Elasticsearch in plaintext. These API keys could be used to write arbitrary data and read Elastic Endpoint user artifacts.

📖 Read

via "National Vulnerability Database".

269 views05:44

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-31422 ‼

An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. The issue impacts only Kibana version 8.10.0 when logging in the JSON layout or when the pattern layout is configured to log the %meta pattern. Elastic has released Kibana 8.10.1 which resolves this issue. The error object recorded in the log contains request information, which can include sensitive data, such as authentication credentials, cookies, authorization headers, query params, request paths, and other metadata. Some examples of sensitive data which can be included in the logs are account credentials for kibana_system, kibana-metricbeat, or Kibana end-users.

📖 Read

via "National Vulnerability Database".

359 views05:44

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-43905 ‼

Incorrect access control in writercms v1.1.0 allows attackers to directly obtain backend account passwords via unspecified vectors.

📖 Read

via "National Vulnerability Database".

413 views05:44

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-5139 ‼

Potential buffer overflow vulnerability at the following location in the Zephyr STM32 Crypto driver

📖 Read

via "National Vulnerability Database".

409 views10:29

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-46754 ‼

The admin panel for Obl.ong before 1.1.2 allows authorization bypass because the email OTP feature accepts arbitrary numerical values.

📖 Read

via "National Vulnerability Database".

436 views10:29

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-46752 ‼

An issue was discovered in FRRouting FRR through 9.0.1. It mishandles malformed MP_REACH_NLRI data, leading to a crash.

📖 Read

via "National Vulnerability Database".

458 views10:29

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-5798 ‼

The Assistant WordPress plugin before 1.4.4 does not validate a parameter before making a request to it via wp_remote_get(), which could allow users with a role as low as Editor to perform SSRF attacks

📖 Read

via "National Vulnerability Database".

418 views12:15

🛡 Cybersecurity & Privacy 🛡 - News

🕴 Complex Spy Platform StripedFly Bites 1M Victims 🕴

Sophisticated Windows and Linux malware for stealing data and conducting cyber espionage has flown under the radar, disguised as a cryptominer.

📖 Read

via "Dark Reading".

Dark Reading

Complex Spy Platform StripedFly Bites 1M Victims

Sophisticated Windows and Linux malware for stealing data and conducting cyber espionage has flown under the radar, disguised as a cryptominer.

371 views13:30

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-30492 ‼

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Vark Minimum Purchase for WooCommerce plugin <=Â 2.0.0.1 versions.

📖 Read

via "National Vulnerability Database".

❤1

289 views14:15

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-46094 ‼

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Conversios Track Google Analytics 4, Facebook Pixel & Conversions API via Google Tag Manager for WooCommerce plugin <=Â 6.5.3 versions.

📖 Read

via "National Vulnerability Database".

279 views14:15

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-5802 ‼

Cross-Site Request Forgery (CSRF) vulnerability in Mihai Iova WordPress Knowledge base & Documentation Plugin â€“ WP Knowledgebase plugin <=Â 1.3.4 versions.

📖 Read

via "National Vulnerability Database".

284 views14:15

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-46081 ‼

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Lavacode Lava Directory Manager plugin <=Â 1.1.34 versions.

📖 Read

via "National Vulnerability Database".

238 views14:15

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-46076 ‼

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RedNao WooCommerce PDF Invoice Builder, Create invoices, packing slips and more plugin <=Â 1.2.102 versions.

📖 Read

via "National Vulnerability Database".

220 views14:15

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-46075 ‼

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in wpdevart Contact Form Builder, Contact Widget plugin <=Â 2.1.6 versions.

📖 Read

via "National Vulnerability Database".

211 views14:15

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-46074 ‼

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Borbis Media FreshMail For WordPress plugin <=Â 2.3.2 versions.

📖 Read

via "National Vulnerability Database".

207 views14:16

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-46072 ‼

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Michael Simpson Add Shortcodes Actions And Filters plugin <=Â 2.0.9 versions.

📖 Read

via "National Vulnerability Database".

197 views14:16

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-46088 ‼

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mammothology WP Full Stripe Free plugin <=Â 1.6.1 versions.

📖 Read

via "National Vulnerability Database".

168 views14:16

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-32116 ‼

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in TotalPress.Org Custom post types, Custom Fields & more plugin <=Â 4.0.12 versions.

📖 Read

via "National Vulnerability Database".

173 views14:16

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2020-17477 ‼

Incorrect LDAP ACLs in ucs-school-ldap-acls-master in UCS@school before 4.4v5-errata allow remote teachers, staff, and school administrators to read LDAP password hashes (sambaNTPassword, krb5Key, sambaPasswordHistory, and pwhistory) via LDAP search requests. For example, a teacher can gain administrator access via an NTLM hash.

📖 Read

via "National Vulnerability Database".

183 views14:16

🛡 Cybersecurity & Privacy 🛡 - News

‼ CVE-2023-5781 ‼

A vulnerability, which was classified as critical, has been found in Tongda OA 2017 11.10. This issue affects the function DELETE_STR of the file general/system/res_manage/monitor/delete_webmail.php. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-243587. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

📖 Read

via "National Vulnerability Database".

217 views14:16

About

Blog

Apps

Platform