βΌ CVE-2023-45996 βΌ
π Read
via "National Vulnerability Database".
SQL injection vulnerability in Senayan Library Management Systems Slims v.9 and Bulian v.9.6.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted script to the reborrowLimit parameter in the member_type.php.π Read
via "National Vulnerability Database".
βοΈ .US Harbors Prolific Malicious Link Shortening Service βοΈ
π Read
via "Krebs on Security".
The top-level domain for the United States -- .US -- is home to thousands of newly-registered domains tied to a malicious link shortening service that facilitates malware and phishing scams, new research suggests. The findings come close on the heels of a report that identified .US domains as among the most prevalent in phishing attacks over the past year.π Read
via "Krebs on Security".
Krebs on Security
.US Harbors Prolific Malicious Link Shortening Service
The top-level domain for the United States -- .US -- is home to thousands of newly-registered domains tied to a malicious link shortening service that facilitates malware and phishing scams, new research suggests. The findings come close on the heelsβ¦
βΌ CVE-2023-5099 βΌ
π Read
via "National Vulnerability Database".
The HTML filter and csv-file search plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.7 via the 'src' attribute of the 'csvsearch' shortcode. This allows authenticated attackers, with contributor-level permissions and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other Γ’β¬ΕsafeΓ’β¬οΏ½ file types can be uploaded and included.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5114 βΌ
π Read
via "National Vulnerability Database".
The idbbee plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'idbbee' shortcode in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.π Read
via "National Vulnerability Database".
βΌ CVE-2023-38994 βΌ
π Read
via "National Vulnerability Database".
An issue in Univention UCS v.5.0 allows a local attacker to execute arbitrary code and gain privileges via the check_univention_joinstatus function.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5073 βΌ
π Read
via "National Vulnerability Database".
The iframe forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'iframe' shortcode in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5116 βΌ
π Read
via "National Vulnerability Database".
The Live updates from Excel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ipushpull_page' shortcode in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.π Read
via "National Vulnerability Database".
βΌ CVE-2016-1203 βΌ
π Read
via "National Vulnerability Database".
Improper file verification vulnerability in SaAT Netizen installer ver.1.2.0.424 and earlier, and SaAT Netizen ver.1.2.0.8 (Build427) and earlier allows a remote unauthenticated attacker to conduct a man-in-the-middle attack. A successful exploitation may result in a malicious file being downloaded and executed.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3007 βΌ
π Read
via "National Vulnerability Database".
** UNSUPPPORTED WHEN ASSIGNED ** The vulnerability exists in Syska SW100 Smartwatch due to an improper implementation and/or configuration of Nordic Device Firmware Update (DFU) which is used for performing Over-The-Air (OTA) firmware updates on the Bluetooth Low Energy (BLE) devices. An unauthenticated attacker could exploit this vulnerability by setting arbitrary values to handle on the vulnerable device over Bluetooth.Successful exploitation of this vulnerability could allow the attacker to perform firmware update, device reboot or data manipulation on the target device.π Read
via "National Vulnerability Database".
π΄ 'Elektra-Leak' Attackers Harvest AWS Cloud Keys in GitHub Campaign π΄
π Read
via "Dark Reading".
Cyber adversaries are scanning public GitHub repositories in real-time, evading Amazon quarantine controls, and harvesting AWS keys.π Read
via "Dark Reading".
Dark Reading
'Elektra-Leak' Attackers Harvest AWS Cloud Keys in GitHub Campaign
Cyber adversaries are scanning public GitHub repositories in real-time, evading Amazon quarantine controls, and harvesting AWS keys.
βΌ CVE-2023-5458 βΌ
π Read
via "National Vulnerability Database".
The CITS Support svg, webp Media and TTF,OTF File Upload WordPress plugin before 3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.π Read
via "National Vulnerability Database".
βΌ CVE-2023-4610 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** The SRCU code was added in upstream kernel v6.4-rc1 and removed before v6.4. This bug only existed in development kernels. Please see https://lore.kernel.org/all/ZTKVfoQZplpB8rki@casper.infradead.org and https://bugzilla.suse.com/show_bug.cgi?id=1215932 for more information.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46979 βΌ
π Read
via "National Vulnerability Database".
TOTOLINK X6000R V9.4.0cu.852_B20230719 was discovered to contain a command injection vulnerability via the enable parameter in the setLedCfg function.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5360 βΌ
π Read
via "National Vulnerability Database".
The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25045 βΌ
π Read
via "National Vulnerability Database".
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David F. Carr RSVPMaker allows SQL Injection.This issue affects RSVPMaker: from n/a through 9.9.3.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22518 βΌ
π Read
via "National Vulnerability Database".
All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. There is no impact to confidentiality as an attacker cannot exfiltrate any instance data.Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5211 βΌ
π Read
via "National Vulnerability Database".
The Fattura24 WordPress plugin before 6.2.8 does not sanitize or escape the 'id' parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-42658 βΌ
π Read
via "National Vulnerability Database".
Archive, check and export commands in Chef InSpecprior to 4.56.58 and 5.22.29 allow local command execution via maliciouslycrafted profile.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25047 βΌ
π Read
via "National Vulnerability Database".
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David F. Carr RSVPMaker rsvpmaker allows SQL Injection.This issue affects RSVPMaker: from n/a through 9.9.3.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5307 βΌ
π Read
via "National Vulnerability Database".
The Photos and Files Contest Gallery WordPress plugin before 21.2.8.1 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks via certain headers.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46237 βΌ
π Read
via "National Vulnerability Database".
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to version 1.5.10, an endpoint intended to offer limited enumeration abilities to authenticated users was accessible to unauthenticated users. This enabled unauthenticated users to discover files and their respective paths that were visible to the Apache user group. Version 1.5.10 contains a patch for this issue.π Read
via "National Vulnerability Database".