βΌ CVE-2023-5831 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5.0 before 16.5.1 which have the `super_sidebar_logged_out` feature flag enabled. Affected versions with this default-disabled feature flag enabled may unintentionally disclose GitLab version metadata to unauthorized actors.π Read
via "National Vulnerability Database".
βΌ CVE-2023-47185 βΌ
π Read
via "National Vulnerability Database".
Unauth. Stored Cross-Site Scripting (XSS) vulnerability in gVectors Team Comments Γ’β¬β wpDiscuz plugin <=Γ 7.6.11 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46779 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in EasyRecipe plugin <=Γ 3.5.3251 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46781 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Roland Murg Current Menu Item for Custom Post Types plugin <=Γ 1.5 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-4996 βΌ
π Read
via "National Vulnerability Database".
Netskope was made aware of a security vulnerability in its NSClient product for version 100 & prior where a malicious non-admin user can disable the Netskope client by using a specially-crafted package. The root cause of the problem was a user control code when called by a Windows ServiceController did not validate the permissions associated with the user before executing the user control code. This user control code had permissions to terminate the NSClient service.Γ π Read
via "National Vulnerability Database".
βΌ CVE-2023-5090 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in KVM. An improper check in svm_set_x2apic_msr_interception() may allow direct access to host x2apic msrs when the guest resets its apic, potentially leading to a denial of service condition.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46775 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Djo Original texts Yandex WebMaster plugin <=Γ 1.18 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5823 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in ThemeKraft TK Google Fonts GDPR Compliant plugin <=Γ 2.2.11 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46778 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in TheFreeWindows Auto Limit Posts Reloaded plugin <=Γ 2.5 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-46776 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Serena Villa Auto Excerpt everywhere plugin <=Γ 1.5 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5825 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.2 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A low-privileged attacker can point a CI/CD Component to an incorrect path and cause the server to exhaust all available memory through an infinite loop and cause Denial of Service.π Read
via "National Vulnerability Database".
βΌ CVE-2023-47186 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Kadence WP Kadence WooCommerce Email Designer plugin <=Γ 1.5.11 versions.π Read
via "National Vulnerability Database".
βοΈ Whoβs Behind the SWAT USA Reshipping Service? βοΈ
π Read
via "Krebs on Security".
Last week, KrebsOnSecurity broke the news that one of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. In today's Part II, we'll examine clues about the real-life identity left behind by "Fearless," the nickname chosen by the proprietor of the SWAT USA Drops service.π Read
via "Krebs on Security".
Krebs on Security
Whoβs Behind the SWAT USA Reshipping Service?
Last week, KrebsOnSecurity broke the news that one of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. In today's Part II, we'll examine clues aboutβ¦
π΄ Meet Your New Cybersecurity Auditor: Your Insurer π΄
π Read
via "Dark Reading".
As cyber insurance gets more expensive and competitive, security decision-makers have actionable opportunities to strengthen their cyber defenses.π Read
via "Dark Reading".
Dark Reading
Meet Your New Cybersecurity Auditor: Your Insurer
As cyber insurance gets more expensive and competitive, security decision-makers have actionable opportunities to strengthen their cyber defenses.
βΌ CVE-2023-3246 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab EE/CE affecting all versions starting before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1 which allows an attackers to block Sidekiq job processor.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5963 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab EE with Advanced Search affecting all versions from 13.9 to 16.3.6, 16.4 prior to 16.4.2 and 16.5 prior to 16.5.1 that could allow a denial of service in the Advanced Search function by chaining too many syntax operators.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3399 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab EE affecting all versions starting from 11.6 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. It was possible for an unauthorised project or group member to read the CI/CD variables using the custom project templates.π Read
via "National Vulnerability Database".
βΌ CVE-2023-4910 βΌ
π Read
via "National Vulnerability Database".
A flaw was found In 3Scale Admin Portal. If a user logs out from the personal tokens page and then presses the back button in the browser, the tokens page is rendered from the browser cache.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45163 βΌ
π Read
via "National Vulnerability Database".
The 1E-Exchange-CommandLinePing instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the input parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions.To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-CommandLinePing instruction to v18.1 by uploading it through the 1E Platform instruction upload UIπ Read
via "National Vulnerability Database".
βΌ CVE-2023-5964 βΌ
π Read
via "National Vulnerability Database".
The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions.To remediate this issue DELETE the instructionΓ Γ’β¬ΕShow dialogue with caption %Caption% and message %Message%Γ’β¬οΏ½ from the list of instructions in the Settings UI, and replace it with the new instructionΓ 1E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack. The new instruction should show asΓ Γ’β¬ΕShow %Type% type notification with header %Header% and message %Message%Γ’β¬οΏ½ with a version of 7.1 or above.π Read
via "National Vulnerability Database".
βΌ CVE-2023-45161 βΌ
π Read
via "National Vulnerability Database".
The 1E-Exchange-URLResponseTime instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the URL parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions.To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-URLResponseTime instruction to v20.1 by uploading it through the 1E Platform instruction upload UIπ Read
via "National Vulnerability Database".