K000136957 : Apache Struts vulnerability CVE-2023-41835
Security Advisory Description This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available. Learn more about the ...
Debian Security Advisory 5503-1
Debian Linux Security Advisory 5503-1 - Multiple security issues were discovered in Netatalk, an implementation of the Apple Filing Protocol (AFP) for offering file service (mainly) to macOS clients, which may result in the execution of arbitrary code or...
ApexSMS – 23,246,481 breached accounts
In May 2019, news broke of a massive SMS spam operation known as "ApexSMS" which was discovered after a MongoDB instance of the same name was found exposed without a password. The incident leaked over 80M records with 23M...
[R1] Nessus Version 10.5.5 Fixes Multiple Vulnerabilities
Arnie Cabral
Thu, 09/21/2023 - 10:55
A pass-back vulnerability exists where an authenticated, remote attacker with administrator privileges could uncover stored SMTP credentials...
Rockwell Automation Connected Components Workbench
1. EXECUTIVE SUMMARY
CVSS v3 9.6
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
Vendor: Rockwell Automation
Equipment: Connected Components Workbench
Vulnerabilities: Use After Free, Out-of-bounds Write
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to exploit heap corruption...
Siemens Spectrum Power 7
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services...
Rockwell Automation Select Logix Communication Modules
1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK, 1756-EN3TR, 1756-EN3TRK
Vulnerability: Stack-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to...
Real Time Automation 460 Series
1. EXECUTIVE SUMMARY
CVSS v3 9.4
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Real Time Automation
Equipment: 460MCBS
Vulnerability: Cross-site Scripting
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to run malicious JavaScript content, resulting in cross site scripting...
Rockwell Automation FactoryTalk View Machine Edition
1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk View Machine Edition
Vulnerability: Improper Input Validation
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute code remotely with specially crafted malicious packets or...
Delta Electronics DIAScreen
1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: DIAScreen
Vulnerability: Out-of-bounds Write
2. RISK EVALUATION
Successful exploitation of this vulnerability may allow remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Delta Electronics reports the following versions of DIAScreen, a software configuration...
K000136924 : Node.JS vulnerabilities CVE-2018-7158, CVE-2018-7164, and CVE-2018-7166
Security Advisory Description CVE-2018-7158 The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was ...
Drupal core – Critical – Cache poisoning – SA-CORE-2023-006
Project: Drupal core
Date: 2023-September-20
Security risk: Critical 16∕25 AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:Default
Vulnerability: Cache poisoning
Affected versions: >=8.7.0 =10.0 = 10.1 <10.1.4
Description: In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to...
dBforums – 363,468 breached accounts
In July 2016, a data breach of the now defunct database forum "dBforums" appeared for sale alongside several others hacked from the parent company, Penton. The breach of the vBulletin based forum contained 363k unique email addresses alongside usernames,...
K000136903 : OpenSSL Diffie-Hellman vulnerability CVE-2023-3446
Security Advisory Description Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_ ...
Omron Engineering Software
1. EXECUTIVE SUMMARY
CVSS v3 5.5
ATTENTION: Low attack complexity
Vendor: Omron
Equipment: Sysmac Studio
Vulnerability: Improper Authorization
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Omron engineering software are...
Omron Engineering Software Zip-Slip
1. EXECUTIVE SUMMARY
CVSS v3 5.5
ATTENTION: Low attack complexity
Vendor: Omron
Equipment: Sysmac Studio, NX-IO Configurator
Vulnerability: Path Traversal
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to overwrite files on a system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of...
Omron CJ/CS/CP Series
1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Omron
Equipment: Sysmac CJ/CS/CP Series
Vulnerability: Improper Control of Interaction Frequency
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information in memory.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The...
Siemens SIMATIC PCS neo Administration Console
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services...
K41043270 : Intel processor vulnerabilities CVE-2021-0086 and CVE-2021-0089
Security Advisory Description CVE-2021-0086 Observable response discrepancy in floating-point operations for some Intel(R) Processors may allow an authorized user to potentially enable information ...
FBI Director Christopher Wray Speaks at 2023 mWISE Cybersecurity Conference
FBI Director Christopher Wray reaffirmed the FBI’s stance on countering artificial intelligence (AI) and cyberspace threats and posed a call to action to strengthen private sector and government partnerships in fighting both domestic and foreign adversaries.