Matthieu Barjole and Victor Cutillas discovered that Sudo incorrectly
handled user-specified editors when using the sudoedit command. A local
attacker that has permission to use the sudoedit command could possibly use
this issue to edit arbitrary files. (CVE-2023-22809)
It was discovered that the Protobuf-c library, used by Sudo, incorrectly
handled certain arithmetic shifts. An attacker could possibly use this
issue to cause Sudo to crash, resulting in a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-33070)
The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.
The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.
If you are using Drupal 10.0, update to Drupal 10.0.2.
If you are using Drupal 9.5, update to Drupal 9.5.2.
If you are using Drupal 9.4, update to Drupal 9.4.10.
A vulnerability classified as critical has been found in ale7714 sigeprosi. This affects an unknown part. The manipulation leads to sql injection. The name of the patch is 5291886f6c992316407c376145d331169c55f25b. It is recommended to apply a patch to fix this issue. The identifier VDB-218493 was assigned to this vulnerability.
A vulnerability was found in iamdroppy phoenixcf. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file content/2-Community/articles.cfm. The manipulation leads to sql injection. The name of the patch is d156faf8bc36cd49c3b10d3697ef14167ad451d8. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218491.
Graham Cluley Security News is sponsored this week by the folks at SecurEnvoy. Thanks to the great team there for their support! We are often approached by organisations that depend on on-premise applications and data storage, who are looking for a multi-factor authentication solution, but are unable to move to a cloud-based solution for authentication. … Continue reading “Does your MFA solution secure access to your on-premise apps as well as those in the cloud?”
Threat protection company Perception Point has launched Advanced Threat Protection for Zendesk to provide detection and remediation services for Zendesk customers. Perception Point said that customers can now protect customer service software Zendesk a single, consolidated platform alongside their email, web browsers and other cloud collaboration apps. Advanced Threat Protection for Zendesk has been built to help secure vulnerable help desks and customer support teams from external threats such as malicious content within tickets, the firm stated.
Help desk, customer service teams key attack targets
In organizations, help desk and customer support staff often have access to workstations, mobile devices, routers, and servers, as well as the complete digital workplace system and the data associated with it. They also typically communicate regularly with people outside of the organization. These factors make them attractive attack targets and particularly vulnerable to external threats originating from malicious content. Content uploaded externally can potentially be used as a vehicle for cyberattacks, allowing malicious payloads to enter an organization’s system, Perception Point noted in its announcement.
