It wasn’t a great weekend for video game fans, as players of the Diablo IV multiplayer role-playing game were greeted with an error message when the game tried to connect to the servers of developer Blizzard.
Daily Archives: June 26, 2023
Critical flaw in VMware Aria Operations for Networks sees mass exploitation
Researchers warn that a vulnerability patched this month in VMware Aria Operations for Networks, formerly known as vRealize Network Insight, is now seeing exploitation en masse. The flaw allows for remote code execution through command injection and is rated with critical severity.
“New data from Akamai shows the scale of active scanning for sites vulnerable to CVE-2023-20887 is much greater than originally reported,” researchers from Akamai told CSO via email. “There have been 695,072 total attacks thus far by 508 unique IP addresses. Akamai has also observed more than 27,000 of its customers’ sites being scanned.”
Not the only VMware Aria Operations flaw
VMware released patches for the CVE-2023-20887 vulnerability on June 7, along with fixes for two other flaws in Aria Operations for Networks, one of which is also critical and can lead to remote code execution. While CVE-2023-20887 is a command injection flaw, the second vulnerability, tracked as CVE-2023-20888, is a deserialization issue. In programming languages, serialization is the process of transforming data into a byte stream for transmission to another application and deserialization is the reverse of that process. Because deserialization routines involve the parsing and interpretation of user-controlled data, they have been the source of many vulnerabilities.
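As an added example (not code from the advisory, from VMware or from Akamai), the following Python snippet illustrates the point above about deserializing user-controlled data: a hardened unpickler that refuses any byte stream naming a class or function outside an explicit allow-list, shown beside the stock loader, which resolves whatever the stream names. The sample streams are constructed inline to stand in for data received from a client.

```python
import io
import os
import pickle
from collections import OrderedDict

# Allow-list of (module, name) pairs the unpickler may resolve. Everything else,
# including references to functions or classes that would run code on load,
# is refused. Add entries only for types you deliberately expect to receive.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve names outside SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def default_loads(data: bytes):
    """Stock pickle.loads: resolves any importable name the stream names."""
    return pickle.loads(data)


def try_restricted(data: bytes):
    """Return ('ok', obj) for allow-listed data, else ('rejected', reason)."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample streams standing in for data received over the network.
DATA_ONLY = pickle.dumps({"user": "alice", "roles": ["viewer"]})  # plain data
ORDERED = pickle.dumps(OrderedDict(user="alice"))                 # allow-listed type
GLOBAL_REF = pickle.dumps(os.getcwd)  # stream merely names a function; no call is encoded

if __name__ == "__main__":
    print(try_restricted(DATA_ONLY))            # ('ok', {'user': 'alice', 'roles': ['viewer']})
    print(try_restricted(ORDERED)[0])           # ok
    print(callable(default_loads(GLOBAL_REF)))  # True: stock loader hands back a live callable
    print(try_restricted(GLOBAL_REF)[0])        # rejected
```

The stock loader turns a name in the stream into a live object before any application code sees it, which is why an allow-list (or a data-only format such as JSON) belongs in front of any deserializer fed from outside.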
python-reportlab-4.0.4-2.fc38 (FEDORA-2023-553fe307dc)
Packages in this update: python-reportlab-4.0.4-2.fc38
Update description: Release 4.0.4
python-reportlab-4.0.4-2.fc37 (FEDORA-2023-3b82f4aa86)
Packages in this update: python-reportlab-4.0.4-2.fc37
Update description: Release 4.0.4
CVE-2021-31635
Server-Side Template Injection (SSTI) vulnerability in jFinal v.4.9.08 allows a remote attacker to execute arbitrary code via the template function.
CVE-2020-23066
Cross Site Scripting vulnerability in TinyMCE v.4.9.6 and before and v.5.0.0 thru v.5.1.4 allows an attacker to execute arbitrary code via the editor function.
CVE-2020-23065
Cross Site Scripting vulnerability in eZ Systems AS eZ Publish Platform v.5.4 and eZ Publish Legacy v.5.4 allows a remote authenticated attacker to execute arbitrary code via the video-js.swf.swf.
CVE-2020-23064
Cross Site Scripting vulnerability in jQuery v.2.2.0 thru v.3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.
CVE-2020-20210
Bludit 3.9.2 is vulnerable to Remote Code Execution (RCE) via /admin/ajax/upload-images.
Latest MOVEit exploit hits thousands of NYC school students and staff
Personal data of over 45,000 public school students was compromised in a breach involving the file-transfer software MOVEit, according to a community letter sent to families and staff by the New York City Department of Education.
“DOE used MOVEit to transfer documents and data internally as well as to and from vendors, including third party special education service providers,” the letter said.
The breach is the latest exploit of a SQL injection vulnerability found in MOVEit Transfer, widely used file transfer software from Progress Software.