It was discovered that LibRaw incorrectly handled certain photo files. If a
user o automated system were tricked into processing a specially crafted
photo file, a remote attacker could possibly cause applications linked
against LibRaw to crash, resulting in a denial of service.
It was discovered that c-ares incorrectly parsed certain SOA replies. A
remote attacker could possibly use this issue to cause c-res to crash,
resulting in a denial of service.
Remember last November, when hackers broke into the network for LastPass—a password database—and stole password vaults with both encrypted and plaintext data for over 25 million users?
Well, they’re now using that data break into crypto wallets and drain them: $35 million and counting, all going into a single wallet.
That’s a really profitable hack. (It’s also bad opsec. The hackers need to move and launder all that money quickly.)
Look, I know that online password databases are more convenient. But they’re also risky. This is why my Password Safe is local only. (I know this sounds like a commercial, but Password Safe is not a commercial product.)
Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Sep 18
SEC Consult Vulnerability Lab Security Advisory < 20230918-0 >
=======================================================================
title: Authenticated Remote Code Execution and
Missing Authentication
product: Atos Unify OpenScape Session Border Controller
Atos Unify OpenScape Branch
Atos Unify OpenScape BCF
vulnerable version: OpenScape SBC…
Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Sep 18
SEC Consult Vulnerability Lab Security Advisory < 20230829-0 >
=======================================================================
title: Reflected Cross-Site Scripting (XSS)
product: PTC – Codebeamer (ALM Solution)
vulnerable version: <=22.10-SP7, <=22.04-SP5, <=21.09-SP13
fixed version: >=22.10-SP8, >=22.04-SP6, >=21.09-SP14
CVE number: CVE-2023-4296…
Posted by Apple Product Security via Fulldisclosure on Sep 18
APPLE-SA-2023-09-11-3 macOS Big Sur 11.7.10
macOS Big Sur 11.7.10 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213915.
Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.
ImageIO
Available for: macOS Big Sur
Impact: Processing a maliciously crafted image may lead to arbitrary
code…
Posted by Apple Product Security via Fulldisclosure on Sep 18
APPLE-SA-2023-09-11-2 macOS Monterey 12.6.9
macOS Monterey 12.6.9 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213914.
Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.
ImageIO
Available for: macOS Monterey
Impact: Processing a maliciously crafted image may lead to arbitrary…
Posted by Apple Product Security via Fulldisclosure on Sep 18
APPLE-SA-2023-09-11-1 iOS 15.7.9 and iPadOS 15.7.9
iOS 15.7.9 and iPadOS 15.7.9 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213913.
Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.
ImageIO
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st…
Posted by Oliver Schwarz via Fulldisclosure on Sep 18
Advisory ID: SYSS-2023-002
Product: Razer Synapse
Manufacturer: Razer Inc.
Affected Version(s): Versions before 3.8.0428.042117 (20230601)
Tested Version(s): 3.8.0228.022313 (20230315)
under Windows 10 Pro (10.0.19044)
under Windows 11 Home (10.0.22621)
Vulnerability Type: Improper Privilege Management (CWE-269)…
roundcubemail-1.5.4-1.el9
Version 1.5.4
Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
Fix so output of log_date_format with microseconds contains time in server time zone, not UTC
Fix so N property always exists in a vCard export (#8771)
Fix so rcmail::format_date() works with DateTimeImmutable input (#8867)
Fix bug where a non-ASCII character in app.js could cause error in javascript engine (#8894)
