ZDI-23-229: ManageEngine ServiceDesk Plus MSP generateSQLReport Improper Input Validation Privilege Escalation Vulnerability


This vulnerability allows remote attackers to escalate privileges on affected installations of ManageEngine ServiceDesk Plus MSP. Authentication is required to exploit this vulnerability.


Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution


Multiple vulnerabilities have been discovered in Fortinet Products, the most severe of which could allow for arbitrary code execution. Fortinet has several products that are able to deliver high-performance network security solutions that protect your network, users, and data from continually evolving threats.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


CVE-2018-25081


** DISPUTED ** Bitwarden through 2023.2.1 offers password auto-fill within a cross-domain IFRAME element. NOTE: the vendor’s position is that there have been important legitimate cross-domain configurations (e.g., an apple.com IFRAME element on the icloud.com website) and that “Auto-fill on page load” is not enabled by default.


Smashing Security podcast #312: Rule 34, Twitter scams, and Facebook fails


Scammers get pwned by a Canadian granny! Don’t be seduced in a bar by an iPhone thief! And will the US Marshals be able to track down the villains who stole their data?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading.

Plus don’t miss our featured interview with Jason Meller of Kolide.


CVE-2021-33352


An issue in the Wyomind Help Desk Magento 2 extension v.1.3.6 and earlier, fixed in v.1.3.7, allows an attacker to execute arbitrary code via a phar file upload in the ticket message field.


CVE-2021-33351


A cross-site scripting vulnerability in the Wyomind Help Desk Magento 2 extension v.1.3.6 and earlier, fixed in v.1.3.7, allows attackers to escalate privileges via a crafted payload in the ticket message field.


USN-5939-1: Linux kernel (GCP) vulnerabilities


It was discovered that the Upper Level Protocol (ULP) subsystem in the
Linux kernel did not properly handle sockets entering the LISTEN state in
certain protocols, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-0461)

It was discovered that the NVMe driver in the Linux kernel did not properly
handle reset events in some situations. A local attacker could use this to
cause a denial of service (system crash). (CVE-2022-3169)

It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3424)

Gwangun Jung discovered a race condition in the IPv4 implementation in the
Linux kernel when deleting multipath routes, resulting in an out-of-bounds
read. An attacker could use this to cause a denial of service (system
crash) or possibly expose sensitive information (kernel memory).
(CVE-2022-3435)

It was discovered that a race condition existed in the Kernel Connection
Multiplexor (KCM) socket implementation in the Linux kernel when releasing
sockets in certain situations. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-3521)

It was discovered that the Netronome Ethernet driver in the Linux kernel
contained a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3545)

It was discovered that the hugetlb implementation in the Linux kernel
contained a race condition in some situations. A local attacker could use
this to cause a denial of service (system crash) or expose sensitive
information (kernel memory). (CVE-2022-3623)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not
properly perform reference counting in some situations, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41218)

It was discovered that the Intel i915 graphics driver in the Linux kernel
did not perform a GPU TLB flush in some situations. A local attacker could
use this to cause a denial of service or possibly execute arbitrary code.
(CVE-2022-4139)

It was discovered that a race condition existed in the Xen network backend
driver in the Linux kernel when handling dropped packets in certain
circumstances. An attacker could use this to cause a denial of service
(kernel deadlock). (CVE-2022-42328, CVE-2022-42329)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did
not properly validate offsets, leading to an out-of-bounds read
vulnerability. An attacker could use this to cause a denial of service
(system crash). (CVE-2022-47520)

It was discovered that the network queuing discipline implementation in the
Linux kernel contained a null pointer dereference in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2022-47929)

José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)

It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)

It was discovered that the Android Binder IPC subsystem in the Linux kernel
did not properly validate inputs in some situations, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2023-20938)

Kyle Zeng discovered that the class-based queuing discipline implementation
in the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23454)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)


McAfee Teammates Share How They #EmbraceEquity This International Women’s Day


International Women’s Day is a time for us to celebrate the achievements and contributions of women at McAfee and around the world. We reflect on progress, the work ahead, and how all of us can create a more equitable and inclusive world.

Collectively we can #EmbraceEquity and raise awareness of how equity leads to equality today and beyond.

See how Team McAfee embraces equity.

“As a father of two daughters, I want them to be able to embrace any opportunities they encounter and be successful at whatever they put their mind to. So, I embrace equity as it creates the best environment for everyone to succeed and simply, it’s just the right thing to do.” Andrew – Software Sales Senior Manager

“In 2023, I’m hopeful that equity will be embraced by all sectors of our society. When we collectively embrace equity, we create a more equal world that strives to be diverse, inclusive and fair.” Fiona, Accounting Senior Manager

“I embrace equity because I believe that everyone deserves to be treated fairly and have equal opportunities, regardless of their background, identity, or personal characteristics.” – Jeremy, Senior UC Engineer

“Embracing equity will help us advance into a future where we appreciate and value uniqueness of each other!” – Ambareen, Senior Manager, Content Operations & QA, DevOps

“I love the #EmbraceEquity theme as it demonstrates how the conversation has progressed to a point where we are having meaningful conversations about why equality is not enough. Equity-based solutions consider the experiences people have and with that more women can get what they need to succeed. This is a long-term solution and I’m excited for continuing this conversation going forward.” – Keegan, Senior Retail Channel Marketing Manager

“I embrace equity because it’s the right thing. But more than this, because without it there is no way we would be able to achieve our full potential.” – Aaron, VP Finance

“To me, #EmbracingEquity means to accept everyone’s differences, uniqueness, and backgrounds; the very essence that makes us each who we are.”  – Deb, Executive Assistant

“Change won’t happen unless we make it happen. I embrace equity because well it’s so clearly and fundamentally the right thing to do.” – Jared, VP Legal

“Embracing Equity means recognizing and supporting women across the globe, regardless of their background. We come together to empower one another, celebrate our achievements, and continue to build workplaces where ALL women can thrive.”  – Taylor, People Experience Program Manager

“I reaffirm my commitment to raise my voice to help others who need support to be heard, to enable them to succeed in their career and to lead. When we make room for diverse voices – we enrich the social fabric and through this, deepen our own perspectives.” – Natalia, Software Sales

“Gender equality is not just an issue for women to solve, it takes men and allies to lean in and truly remove those barriers. The more we can speak out, the more we can stand up and the more stories we can share the greater chance we have to truly inspire action. We can help create a more equitable world for everyone.” – Mike, Director of Global Transformation

“Humanity is diverse: we’re all unique individuals with our own passions, strengths and weaknesses. Equity is taking that uniqueness into account, so everyone has the resources and opportunities they need to succeed.” – Elodie, Security Researcher

Join McAfee and millions of others around the world in celebrating International Women’s Day by sharing how you’ll #EmbraceEquity.

Interested in finding out more about what we’re doing to drive meaningful change at McAfee? Check out our Impact Report.

The post McAfee Teammates Share How They #EmbraceEquity This International Women’s Day appeared first on McAfee Blog.
