Microsoft has released several monthly security fixes and updates for their products. Let’s take a look at the highlights of this month’s Patch Tuesday as we review and discuss the security updates. Microsoft Patches for February 2023 Microsoft has patched 79 vulnerabilities this month, including 3 Microsoft Edge-related vulnerabilities that were fixed earlier this month. … Continue reading “The February 2023 Patch Tuesday Security Update Review”
Year: 2023
VMware vRealize Operations (vROps) Cross-Site Request Forgery Bypass Vulnerability (CVE-2023-20856)
VMware has released a patch for the cross-site request forgery vulnerability in the VMware vRealize Operations (vROps). Tracked as CVE-2023-20856, this vulnerability can be exploited by a malicious attacker to execute actions on the target platform on behalf of the authenticated victim user. VMware vRealize® Operations automates and streamlines IT administration. The tool offers … Continue reading “VMware vRealize Operations (vROps) Cross-Site Request Forgery Bypass Vulnerability (CVE-2023-20856)”
Oracle E-Business Suite Remote Code Execution Vulnerability (CVE-2022-21587)
A critical remote code execution vulnerability in the Oracle E-Business suite is being exploited in the wild shortly after proof-of-concept (PoC) was published. Tracked as CVE-2022-21587, the vulnerability may allow an unauthenticated attacker to execute arbitrary code on the target system. It has been rated critical and given a CVSSv3 base score of 9.8. … Continue reading “Oracle E-Business Suite Remote Code Execution Vulnerability (CVE-2022-21587)”
GoAnywhere Managed File Transfer (MFT) Remote Code Execution Vulnerability (Zero-Day) (CVE-2023-0669)
Fortra has released a patch for a zero-day vulnerability that affects GoAnywhere Managed File Transfer (MFT). GoAnywhere MFT instances that have the administrative console remotely accessible are affected by this vulnerability. On successful exploitation, the vulnerability will allow an attacker to execute malicious code remotely. The vulnerability is being tracked as CVE-2023-0669. GoAnywhere MFT … Continue reading “GoAnywhere Managed File Transfer (MFT) Remote Code Execution Vulnerability (Zero-Day) (CVE-2023-0669)”
Atlassian Jira Service Management Server and Data Center Broken Authentication Vulnerability (CVE-2023-22501)
Atlassian has released a security advisory to address a critical broken authentication vulnerability in Jira Service Management Server and Data Center (CVE-2023-22501). Under certain conditions, an attacker might use this vulnerability to impersonate another user to access a Jira Service Management instance. Jira Service Management is designed to unlock high-velocity teams by allowing each team to give … Continue reading “Atlassian Jira Service Management Server and Data Center Broken Authentication Vulnerability (CVE-2023-22501)”
CentOS Web Panel 7 (CWP7) Unauthenticated Remote Code Execution Vulnerability (CVE-2022-44877)
Malicious attackers exploit a critical vulnerability in the CentOS Web Panel (CWP). Tracked as CVE-2022-44877, this vulnerability could allow an attacker to gain unauthenticated remote code execution on vulnerable servers. The exploitation of this vulnerability began after the security researcher Numan Türle of Gais Cyber Security made the proof-of-concept code publicly available. CentOS Web Panel … Continue reading “CentOS Web Panel 7 (CWP7) Unauthenticated Remote Code Execution Vulnerability (CVE-2022-44877)”
WordPress LMS Plugin LearnPress Multiple Vulnerabilities (CVE-2022-45820, CVE-2022-45808, & CVE-2022-47615)
Multiple vulnerabilities have been discovered in the WordPress online course plugin LearnPress. The vulnerabilities are being tracked as CVE-2022-45820, CVE-2022-45808, and CVE-2022-47615. These vulnerabilities could allow attackers to insert malicious code, potentially leading to sensitive information disclosure, data modification, and arbitrary code execution. PatchStack discovered the vulnerability. LearnPress is a comprehensive, free-to-use learning management … Continue reading “WordPress LMS Plugin LearnPress Multiple Vulnerabilities (CVE-2022-45820, CVE-2022-45808, & CVE-2022-47615)”
VMware Released Patch for Multiple Vulnerabilities in VMware vRealize Log Insight (CVE-2022-31704, CVE-2022-31706, CVE-2022-31710, & CVE-2022-31711)
VMware has released a security advisory to address multiple vulnerabilities in its vRealize Log Insight product. The vulnerabilities have CVSSv3 scores ranging from 5.3 to 9.8. The vulnerabilities are being tracked as CVE-2022-31706, CVE-2022-31704, CVE-2022-31710, and CVE-2022-31711. vRealize Log Insight is used by infrastructure and applications in any environment for intelligent log management. This … Continue reading “VMware Released Patch for Multiple Vulnerabilities in VMware vRealize Log Insight (CVE-2022-31704, CVE-2022-31706, CVE-2022-31710, & CVE-2022-31711)”
Cacti Unauthenticated Command Injection Vulnerability (CVE-2022-46169)
Cacti, a web-based device monitoring tool, is vulnerable to a critical command injection vulnerability. Tracked as CVE-2022-46169, this vulnerability requires no authentication for exploitation. On successful exploitation, this could allow an unauthenticated attacker to execute arbitrary code if a specific data source was selected for any monitored device. Cacti is a network monitoring and graphing … Continue reading “Cacti Unauthenticated Command Injection Vulnerability (CVE-2022-46169)”
The January 2023 Oracle Critical Patch Update
This Oracle Critical Patch Update contains a group of patches for multiple security vulnerabilities that address 327 new security patches. Some of the vulnerabilities addressed this month impact various products. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products. We urge customers to apply these time-sensitive Oracle Critical Patch Updates. … Continue reading “The January 2023 Oracle Critical Patch Update”
