Oracle WebLogic server is vulnerable to an information disclosure flaw that can lead to remote code execution. Assigned with CVE-2023-21839, an attacker can exploit this vulnerability to gain unauthorized access to critical data. The vulnerability started getting noticed shortly after proof of concept (PoC) was published. Oracle WebLogic Server is a product of Oracle Fusion … Continue reading “Oracle WebLogic Server Information Disclosure Vulnerability (CVE-2023-21839)”
Author: Diksha Ojha
Joomla! Webservice Endpoints Improper Access Control Vulnerability (CVE-2023-23752)
A high-severity improper access control vulnerability has been discovered in various Joomla! CMS instances. Tracked as CVE-2023-23752, the vulnerability may allow an attacker to get unauthorized access to webservice endpoints and access sensitive information of the target application. On January 8, 2024, CISA added the CVE-2023-27524 to the Known Exploited Vulnerabilities Catalog. CISA has recommended users … Continue reading “Joomla! Webservice Endpoints Improper Access Control Vulnerability (CVE-2023-23752)”
VMware Carbon Black App Control Injection Vulnerability (CVE-2023-20858)
VMware patched a critical severity vulnerability in its Carbon Black App Control Server. Assigned with CVE-2023-20858, the vulnerability could allow an attacker to gain complete control of the target system. The vulnerability has a CVSSv3 base score of 9.1. VMware Carbon Black App Control provides application control and critical infrastructure protection. The VMware product … Continue reading “VMware Carbon Black App Control Injection Vulnerability (CVE-2023-20858)”
TerraMaster NAS Remote Code Execution Vulnerability (CVE-2022-24990)
TerraMaster NAS devices are vulnerable to a remote command execution vulnerability that could allow an unauthenticated attacker to execute commands as root. Tracked as CVE-2022-24990, the vulnerability is exploited via PHP Object Instantiation. CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog, requesting users to patch it soon. NAS (network-attached … Continue reading “TerraMaster NAS Remote Code Execution Vulnerability (CVE-2022-24990)”
Citrix Patches Multiple Vulnerabilities in Workspace, Virtual App, and Desktop (CVE-2023-24483, CVE-2023-24484, CVE-2023-24485, CVE-2023-24486)
Citrix has released security advisories to address multiple high-severity vulnerabilities affecting Workspace, Virtual Apps, and Desktops. The vulnerabilities are assigned with CVE-2023-24483, CVE-2023-24484, CVE-2023-24485, and CVE-2023-24486. On successful exploitation, these vulnerabilities can have severe consequences ranging from privilege escalation to session takeover. Citrix products are used in various organizations worldwide for handling multiple operations. … Continue reading “Citrix Patches Multiple Vulnerabilities in Workspace, Virtual App, and Desktop (CVE-2023-24483, CVE-2023-24484, CVE-2023-24485, CVE-2023-24486)”
Apple Patches Zero-day Vulnerability in WebKit (CVE-2023-23529)
Apple has released security advisories to address a vulnerability in WebKit. The vulnerability has been assigned with the CVE-2023-23529. It affects multiple devices, including macOS, iPadOS, and iOS. Apple has mentioned in its advisory that they are aware of a report that the CVE-2023-23529 may have been actively exploited. The zero-day vulnerability might be used … Continue reading “Apple Patches Zero-day Vulnerability in WebKit (CVE-2023-23529)”
VMware vRealize Operations (vROps) Cross-Site Request Forgery Bypass Vulnerability (CVE-2023-20856)
VMware has released a patch for the cross-site request forgery vulnerability in the VMware vRealize Operations (vROps). Tracked as CVE-2023-20856, this vulnerability can be exploited by a malicious attacker to execute actions on the target platform on behalf of the authenticated victim user. VMware vRealize® Operations automates and streamlines IT administration. The tool offers … Continue reading “VMware vRealize Operations (vROps) Cross-Site Request Forgery Bypass Vulnerability (CVE-2023-20856)”
Oracle E-Business Suite Remote Code Execution Vulnerability (CVE-2022-21587)
A critical remote code execution vulnerability in the Oracle E-Business suite is being exploited in the wild shortly after proof-of-concept (PoC) was published. Tracked as CVE-2022-21587, the vulnerability may allow an unauthenticated attacker to execute arbitrary code on the target system. It has been rated critical and given a CVSSv3 base score of 9.8. … Continue reading “Oracle E-Business Suite Remote Code Execution Vulnerability (CVE-2022-21587)”
GoAnywhere Managed File Transfer (MFT) Remote Code Execution Vulnerability (Zero-Day) (CVE-2023-0669)
Fortra has released a patch for a zero-day vulnerability that affects GoAnywhere Managed File Transfer (MFT). GoAnywhere MFT instances that have the administrative console remotely accessible are affected by this vulnerability. On successful exploitation, the vulnerability will allow an attacker to execute malicious code remotely. The vulnerability is being tracked as CVE-2023-0669. GoAnywhere MFT … Continue reading “GoAnywhere Managed File Transfer (MFT) Remote Code Execution Vulnerability (Zero-Day) (CVE-2023-0669)”
Atlassian Jira Service Management Server and Data Center Broken Authentication Vulnerability (CVE-2023-22501)
Atlassian has released a security advisory to address a critical broken authentication vulnerability in Jira Service Management Server and Data Center (CVE-2023-22501). Under certain conditions, an attacker might use this vulnerability to impersonate another user to access a Jira Service Management instance. Jira Service Management is designed to unlock high-velocity teams by allowing each team to give … Continue reading “Atlassian Jira Service Management Server and Data Center Broken Authentication Vulnerability (CVE-2023-22501)”
