Security researchers at Horizon3.ai have discovered two path traversal vulnerabilities in PaperCut NG/MF application servers. An attacker with direct IP address access may chain these vulnerabilities to read and write arbitrary files. CVE-2023-39143 has been rated with a CVSS score of 8.4. PaperCut is a comprehensive print management software used in many industries worldwide. To … Continue reading “PaperCut NG/MF Chained Path Traversal Vulnerability in Authenticated API (CVE-2023-39143)”
Ivanti Endpoint Manager Mobile (EPMM) Remote Unauthenticated API Access Vulnerability (CVE-2023-35082)
Stephen Fewer from Rapid7 has discovered a vulnerability in Ivanti EPMM. The vulnerability was found while the researchers were investigating another zero-day vulnerability, CVE-2023-35078. Successful exploitation of the vulnerability may allow an unauthenticated, remote attacker to access the API and user information. CVE-2023-35082 has been given a critical severity rating with a CVSS score of 10. … Continue reading “Ivanti Endpoint Manager Mobile (EPMM) Remote Unauthenticated API Access Vulnerability (CVE-2023-35082)”
Zimbra Collaboration Suite Cross-Site Scripting Vulnerability (CVE-2023-37580) Added to CISA Known Exploited Vulnerabilities Catalog
Attackers are exploiting a critical Zimbra Collaboration Suite cross-site scripting vulnerability. CVE-2023-37580 affects the Zimbra Classic Web Client. Successful exploitation of the vulnerability may allow an attacker to compromise the confidentiality and integrity of the target system. CISA has added CVE-2023-37580 to its Known Exploited Vulnerabilities Catalog, urging users to apply the patch before … Continue reading “Zimbra Collaboration Suite Cross-Site Scripting Vulnerability (CVE-2023-37580) Added to CISA Known Exploited Vulnerabilities Catalog”
Qualys Research Team Discovered Multiple Cross-Site Scripting Vulnerabilities in Webmin
The Qualys Research Team discovered nine high and critical severity vulnerabilities in Webmin. The successful exploitation of cross-site scripting (XSS) vulnerabilities could cause severe damage to users and the overall security of the application. Webmin is used to change and manage open-source applications like BIND DNS Server, Apache HTTP Server, PHP, MySQL, and many more, … Continue reading “Qualys Research Team Discovered Multiple Cross-Site Scripting Vulnerabilities in Webmin”
Ivanti Endpoint Manager Mobile (EPMM) Remote Arbitrary File Write Vulnerability (CVE-2023-35081)
Ivanti EPMM, formerly MobileIron Core, is facing another zero-day vulnerability CVE-2023-35081. Successful exploitation of the vulnerability will allow an authenticated administrator to perform arbitrary file writes to the EPMM server. Arbitrary file write (AFW) is a type of vulnerability that can allow attackers to escalate their privileges and even achieve remote code execution (RCE) on … Continue reading “Ivanti Endpoint Manager Mobile (EPMM) Remote Arbitrary File Write Vulnerability (CVE-2023-35081)”
Ivanti Endpoint Manager Mobile (EPMM) Remote Unauthenticated API Access Vulnerability (CVE-2023-35078)
A zero-day authentication bypass vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM). CVE-2023-35078 has been given a critical severity rating with a CVSS score of 10. Successful exploitation of the vulnerability may allow unauthorized users to access restricted functionality or resources of the application. CISA has added the publicly exploited CVE-2023-35078 to its Known … Continue reading “Ivanti Endpoint Manager Mobile (EPMM) Remote Unauthenticated API Access Vulnerability (CVE-2023-35078)”
Apple Patches Zero-day Vulnerability Used in Attacks Against iOS 15.7.1 (CVE-2023-38606)
Apple has released a patch to address a zero-day vulnerability (CVE-2023-38606). The security updates fix the vulnerability in multiple products such as macOS Ventura, Monterey, Big Sur, iOS, and iPadOS. Apple has mentioned in the advisory that they are aware of the active exploitation of the vulnerability in attacks against versions of iOS 15.7.1. Valentin … Continue reading “Apple Patches Zero-day Vulnerability Used in Attacks Against iOS 15.7.1 (CVE-2023-38606)”
Atlassian Patches Remote Code Execution Vulnerabilities in Confluence and Bamboo (CVE-2023-22505, CVE-2023-22506, & CVE-2023-22508)
Atlassian Confluence Server & Data Center and Bamboo Data Center are affected by high-severity vulnerabilities: CVE-2023-22505, CVE-2023-22506, and CVE-2023-22508. The vulnerabilities may allow attackers to perform remote code execution on successful exploitation. Anonymous researchers have discovered and reported these vulnerabilities to Atlassian via their Bug Bounty and Penetration Testing programs. In February 2023, Atlassian addressed … Continue reading “Atlassian Patches Remote Code Execution Vulnerabilities in Confluence and Bamboo (CVE-2023-22505, CVE-2023-22506, & CVE-2023-22508)”
Citrix Application Delivery Controller (ADC) and Citrix Gateway Multiple Vulnerabilities (CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467)
A new critical severity vulnerability (CVE-2023-3519) in NetScaler ADC and NetScaler Gateway is being exploited in the wild. CVE-2023-3519 may allow an unauthenticated attacker to perform remote code execution on the target system. The advisory addressed two more vulnerabilities: CVE-2023-3466 and CVE-2023-3467. Wouter Rijkbost and Jorren Geurts of Resillion have discovered the vulnerabilities addressed in … Continue reading “Citrix Application Delivery Controller (ADC) and Citrix Gateway Multiple Vulnerabilities (CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467)”
Oracle Patch Tuesday, July 2023 Security Update Review
Oracle has released its third quarterly Critical Patch Update of the year, which contains a group of patches for 508 security vulnerabilities. Some of the vulnerabilities addressed this month impact more than one product. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. In the Q3 2023 Oracle Critical Patch Update, the … Continue reading “Oracle Patch Tuesday, July 2023 Security Update Review”