Attackers exploit two Adobe ColdFusion vulnerabilities to bypass authentication and perform remote code execution. CVE-2023-29298 and CVE-2023-38203 can be chained to conduct attacks on Adobe ColdFusion environments. CISA has added CVE-2023-29298 and CVE-2023-38205 to its Known Exploited Vulnerabilities Catalog, recommending users patch before August 10. On January 8, 2024, CISA added the CVE-2023-29300 and CVE-2023-38203 …
Zimbra Collaboration Suite Cross-Site Scripting (XSS) Zero-day Vulnerability
There is a critical severity vulnerability affecting the Zimbra Collaboration Suite. The cross-site scripting vulnerability allows an attacker to impact the confidentiality and integrity of the user’s data. Zimbra has mentioned in the security update that “The fix is planned to be delivered in the July patch release.” Zimbra Collaboration Suite is a widely deployed …
Cisco Releases Patch for SD-WAN vManage Unauthenticated REST API Access Vulnerability (CVE-2023-20214)
The Cisco TAC support team has discovered a critical vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software. CVE-2023-20214 allows an unauthenticated attacker to retrieve information and send data to the configuration of the affected Cisco vManage instance. The Cisco SD-WAN Solution provides an advanced, software-based solution that lowers …
FortiOS and FortiProxy Stack-based Buffer Overflow Vulnerability (CVE-2023-33308)
Fortinet has addressed a critical severity vulnerability affecting FortiOS and FortiProxy. CVE-2023-33308 has been given a critical severity rating with a CVSSv3 score of 9.8. Successful exploitation of the vulnerability will allow a remote attacker to execute arbitrary code on target systems. The brain of Fortinet Security Fabric is its network operating system, FortiOS. The Security …
Microsoft Patch Tuesday, July 2023 Security Update Review
Microsoft has released July’s edition of Patch Tuesday! This installment of security updates addressed 132 security vulnerabilities in various products, features, and roles. This month’s Patch Tuesday edition has fixed six zero-day vulnerabilities known to be exploited in the wild. Nine of these 132 vulnerabilities are rated as critical …
Apple Patches Actively Exploited Zero-day Vulnerability in macOS Ventura, iOS and iPadOS (CVE-2023-37450)
Apple has released patches for an actively exploited zero-day vulnerability in macOS Ventura, iOS, and iPadOS. Apple has mentioned in the advisory that they are aware of the issue being exploited. The vulnerability, CVE-2023-37450, was reported by an anonymous researcher. CISA has added the zero-day vulnerability to its Known Exploited Vulnerabilities Catalog and recommended users …
Progress MOVEit Transfer Multiple Vulnerabilities (CVE-2023-36932, CVE-2023-36933, & CVE-2023-36934)
Multiple Denial of Service and SQL injection vulnerabilities have been discovered in the Service Pack program for MOVEit products, including MOVEit Transfer and MOVEit Automation. CVE-2023-36934 is rated as critical, while CVE-2023-36932 and CVE-2023-36933 are rated High. Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access to the MOVEit Transfer database and terminate …
WordPress Plugin Ultimate Member Unauthenticated Privilege Escalation Vulnerability (CVE-2023-3460)
WordPress Ultimate Member plugin is vulnerable to a privilege escalation vulnerability that is being exploited in the wild. CVE-2023-3460 has been rated as critical with a CVSS base score of 9.8. The proof of concept for the vulnerability will be released on August 1st, 2023. Ultimate Member is a user profile and membership plugin for …
Citrix ADC and Citrix Gateway Arbitrary File Read and Cross-Site Scripting Vulnerabilities (CVE-2023-24487 & CVE-2023-24488)
Petr Juhanak of Accenture, Dylan Pindur of Assetnote, and Wisdomtree of Ant Group Digital Financial Security Team have discovered two vulnerabilities in Citrix ADC and Citrix Gateway. CVE-2023-24487 may allow attackers to read arbitrary files. CVE-2023-24488 is a cross-site scripting vulnerability that may allow an attacker to execute JavaScript in the victim’s browser. Citrix ADC …
Fortinet Patches Critical Arbitrary Code Execution Vulnerability in FortiNAC (CVE-2023-33299)
Fortinet addressed an arbitrary code execution vulnerability in FortiNAC. CVE-2023-33299 has been rated as critical with a CVSS base score of 9.6. Florian Hauser from CODE WHITE has discovered and reported the vulnerability to Fortinet. Successful exploitation of the vulnerability may allow an unauthenticated attacker to execute unauthorized code on the target system. FortiNAC is …