Veeam Backup and Replication Access Control Vulnerability (CVE-2023-27532)

Veeam has patched a high-severity vulnerability in Veeam Backup & Replication. Tracked as CVE-2023-27532, the flaw lets an unauthenticated attacker with network access to the backup infrastructure request encrypted credentials stored in the configuration database, which can lead to remote code execution on backup hosts.

A proof-of-concept (PoC) exploit is publicly available; Markus Wulftange, a security researcher at CODE WHITE GmbH, published it. CISA has added …

Apache Patches HTTP Request Splitting Vulnerabilities in its HTTP Server (CVE-2023-25690 and CVE-2023-27522)

Apache has released HTTP Server 2.4.56 to address two security flaws, CVE-2023-25690 and CVE-2023-27522. Both can be used for HTTP request smuggling (request splitting) against a vulnerable server running certain mod_proxy configurations. Successful exploitation can result in information disclosure and give an attacker a foothold for further attacks.

The Apache HTTP Server, also called …

Fortinet FortiOS Path Traversal Vulnerability (CVE-2022-41328)

Fortinet has recently issued advisories and warnings about several vulnerabilities in its products, including FortiOS, FortiProxy, and FortiSwitchManager. The most significant is a path traversal vulnerability in FortiOS (CVE-2022-41328): a privileged attacker may read and write arbitrary files via crafted CLI commands. Threat groups have been using zero-day exploits to abuse the …

The March 2023 Patch Tuesday Security Update Review

Microsoft has released its monthly security update for March 2023. This month’s updates address vulnerabilities across a range of products. Let’s go through this month’s Patch Tuesday details and discuss the security updates.

Microsoft Patches for March 2023

Microsoft has addressed 101 vulnerabilities in March, including 22 in Microsoft Edge (Chromium-based). Microsoft has …

Jenkins Server Cross-Site Scripting (XSS) Vulnerability (CVE-2023-27898)

Researchers from Aqua Nautilus have identified a pair of flaws in the widely used Jenkins server and Update Center that they have named CorePlague (CVE-2023-27898 and CVE-2023-27905). By chaining these vulnerabilities, an unauthenticated attacker might be able to execute arbitrary code on the victim’s Jenkins server. Successful exploitation could result in a complete compromise of …

CISA Added GLPI Command Injection Vulnerability to its KEV Catalog (CVE-2022-35914)

GLPI, an open-source IT asset management application, is vulnerable to a command injection flaw that can lead to remote code execution. The critical-severity vulnerability is tracked as CVE-2022-35914 and has a CVSSv3 score of 9.8. GLPI patched it on September 14, 2022. The advisory states, “CVE-2022-35914 has been massively exploited …

FortiOS and FortiProxy Heap Buffer Underflow Vulnerability (CVE-2023-25610)

Fortinet has released security updates to fix a heap buffer underflow vulnerability in FortiOS and FortiProxy. CVE-2023-25610 is rated critical with a CVSSv3 score of 9.3. On successful exploitation, the vulnerability allows an unauthenticated, remote attacker to execute arbitrary code on the target system and/or perform a DoS …

Zoho Patched Remote Code Execution Vulnerability in ManageEngine ADSelfService Plus (CVE-2022-28810)

Multiple Zoho ManageEngine ADSelfService Plus builds are affected by a vulnerability that allows an authenticated administrator to execute arbitrary operating-system commands on a vulnerable ADSelfService Plus instance. Tracked as CVE-2022-28810, the flaw was fixed by Zoho on April 9, 2022, but it is being exploited in the wild.

CISA has added the vulnerability …

Apache Spark Command Injection Vulnerability (CVE-2022-33891)

Kostya Kortchinsky discovered a command injection vulnerability in the Apache Spark web user interface (UI). Tracked as CVE-2022-33891, the vulnerability is exploitable only when Access Control Lists (ACLs) are enabled (spark.acls.enable=true). Apache fixed the vulnerability on July 18, 2022; however, the flaw is being exploited in the wild. CISA has added the vulnerability to its Known …

Cisco Patched Multiple Vulnerabilities in IP Phone 6800, 7800, 7900, and 8800 Series (CVE-2023-20078 & CVE-2023-20079)

Cisco has released a security advisory to address two vulnerabilities, one critical and one high-severity, in the web UI of its IP Phone 6800, 7800, 7900, and 8800 Series.

CVE-2023-20078 (critical) may allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

CVE-2023-20079 (high) may allow an unauthenticated, remote attacker to reload the affected device, resulting in a …