A remote code execution vulnerability affecting multiple versions of the ZK Framework is under active exploitation. Tracked as CVE-2022-36537, the vulnerability may allow an attacker to access critical information by sending a specially crafted POST request to the AuUploader component. Markus Wulftange of Code White GmbH discovered the vulnerability last year, and … Continue reading “ZK Java Framework Remote Code Execution Vulnerability (CVE-2022-36537)”
IBM Aspera Faspex Remote Code Execution Vulnerability (CVE-2022-47986)
IBM has released a security advisory addressing ten vulnerabilities in its file transfer solution Aspera Faspex. CVE-2022-47986 is the only critically rated vulnerability among the ten. The update patches multiple remote code execution, cross-site scripting (XSS), denial of service (DoS), and other security vulnerabilities. CVE-2022-47986 … Continue reading “IBM Aspera Faspex Remote Code Execution Vulnerability (CVE-2022-47986)”
Oracle WebLogic Server Information Disclosure Vulnerability (CVE-2023-21839)
Oracle WebLogic Server is affected by an information disclosure flaw that can lead to remote code execution. Tracked as CVE-2023-21839, the vulnerability can be exploited by an attacker to gain unauthorized access to critical data. Exploitation attempts were observed shortly after a proof of concept (PoC) was published. Oracle WebLogic Server is a product of Oracle Fusion … Continue reading “Oracle WebLogic Server Information Disclosure Vulnerability (CVE-2023-21839)”
Joomla! Webservice Endpoints Improper Access Control Vulnerability (CVE-2023-23752)
A high-severity improper access control vulnerability has been discovered in multiple versions of Joomla! CMS. Tracked as CVE-2023-23752, the vulnerability may allow an attacker to gain unauthorized access to webservice endpoints and read sensitive information from the target application. On January 8, 2024, CISA added CVE-2023-23752 to its Known Exploited Vulnerabilities Catalog. CISA has recommended users … Continue reading “Joomla! Webservice Endpoints Improper Access Control Vulnerability (CVE-2023-23752)”
VMware Carbon Black App Control Injection Vulnerability (CVE-2023-20858)
VMware has patched a critical-severity vulnerability in its Carbon Black App Control Server. Tracked as CVE-2023-20858, the vulnerability could allow an attacker to gain complete control of the target system; it has a CVSSv3 base score of 9.1. VMware Carbon Black App Control provides application control and critical infrastructure protection. The VMware product … Continue reading “VMware Carbon Black App Control Injection Vulnerability (CVE-2023-20858)”
TerraMaster NAS Remote Code Execution Vulnerability (CVE-2022-24990)
TerraMaster NAS devices are affected by a remote command execution vulnerability that could allow an unauthenticated attacker to execute commands as root. Tracked as CVE-2022-24990, the vulnerability is exploited via PHP object instantiation. CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and urged users to patch it promptly. NAS (network-attached … Continue reading “TerraMaster NAS Remote Code Execution Vulnerability (CVE-2022-24990)”
Citrix Patches Multiple Vulnerabilities in Workspace, Virtual App, and Desktop (CVE-2023-24483, CVE-2023-24484, CVE-2023-24485, CVE-2023-24486)
Citrix has released security advisories addressing multiple high-severity vulnerabilities in Workspace, Virtual Apps, and Desktops. The vulnerabilities are tracked as CVE-2023-24483, CVE-2023-24484, CVE-2023-24485, and CVE-2023-24486. Successful exploitation can have consequences ranging from privilege escalation to session takeover. Citrix products are used by organizations worldwide for a wide range of operations. … Continue reading “Citrix Patches Multiple Vulnerabilities in Workspace, Virtual App, and Desktop (CVE-2023-24483, CVE-2023-24484, CVE-2023-24485, CVE-2023-24486)”
Apple Patches Zero-day Vulnerability in WebKit (CVE-2023-23529)
Apple has released security advisories to address a vulnerability in WebKit, tracked as CVE-2023-23529. It affects multiple platforms, including macOS, iPadOS, and iOS. Apple states in its advisory that it is aware of a report that CVE-2023-23529 may have been actively exploited. The zero-day vulnerability might be used … Continue reading “Apple Patches Zero-day Vulnerability in WebKit (CVE-2023-23529)”
The February 2023 Patch Tuesday Security Update Review
Microsoft has released its monthly security fixes and updates for its products. Let’s take a look at the highlights of this month’s Patch Tuesday as we review and discuss the security updates. Microsoft Patches for February 2023: Microsoft has patched 79 vulnerabilities this month, including 3 Microsoft Edge vulnerabilities that were fixed earlier this month. … Continue reading “The February 2023 Patch Tuesday Security Update Review”
VMware vRealize Operations (vROps) Cross-Site Request Forgery Bypass Vulnerability (CVE-2023-20856)
VMware has released a patch for a cross-site request forgery (CSRF) vulnerability in VMware vRealize Operations (vROps). Tracked as CVE-2023-20856, the vulnerability can be exploited by an attacker to execute actions on the target platform on behalf of an authenticated victim user. VMware vRealize® Operations automates and streamlines IT administration. The tool offers … Continue reading “VMware vRealize Operations (vROps) Cross-Site Request Forgery Bypass Vulnerability (CVE-2023-20856)”
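The cross-site request forgery pattern described above, as an added example that is not vROps code and not part of the original post: a state-changing handler that trusts only the session cookie, beside one that also checks the request origin and a per-session anti-forgery token. The request model, the `delete_alert` action, the trusted origin `https://ops.example.internal` and the attacker origin `https://attacker.example` are all assumptions constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed deployment origin of a hypothetical web UI; not a vROps value.
TRUSTED_ORIGIN = "https://ops.example.internal"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a web framework would hand it over."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


# session id -> {"user": ..., "csrf": per-session anti-forgery token}
SESSIONS: Dict[str, Dict[str, str]] = {}
# (user, action, target) tuples so the reader can see which requests "ran"
AUDIT: List[Tuple[str, str, str]] = []


def login(user: str) -> str:
    """Creates a session and a fresh, unguessable CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _session_for(req: Request) -> Optional[Dict[str, str]]:
    return SESSIONS.get(req.cookies.get("session", ""))


def _origin_is_trusted(req: Request) -> bool:
    """Compares scheme + host of Origin (Referer as fallback) against the trusted
    origin. A missing header fails closed; a prefix match would be bypassable."""
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def vulnerable_delete_alert(req: Request) -> int:
    """Pattern behind a CSRF bug: the only authentication is the session cookie,
    which the browser also attaches to a POST submitted from an attacker's page,
    so the victim's privileges execute the attacker's action."""
    if req.method != "POST":
        return 405
    sess = _session_for(req)
    if sess is None:
        return 401
    AUDIT.append((sess["user"], "delete_alert", req.form.get("alert_id", "")))
    return 200


def hardened_delete_alert(req: Request) -> int:
    """Same action with two independent anti-forgery checks: the request must come
    from the trusted origin, and it must carry the per-session token that only a
    page served by this application could have read."""
    if req.method != "POST":
        return 405
    sess = _session_for(req)
    if sess is None:
        return 401
    if not _origin_is_trusted(req):
        return 403
    token = req.form.get("csrf_token", "")
    # constant-time compare so the token cannot be recovered byte by byte
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    AUDIT.append((sess["user"], "delete_alert", req.form.get("alert_id", "")))
    return 200


def csrf_demo() -> Dict[str, int]:
    """Replays one forged and one legitimate request against both handlers.
    Both requests are constructed test data, not captured traffic."""
    sid = login("ops-admin")
    # Cross-site form POST from an attacker-controlled page: the browser sends the
    # victim's session cookie and sets Origin to the attacker's site.
    forged = Request(
        "POST", "/api/alerts/delete",
        headers={"Origin": "https://attacker.example"},
        cookies={"session": sid},
        form={"alert_id": "42"},
    )
    # Same-origin POST from the application's own page, carrying the token.
    legit = Request(
        "POST", "/api/alerts/delete",
        headers={"Origin": TRUSTED_ORIGIN},
        cookies={"session": sid},
        form={"alert_id": "42", "csrf_token": SESSIONS[sid]["csrf"]},
    )
    return {
        "vulnerable_forged": vulnerable_delete_alert(forged),  # 200: action ran
        "hardened_forged": hardened_delete_alert(forged),      # 403: rejected
        "hardened_legit": hardened_delete_alert(legit),        # 200: allowed
    }


if __name__ == "__main__":
    print(csrf_demo())
```

Running `csrf_demo()` shows the forged request succeeding against the vulnerable handler and being rejected by the hardened one, while the legitimate same-origin request still passes. The origin check is defence in depth rather than the primary control (some clients and proxies strip Referer, and a permissive CORS policy weakens it), which is why the synchronizer token is the check that must never be skipped; marking the session cookie `SameSite=Lax` or `Strict` adds a browser-enforced third layer that this demo does not model.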