Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2.

Switch branch/tag

*   cves
*   2021
*   **CVE-2021-39916.json**

Find file BlameHistoryPermalink

*   ![🤖 GitLab Bot 🤖's avatar](https://gitlab.com/uploads/-/system/user/avatar/1786152/avatar.png?width=40 "🤖 GitLab Bot 🤖")
    
    Publishing 0 updated advisories and 1 new advisories · 54ece741
    
    🤖 GitLab Bot 🤖 authored Dec 13, 2021
    
    54ece741
    

**CVE-2021-39916.json** 2.68 KB

EditWeb IDE

**Replace CVE-2021-39916.json**

Attach a file by drag & drop or click to upload

  

Commit message

Cancel

GitLab will create a branch in your fork and start a merge request.

CVE-2021-39916: 2021/CVE-2021-39916.json · master · GitLab.org / cves

Missing Support for an Integrity Check in Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 allows attackers to update the device with crafted firmware

**Tenda CP3 Malicious Upgrade****CVE Number**

TBA

**Summary**

It is possible to trigger the update of the Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 using maliciously-forged firmware images.

**Tested Versions**

Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355

**Product URLs**

Vendor Website

**CVSSv3 Score**

TBA

**CWE**

*   CWE-798: Use of Hard-coded Credentials
*   CWE-353: Missing Support for Integrity Check

**Details**

By triggering the update procedure on the camera with a maliciously-modified firmware it is possibile to overwrite the official firmware and to prevent future updates. Any modification to the firmware is persistent.

CVE-2023-30356: ACES/tmp_MU.md at master · SECloudUNIMORE/ACES

The Java Admin Console in Veritas NetBackup through 10.1 and related Veritas products on Linux and UNIX allows authenticated non-root users (that have been explicitly added to the auth.conf file) to execute arbitrary commands as root.

**Revision History**

*   November 15, 2022 – Initial Public Release

**Summary**

Veritas has addressed an OS Command Injection vulnerability affecting the NetBackup Java Admin Console. Please see the “Notes” section below to determine if you are vulnerable to this issue. Only users explicitly added to the auth.conf file can exploit this vulnerability.

**Issues****OS Command Injection vulnerability**

A vulnerability in the NetBackup Java Admin Console allows authenticated non-root users that have been explicitly added to the auth.conf file to execute arbitrary commands as root.

*   CVE ID: TBA
*   Severity: High
*   CVSS v3.1 Base Score: 7.5 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
*   Potentially impacted components: Primary servers, Media servers, and Clients. (See Notes below).
*   Recommended action:
    *   NetBackup: Upgrade to 8.2, 8.3.0.1, 8.3.0.2, 9.0.0.1, 9.1.0.1, 10.0.0.1 or 10.1 and apply corresponding Hotfix
    *   NetBackup Appliance: Upgrade to 3.2, 3.3.0.1, 3.3.0.2, 4.0.0.1, 4.1.0.1 or 5.0.0.1 MR1 and apply appropriate Hotfix.
    *   Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances.
    *   Flex Scale: Please contact Veritas Technical Support and reference Knowledge Article ID 100053006 to obtain a fix.

**Notes**

The /usr/openv/java/auth.conf file grants access to functions in the NetBackup Administration Console. This file is created by default with only root having administrative rights. This file is present on Primary Servers, Media Servers and Clients.

Unless auth.conf is modified by adding non-root users to it and allowing those users to manage Primary servers or Media servers or Clients, the environment is NOT vulnerable, and the fix is not required.

This affects only Unix-based servers and clients. Windows-based servers and clients are unaffected.

The fix updates the vulnerable bpjava binary on the target system that the Java Admin UI console connects to.

For more details about auth.conf please see: https://www.veritas.com/content/support/en\_US/doc/21733320-149123528-0/v41641695-149123528

**Questions**

For questions or problems regarding this advisory please contact Veritas Technical Support (https://www.veritas.com/support)

**Acknowledgement**

Veritas would like to thank the Nordea Backup Team for reporting the issue to us.

**Disclaimer**

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. ANY FORWARD-LOOKING INDICATION OF PLANS FOR PRODUCTS IS PRELIMINARY AND ALL FUTURE RELEASE DATES ARE TENTATIVE AND ARE SUBJECT TO CHANGE. ANY FUTURE RELEASE OF THE PRODUCT OR PLANNED MODIFICATIONS TO PRODUCT CAPABILITY, FUNCTIONALITY, OR FEATURE ARE SUBJECT TO ONGOING EVALUATION BY VERITAS, AND MAY NOT BE IMPLEMENTED AND SHOULD NOT BE CONSIDERED FIRM COMMITMENTS BY VERITAS AND SHOULD NOT BE RELIED UPON IN MAKING DECISIONS.

Veritas Technologies LLC  
2625 Augustine Drive  
Santa Clara, CA 95054

CVE-2022-45461: Hotfix for Security Advisory Impacting NetBackup Java Admin Console

Users with only access to launch VDA applications can launch an unauthorized desktop


CTX559370

{{tooltipText}}

Security Bulletin | Severity: Medium | {{likeCount}} found this helpful | Created: {{articleFormattedCreatedDate}} | Modified: {{articleFormattedModifiedDate}} | Status: Final

**Description of Problem**

A vulnerability has been identified that impacts Virtual Delivery Agents for Windows or Linux used by Citrix Virtual Apps and Desktops and Citrix DaaS. 

The vulnerability affects the following supported versions of **Windows Virtual Delivery Agent**: 

Current Release (CR)

*   Citrix Virtual Apps and Desktops versions **before** 2305 

Long Term Service Release (LTSR)

*   Citrix Virtual Apps and Desktops 2203 LTSR **before** CU3
*   Citrix Virtual Apps and Desktops 1912 LTSR **before** CU7

The vulnerability affects the following supported versions of **Linux Virtual Delivery Agent**: 

Current Release (CR)

*   Linux Virtual Delivery Agent versions **before** 2305

Long Term Service Release (LTSR)

*   Linux Virtual Delivery Agent 2203 LTSR **before** CU3
*   Linux Virtual Delivery Agent 1912 LTSR **before** CU7 hotfix 1(19.12.7001)

The vulnerability has been given the following identifier: 

CVE ID

Description

Pre-requisites

CWE

CVSS

CVE-2023-24490

Users with only access to launch VDA applications can launch an unauthorized desktop

Authorized user with the ability to launch a virtual application

Improper Access ControlCWE-284

6.3

**What Customers Should Do**

Citrix strongly recommends that customers upgrade their Windows and Linux Virtual Delivery Agents to versions that contain the fixes as soon as possible.  

Windows Virtual Delivery Agent versions that contain the fixes are: 

*   Citrix Virtual Apps and Desktops 2305 and later versions 
*   Citrix Virtual Apps and Desktops 2203 LTSR CU3 and later cumulative updates
*   Citrix Virtual Apps and Desktops 1912 LTSR CU7 and later cumulative updates

Linux Virtual Delivery Agent versions that contain the fixes are: 

*   Linux Virtual Delivery Agent 2305 and later versions
*   Linux Virtual Delivery Agent 2203 LTSR CU3 and later cumulative updates
*   Linux Virtual Delivery Agent 1912 LTSR CU7 hotfix 1(19.12.7001) and later cumulative updates

**Note: Customers are recommended only to upgrade their Windows and Linux Virtual Delivery Agents to address this vulnerability.** 

The latest versions of Citrix Virtual Apps and Desktops are available from the following Citrix website location: 

https://www.citrix.com/downloads/citrix-virtual-apps-and-desktops/

Extended support customers are recommended to contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/en-gb/support/open-a-support-case/  

  
**Additional Information:**

Citrix Virtual Apps and Desktops and Citrix DaaS customers may use Citrix provisioning services, Machine creation services technologies, if applicable to update their non persistent Virtual Delivery Agents.

Citrix DaaS customers may use VDA Upgrade Service (VUS) to update their Windows persistent Virtual Delivery Agents for Remote PC Access, HDX Plus for Windows 365, and any other persistent or provisioned and dedicated catalogs. Customers are recommended to review the VUS Prerequisites to determine if they can use the VDA Upgrade Service.

**Acknowledgements**

Citrix would like to thank the Lockheed Martin Red Team for working with us to protect Citrix customers.

**What Citrix is Doing**

Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.

**Obtaining Support on This Issue**

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.

**Subscribe to Receive Alerts**

Citrix strongly recommends that all customers subscribe to receive alerts when a Citrix security bulletin is created or modified at https://support.citrix.com/user/alerts.

**Reporting Security Vulnerabilities to Citrix**

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document directly from the Citrix Knowledge Center.

**Changelog**

2023-06-13 T 13:30:00Z

Initial publication

2023-06-14 T 20:00:00Z

Added clarification in the 'What customers should do' section

CVE-2023-24490: Windows and Linux Virtual Delivery Agent for CVAD and Citrix DaaS Security Bulletin CVE-2023-24490

Financial Business and Consumer Solutions has filed a notification of a data breach which affects over 3 million US citizens.

The US debt collection agency Financial Business and Consumer Solutions (FBCS) has filed a data breach notification, listing the the total number of people affected as 3,226,631.

FBCS is a nationally licensed, third-party collection agency that collects commercial and consumer debts, with most of its activity involving the recovery of consumer debts on behalf of creditors. According to the official statement provided by FBCS, the exposed data includes:

*   Full names
*   Social security numbers
*   Birth dates
*   Account information
*   Drivers license or other state ID numbers

In some cases, it also includes medical claims information, provider information, and clinical information (including diagnosis/conditions, medications, and other treatment information), and/or health insurance information.

FBCS has sent data breach notifications to those affected, detailing what data was compromised and offering 12 months of free credit monitoring.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Scan for your exposed personal data**

You can check what personal information of yours has been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Debt collection agency FBCS leaks information of 3 million US citizens 

Jenkins Embeddable Build Status Plugin 2.0.3 allows specifying a 'link' query parameter that build status badges will link to, without restricting possible values, resulting in a reflected cross-site scripting (XSS) vulnerability.

CVE-2022-34178: Jenkins Security Advisory 2022-06-22

An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can be exploited by leveraging a SQL parsing vulnerability.



**Apache Superset has incorrect authorization check**

Moderate severity GitHub Reviewed Published Sep 6, 2023 to the GitHub Advisory Database • Updated Sep 7, 2023

GHSA-95ch-p3gw-23qg: Apache Superset has incorrect authorization check

A potential unathenticated file deletion vulnerabilty on Trend Micro Mobile Security for Enterprise 9.8 SP5 could allow an attacker with access to the Management Server to delete files.

This issue was resolved in 9.8 SP5 Critical Patch 2.

CVE-2022-40980

The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root.

CVE-2022-24262: News - VoIPmonitor

lpar2rrd is a hardcoded system account in XoruX LPAR2RRD and STOR2RRD before 7.30.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us