Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

23andMe data breach under joint investigation in two countries

Canada's and UK privacy authorities are going to investigate the data breach at 23andMe to assess what the company could have done better.

Malwarebytes
Open in Source
#web#git#auth
CVE-2024-35265: Windows Perception Service Elevation of Privilege Vulnerability

**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploited this vulnerability could create or delete files in the security context of the “NT AUTHORITY\\ LOCAL SERVICE” account.

CVE-2024-35263: Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

CVE-2024-35249: Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

CVE-2024-30097: Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability

**According to the CVSS metric, user interaction is required (UI:R) and privileges required are none (PR:N). What does that mean for this vulnerability?** An unauthorized attacker must wait for a user to initiate a connection.

CVE-2024-29187: GitHub: CVE-2024-29187 WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM

**According to the CVSS metric, user interaction is required (UI:R) and privileges required  is low (PR:L). What does that mean for this vulnerability?** An authorized attacker must send the user a malicious file and convince the user to open it.

CVE-2023-50868: MITRE: CVE-2023-50868 NSEC3 closest encloser proof can exhaust CPU

**Why is the MITRE Corporation the assigning CNA (CVE Numbering Authority)?** CVE-2023-50868 is regarding a vulnerability in DNSSEC validation where an attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users. MITRE created this CVE on their behalf. Please see CVE-2023-50868 for more information.

CVE-2024-29060: Visual Studio Elevation of Privilege Vulnerability

**According to the CVSS metric, user interaction is required (UI:R) and privileges required is Low (PR:L). What does that mean for this vulnerability?** An authorized attacker could create a malicious extension and then wait for an authenticated user to create a new Visual Studio project that uses that extension. The result is that the attacker could gain the privileges of the user.

CVE-2024-30066: Winlogon Elevation of Privilege Vulnerability

**According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of integrity (I:H). What does that mean for this vulnerability?** An authenticated attacker could replace valid file content with specially crafted file content.

CVE-2024-30077: Windows OLE Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An attacker could exploit the vulnerability by tricking an authenticated user (UI:R) into attempting to connect to a malicious SQL server database via a connection driver (for example: OLE DB or OLEDB as applicable). This could result in the database returning malicious data that could cause arbitrary code execution on the client.